CTF-BUGKU-WEB（初级题）答题记录

BUGKU-WEB
1.秋名山车神

import requests
import re
s = requests.Session()
r = s.get("http://123.206.87.240:8002/qiumingshan/")
searchObj = re.search(r'(\d+[+\-*])+(\d+)', r.text)
d = {
    "value": eval(searchObj.group(0))
    }
r = s.post("http://123.206.87.240:8002/qiumingshan/", data=d)
print(r.text)
print("脚本已完成")

2.字符？正则
题目提示：传入ID符合正则表达式

错误的构造：?id=/keykeyaaaakey:/akeya:
正确的构造：?id=keykeyaaaakeykey:/a/keya:

PHP_encrypt_1(ISCCCTF)
fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=

解题

 $value) { // 对偏移后的密文数据进行还原
        $i = $key;
        if($i >= strlen($mkey)) {$i = $i - strlen($mkey);}
        $dd = $value;
        $od = ord($mkey[$i]);
        array_push($md_data_source,$dd);
        $data1 .= chr(($dd+128)-$od);  // 第一种可能, 余数+128-key 为回归数
        $data2 .= chr($dd-$od);  // 第二种可能, 余数直接-key 为回归数
    }
    print "data1 => ".$data1."
\n";
    print "data2 => ".$data2."
\n";
}
$str = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=";
decrypt($str);
?>

# -*- coding: UTF-8 -*-
import base64
# import hashlib

'''
def eccrypt(data):
    key = hashlib.md5('ISCC').hexdigest()
    # print 'key-->', key
    x = 0
    char = ''
    data_len = len(data)  # data的长度
    key_len = len(key)  # key的长度
    for i in range(data_len):
        if x == key_len:
            x = 0
        char += key[x]
        x += 1
    # print 'char-->', char
    flag = ''
    for i in range(data_len):
        flag += chr((ord(data[i]))+(ord(char[i])) % 128)
    # print 'flag-->', flag
    return base64.b64encode(flag)
'''


def detrcy(b64):
    int_b64 = []
    b64de = base64.b64decode(b64)
    # print 'b64de-->', b64de
    # print 'len_b64de-->', len(b64de)
    for i in range(len(b64de)):
        int_b64.append(ord(b64de[i]))
    # print 'int_b64-->',int_b64
    # print 'len_int_b64-->', len(int_b64)
    key = '729623334f0aa2784a1599fd374c120d729623'  # 知道data的长度后直接写出来
    int_key = []
    for i in range(len(key)):
        int_key.append(ord(key[i]))
    # print 'int_key-->', int_key
    flag = ''
    for i in range(len(int_b64)):
        flag += chr((int_b64[i]-int_key[i]+128) % 128)
    print flag


if __name__ == '__main__':
    # str_b64 = eccrypt('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
    # print 'str_b64-->', str_b64
    str_b64 = 'fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA='
    # print 'str_b64-->', str_b64
    detrcy(str_b64)