12-18更新了misc

Crypto

1.随机数之旅3

# Sage 9.3
import random
import uuid

# A fresh flag: "flag{" + a UUID4 + "}" -> 5 + 36 + 1 = 42 characters.
flag = "flag{" + str(uuid.uuid4()) + "}"


# One equation fewer than there are unknowns (41 x 42 below); the fixed
# "flag{" / "}" characters are what make the system solvable anyway.
n = len(flag)
m = n - 1
p = random_prime(2**20)

# m x n matrix over Z/pZ with entries drawn from the upper half [p//2, p-1].
# NOTE: random.randint is not a CSPRNG, but A is published, so nothing here
# relies on its unpredictability.
entries = [random.randint(p//2, p-1) for _ in range(m*n)]
A = matrix(Zmod(p), m, n, entries)

# The flag as a vector of code points, then its image b = A*x (m values mod p).
x = vector([ord(ch) for ch in flag])

b = A*x

# output.txt: p, then A row by row, then b.
with open("output.txt", "w") as f:
    f.write(str(p) + "\n")
    f.write(str(list(A)) + "\n")
    f.write(str(list(b)))

flag="flag{"+str(uuid.uuid4())+"}"生成一个随机flag:uuid部分是32个十六进制字符加4个连字符共36个字符,加上flag{和}后总长42个字符

A=[random.randint(p//2,p-1) for _ in range(m*n)]创建一个随机矩阵(m=41, n=42, p已知: p=5323)

x=[ord(i) for i in flag] x=vector(x)将flag转成一个42维的向量

解题思路:

把b中的已知部分去掉之后就可以直接解了,**x_u = A_u.solve_right(b_prime)**(核心就这个)

解题代码:

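# Modulus published in output.txt; every equation below is taken over GF(p).
# (No symbolic variables are needed: the system is solved numerically.)
p = 5323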
A_list = [(5264, 4296, 3438, 4717, 3154, 4628, 4488, 3442, 5197, 4464, 4449, 3242, 3931, 3947, 5167, 4486, 4780, 4256, 3154, 5063, 2810, 4761, 5207, 3105, 5149, 4803, 4990, 3078, 3826, 5238, 4753, 4021, 3590, 3510, 2931, 4065, 3508, 3691, 4810, 3493, 3773, 3069), (4419, 3578, 4420, 4692, 4344, 4184, 3843, 3494, 3168, 3788, 3094, 5314, 3480, 4739, 2683, 4045, 4338, 4652, 5221, 5191, 2833, 3183, 2781, 4339, 4433, 2992, 4964, 4866, 3100, 3624, 4956, 3989, 5149, 3955, 4338, 5265, 2952, 5142, 4898, 4499, 4615, 2797), (3274, 4484, 3339, 4842, 3842, 2892, 2741, 3756, 2861, 3817, 4146, 4887, 2703, 4618, 4984, 2805, 3334, 2932, 3094, 4532, 4424, 4568, 4927, 5008, 2814, 3385, 3850, 3437, 3449, 3290, 5191, 3980, 5290, 3043, 5288, 2704, 3147, 5084, 4560, 2781, 2950, 4753), (3565, 3536, 4814, 3977, 4844, 4833, 2806, 3976, 4889, 3908, 3359, 3611, 2983, 4719, 3170, 4019, 4594, 5182, 4493, 4861, 3999, 2680, 3883, 5290, 4436, 4426, 4885, 4521, 3019, 3237, 5249, 3236, 5303, 4536, 4090, 4463, 2919, 2879, 2771, 4255, 5148, 5156), (2974, 2716, 2782, 3667, 4443, 4289, 3230, 4157, 3876, 4763, 5021, 3268, 4278, 3385, 2765, 5082, 3965, 3557, 2708, 4709, 3125, 4673, 4783, 5029, 3430, 5235, 3919, 3576, 3449, 4861, 3207, 2667, 3942, 3597, 4185, 3759, 5253, 4940, 4256, 2845, 4391, 2750), (5252, 5292, 2822, 4063, 4116, 4065, 3913, 5198, 3856, 3419, 4209, 4900, 3700, 3107, 3998, 5141, 5052, 4370, 3366, 4134, 3461, 3947, 4497, 2980, 5143, 2836, 2914, 4600, 5205, 3041, 3834, 3544, 3682, 2677, 4514, 4327, 4638, 4028, 4971, 3528, 2773, 5043), (3491, 5181, 2922, 3106, 4734, 3657, 3134, 3242, 2959, 5187, 3513, 4099, 4495, 5100, 2945, 5172, 3772, 4409, 3645, 5260, 2663, 2702, 4673, 5263, 3215, 3953, 4123, 3230, 3402, 4822, 3303, 3746, 3892, 4547, 2696, 4139, 3736, 4689, 3320, 4682, 5166, 4576), (3594, 4405, 3032, 4297, 4906, 4383, 3846, 3850, 3210, 3923, 5280, 4643, 4588, 4397, 5134, 3848, 3660, 4770, 3930, 3808, 4509, 5044, 4123, 4757, 4481, 4290, 4140, 3052, 4557, 3626, 3181, 2690, 5279, 3532, 3497, 
3214, 4057, 4170, 3153, 3123, 4536, 3958), (4613, 5247, 5279, 3239, 3517, 2809, 3104, 3318, 2771, 4262, 5069, 4399, 4874, 3019, 5034, 4723, 4653, 5047, 5087, 2730, 4602, 2727, 4068, 3055, 4450, 2809, 2760, 3009, 3911, 4485, 2775, 5029, 2816, 4692, 4979, 2732, 3762, 3670, 3850, 3345, 5215, 3151), (3481, 4331, 3840, 5102, 3411, 3530, 4300, 3529, 4067, 4727, 4234, 3191, 4643, 5132, 4380, 4498, 3533, 4896, 3008, 2947, 3395, 2804, 4232, 3425, 3888, 3177, 5120, 3047, 2830, 4352, 3929, 3668, 5209, 2906, 3280, 5093, 4563, 2806, 4851, 3216, 4857, 4032), (4850, 3824, 2777, 3998, 5257, 4238, 3490, 2867, 5129, 2869, 4865, 4224, 3844, 3238, 5154, 3970, 4250, 4099, 3271, 4750, 5181, 4086, 3696, 3335, 3562, 4822, 5137, 4046, 3976, 3663, 4244, 3678, 4761, 3634, 4001, 4417, 4324, 4158, 4384, 3682, 5313, 4052), (4973, 5109, 3841, 3854, 4886, 4200, 5250, 3172, 4677, 4518, 3633, 2742, 3187, 2804, 4649, 4945, 4480, 3701, 3966, 2839, 3503, 2814, 4071, 4624, 2812, 4362, 2986, 3544, 5129, 4687, 4474, 3115, 3936, 5168, 4478, 3970, 3361, 4437, 3226, 2986, 4806, 3652), (4941, 4951, 3618, 3904, 5054, 3596, 4032, 3850, 5117, 3372, 4125, 3333, 3848, 5225, 4780, 4097, 4544, 2861, 3576, 4935, 3871, 3949, 3707, 4129, 5187, 4692, 3177, 5147, 2666, 4823, 4435, 3578, 2929, 2707, 4595, 3938, 2850, 5212, 5240, 3860, 3283, 5259), (3664, 3915, 5206, 2996, 3344, 4880, 4678, 4995, 3521, 3772, 3508, 3860, 4188, 5132, 2712, 3390, 3435, 4608, 3075, 3393, 4593, 3120, 5100, 3087, 3027, 5188, 5026, 4209, 4270, 2842, 2788, 4285, 2878, 3225, 2693, 4212, 2867, 4446, 4595, 4961, 4939, 2998), (4628, 3052, 2878, 4527, 2915, 4819, 3100, 3224, 3877, 3999, 4700, 4824, 4255, 4802, 4334, 4161, 4111, 4861, 4883, 4278, 2665, 2880, 4219, 4705, 4511, 4320, 3875, 3156, 4906, 4754, 4083, 2716, 3573, 3252, 4216, 2778, 3439, 4765, 3618, 5315, 4561, 3499), (4853, 4733, 5289, 4087, 5051, 4808, 5264, 4996, 3673, 4609, 4727, 4774, 4221, 3050, 5050, 4768, 4192, 3998, 2855, 4058, 3899, 3687, 4249, 2733, 3980, 2702, 4089, 3729, 4351, 
4872, 3572, 4156, 4186, 3062, 4156, 5188, 3758, 3660, 4650, 3538, 4063, 3598), (3993, 4550, 4516, 4220, 3025, 3134, 2713, 3461, 4284, 4153, 4541, 3514, 4184, 5286, 4209, 4787, 4166, 3551, 2985, 4639, 2867, 3944, 4185, 3014, 2782, 3325, 4989, 3147, 4528, 2772, 2912, 4452, 4634, 5211, 2897, 5207, 4454, 4685, 4227, 4878, 4643, 2788), (3563, 4874, 3399, 3488, 4253, 4172, 4353, 4562, 3074, 5272, 2784, 3724, 3394, 2858, 3180, 4594, 3763, 3392, 4707, 4607, 3394, 3623, 4323, 4294, 4775, 4004, 2977, 3669, 3618, 3311, 4171, 4904, 4001, 3548, 5118, 4847, 4722, 3125, 4605, 3717, 2687, 3679), (4736, 2904, 4535, 4415, 3471, 4198, 4433, 2944, 2952, 3160, 4346, 5281, 2850, 4921, 3807, 4245, 2693, 4369, 4898, 3222, 4052, 5123, 4128, 4014, 3901, 3339, 4862, 5210, 3955, 3925, 3472, 3298, 4158, 2818, 4865, 4910, 3617, 3276, 3818, 4303, 3824, 4572), (4415, 3388, 4882, 4396, 4382, 4921, 3815, 2950, 3251, 3710, 5215, 4841, 3678, 4603, 5191, 3291, 3570, 3436, 5089, 5269, 3887, 3444, 4001, 4397, 3430, 3886, 3676, 5149, 2746, 3828, 3607, 4170, 4152, 4640, 4162, 2868, 2719, 3923, 3156, 4324, 3108, 3722), (3912, 4206, 4036, 5031, 3316, 3080, 3385, 5003, 4397, 4493, 4568, 4130, 3089, 4697, 4599, 3019, 3126, 2830, 4186, 3969, 3103, 2911, 2991, 3332, 2703, 4581, 5276, 3040, 4687, 4033, 4304, 5304, 4976, 3765, 2957, 4005, 3138, 3876, 4032, 3132, 3415, 3465), (4971, 3562, 3942, 2905, 5078, 4273, 5246, 3042, 5171, 4607, 3948, 3894, 2730, 2896, 4641, 3378, 4384, 5053, 4187, 3194, 4581, 3971, 4181, 4413, 4599, 3716, 3531, 3742, 3806, 2979, 4113, 4373, 4766, 3543, 4707, 4592, 4421, 4381, 4084, 4732, 4026, 2859), (3824, 3663, 3807, 4580, 4447, 4273, 5123, 3645, 5235, 3410, 3512, 3041, 3410, 4076, 3435, 4001, 4681, 3327, 5258, 4796, 4517, 4925, 3909, 4947, 4439, 4350, 2912, 4664, 4546, 3248, 2982, 4513, 4684, 3132, 4555, 5013, 5026, 5118, 5002, 2840, 4668, 2794), (4249, 2838, 3901, 4952, 5191, 4488, 2675, 3402, 2960, 5295, 3414, 4005, 2661, 4406, 2897, 4562, 4784, 3897, 3663, 2925, 4140, 4584, 4128, 
4100, 4740, 3539, 5072, 3651, 3723, 2859, 4691, 4858, 3944, 4309, 4199, 3455, 3140, 3562, 4720, 3588, 3773, 3197), (5285, 3168, 3069, 3043, 2733, 4718, 3316, 5162, 3063, 3709, 3669, 3959, 4490, 4556, 4345, 5129, 3512, 4102, 3488, 4643, 3759, 4990, 2683, 2920, 5316, 3644, 2913, 4571, 3323, 3203, 3424, 3992, 3701, 5296, 3507, 4301, 4594, 3823, 3582, 4627, 2964, 4961), (3620, 4130, 5092, 5322, 2817, 3743, 4045, 4649, 4371, 4154, 4407, 2673, 4248, 3901, 4507, 4607, 5281, 5246, 4644, 4811, 2805, 4728, 4215, 2964, 4282, 3962, 3925, 4049, 5075, 3238, 2813, 5027, 3716, 3187, 3277, 3953, 4700, 2693, 4490, 5297, 3233, 2721), (5051, 4362, 3937, 3200, 3230, 4123, 4992, 3668, 5129, 3010, 3311, 4105, 3569, 4993, 3955, 4322, 3328, 2848, 4556, 3681, 3243, 4353, 5026, 5320, 3814, 4000, 3521, 3092, 2670, 4678, 4752, 3547, 4948, 3619, 5038, 2999, 3710, 2885, 3187, 3727, 4749, 4574), (3704, 3785, 3684, 4232, 4826, 3147, 3478, 3369, 5043, 4750, 4371, 4925, 3644, 3257, 4108, 5196, 4411, 4658, 3884, 3942, 4161, 3449, 2788, 4513, 3249, 3347, 3806, 2753, 2805, 4035, 4859, 3553, 4001, 4952, 3152, 4139, 3796, 3964, 4691, 4721, 3642, 5282), (3460, 3712, 5003, 4997, 4911, 3168, 5231, 2681, 4528, 3935, 2701, 5081, 5002, 3808, 3761, 4413, 3824, 2799, 4176, 3147, 4882, 3820, 4318, 4258, 4866, 4138, 4039, 3654, 4070, 3516, 2713, 3761, 4871, 3111, 4768, 3473, 5024, 3376, 2764, 2835, 4965, 4600), (3817, 4228, 3063, 4245, 3187, 3015, 3013, 4639, 3879, 2739, 4641, 2992, 3218, 4632, 4251, 4631, 4592, 3158, 4050, 4993, 3458, 4691, 4376, 3609, 3741, 3047, 4352, 4744, 3116, 3053, 4309, 3963, 4233, 3672, 4699, 4614, 3377, 4626, 3550, 4191, 3575, 4554), (3659, 3336, 5295, 3064, 4372, 4725, 3239, 3094, 4019, 4249, 5012, 3782, 4357, 5101, 4778, 4899, 4266, 4705, 2696, 5028, 4630, 4022, 3189, 4522, 4193, 4782, 4030, 2977, 3310, 4249, 5171, 3780, 3215, 3972, 5217, 4301, 2855, 3941, 4994, 4398, 3016, 3143), (3922, 3364, 2809, 3867, 3625, 5208, 3946, 5014, 3928, 3660, 5027, 4712, 4581, 4521, 3698, 5136, 3149, 
5107, 2995, 4245, 2919, 4384, 2964, 5173, 4152, 3413, 4733, 2932, 3157, 3831, 5135, 2976, 3698, 5143, 3291, 4973, 2887, 3940, 5243, 5229, 3813, 4033), (3418, 4524, 3961, 5299, 2967, 3681, 3100, 2704, 4228, 3418, 5072, 3976, 3949, 4540, 5063, 2877, 4327, 4724, 3790, 4743, 2684, 4579, 2842, 4567, 3277, 4961, 3414, 4585, 3903, 4240, 4864, 3138, 3540, 5153, 3809, 5171, 4452, 3841, 5315, 3272, 5187, 4811), (2746, 2996, 3753, 4225, 4056, 3118, 5114, 3354, 2834, 5192, 5213, 2779, 3816, 2827, 3781, 3445, 2864, 4229, 2979, 2822, 5094, 3880, 4430, 4504, 3732, 4481, 4364, 4337, 3366, 4417, 2942, 5180, 4909, 3770, 5298, 4557, 3185, 4502, 4730, 5205, 4777, 3736), (3366, 3922, 4127, 4927, 3079, 4499, 3078, 3113, 3965, 3699, 4024, 3812, 3780, 4434, 4384, 4164, 4293, 3231, 3588, 3788, 3422, 5214, 4360, 3789, 3872, 5096, 4595, 5072, 2900, 4807, 4574, 2875, 4036, 4260, 3766, 3122, 5278, 4376, 3236, 2937, 4663, 4733), (3537, 4422, 4615, 2910, 4383, 3129, 4101, 3741, 3678, 3506, 2795, 4134, 4933, 4677, 3858, 5078, 3252, 3341, 3540, 3432, 3751, 4343, 4306, 4086, 4679, 4690, 4018, 4761, 4506, 5055, 5205, 4394, 4060, 3872, 3477, 4523, 3191, 5158, 4847, 2970, 4722, 3451), (3475, 4137, 4259, 2941, 3515, 4639, 3237, 5274, 2889, 5243, 2984, 4033, 3160, 3668, 4402, 5283, 3479, 4585, 2719, 3023, 3941, 3184, 3774, 3673, 3279, 3124, 3840, 4507, 5111, 4661, 3101, 2744, 3424, 4623, 3936, 2923, 3309, 4324, 3077, 4161, 4461, 5192), (4170, 3426, 4246, 3841, 4606, 3187, 4783, 4900, 5101, 5108, 5041, 4042, 4943, 2927, 3529, 4985, 4682, 4255, 2968, 3298, 4057, 2725, 5305, 4412, 4719, 3730, 2784, 4485, 2760, 3082, 3293, 3026, 4728, 3256, 4683, 3165, 4412, 2883, 4302, 3392, 3399, 3512), (4886, 3474, 2923, 4021, 4746, 5119, 3465, 4475, 5248, 4958, 3441, 3772, 3068, 4773, 3654, 4283, 4688, 3787, 3456, 3174, 2947, 4041, 2724, 3683, 5058, 3914, 2973, 4082, 3706, 2671, 5031, 3297, 3790, 4753, 2847, 3265, 3355, 3214, 2872, 4131, 3459, 4879), (2961, 3419, 4246, 2699, 4676, 2746, 5270, 5186, 3447, 3571, 4989, 
3646, 4804, 3003, 5215, 3593, 4244, 5085, 2856, 3706, 3213, 5005, 2900, 3031, 3196, 2726, 3711, 5072, 4654, 4079, 4894, 3748, 4266, 2810, 2770, 4071, 2713, 3079, 4809, 3063, 3174, 3380), (3200, 2952, 2713, 5140, 2863, 3263, 3052, 4190, 4913, 3754, 3942, 5009, 3298, 2848, 3970, 3737, 5099, 3591, 3370, 5302, 4153, 2947, 2904, 4201, 5162, 3919, 4686, 3043, 5071, 4648, 4218, 4914, 4434, 5111, 3284, 2758, 4051, 5157, 5189, 4768, 4019, 2803)]
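b_list = [4300, 535, 1288, 4438, 3036, 4873, 312, 2278, 5120, 3806, 2223, 2772, 2709, 953, 1788, 1303, 2432, 4101, 3993, 822, 4493, 841, 1936, 4626, 3419, 3854, 2435, 1925, 5040, 3693, 5181, 932, 1189, 3614, 2685, 2046, 2663, 747, 3627, 648, 3142]

# Lift the published data into Sage objects over GF(p).
A = matrix(Zmod(p), A_list)
b = vector(Zmod(p), b_list)
m, n = A.dimensions()  # m equations, n unknowns (41 x 42 for this output)

# Characters fixed by the flag format: the "flag{" prefix and the "}" suffix.
known_positions = {
    0: ord('f'),  # flag[0]
    1: ord('l'),  # flag[1]
    2: ord('a'),  # flag[2]
    3: ord('g'),  # flag[3]
    4: ord('{'),  # flag[4]
    n - 1: ord('}'),  # flag[-1]
}

# Split the unknown vector into its known and unknown coordinates.
known_indices = list(known_positions.keys())
unknown_indices = [i for i in range(n) if i not in known_positions]

# Split A by column: A*x = A_k*x_k + A_u*x_u, hence A_u*x_u = b - A_k*x_k.
A_k = A[:, known_indices]  # columns of the known characters
A_u = A[:, unknown_indices]  # columns of the unknown characters

# Known values as a vector over GF(p).
x_k = vector(Zmod(p), [known_positions[i] for i in known_indices])

# Right-hand side with the known contribution removed.
b_prime = b - A_k * x_k

# solve_right raises if the system is inconsistent, but it returns only one
# solution; insist on a trivial right kernel so the recovered flag is the
# unique one rather than an arbitrary member of an affine family.
x_u = A_u.solve_right(b_prime)
kernel_dim = A_u.right_kernel().dimension()
if kernel_dim != 0:
    raise ValueError(f"solution is not unique: right kernel has dimension {kernel_dim}")

# Reassemble the code points in flag order.
x_recovered = [0] * n
for i, idx in enumerate(known_indices):
    x_recovered[idx] = int(x_k[i])
for i, idx in enumerate(unknown_indices):
    x_recovered[idx] = int(x_u[i])

# Back to text.
flag = ''.join(chr(val) for val in x_recovered)
print("解密结果:", flag)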

2.随机数之旅4

from Crypto.Util.number import getPrime
from Crypto.Util.number import bytes_to_long as b2l
import random
import uuid

p = getPrime(32)
print(p)

# 42-character flag cut into 14 three-character pieces, each packed
# big-endian into an integer below 2**24 (so below the 32-bit p).
flag = "flag{" + str(uuid.uuid4()) + "}"
pieces = [flag[i:i+3] for i in range(0, len(flag), 3)]
c = [b2l(piece.encode()) for piece in pieces]

# 14 random seeds, then a 14-term linear recurrence mod p whose
# coefficients are the flag pieces: x[k] = sum_j c[j] * x[k-14+j] (mod p).
x = [random.randint(1, p-1) for _ in range(14)]

for _ in range(100):
    window = x[-14:]
    x.append(sum(cj * xj for cj, xj in zip(c, window)) % p)

# Only the last 28 terms are published: 14 "inputs" and the 14 that follow.
print(x[-28:])

"""
3028255493
[2981540507, 1806477191, 1912594455, 2801509477, 401085215, 818458584, 2397034605, 2120401989, 2008340439, 66147874, 1558789534, 2187085801, 671267991, 2930313508, 924435370, 902711250, 1226810076, 769329795, 2328739529, 1228810265, 1382003520, 1967489557, 2811050420, 1008248532, 1643249997, 639108823, 449982542, 1325050025]

"""
c=[b2l(i.encode()) for i in pieces]  # the 14 flag pieces as integers: these are the unknowns
x=[random.randint(1,p-1) for i in range(14)]  # 14 random seeds, published later as part of x[-28:]
for i in range(100):
    # x[k] = sum_{j=0}^{13} c[j] * x[k-14+j]  (mod p): each new term is a linear
    # combination of the previous 14 terms with the flag pieces as coefficients
    s=sum(c[i]*x[-14+i] for i in range(14))
    x.append(s%p)
  • 最后给了x[-28:],最开始的c[]x[]都是长度为14的列表
  • pieces=[flag[i:i+3] for i in range(0,len(flag),3)]把flag切成3块3块输出
  • 这里的x[]是一直在增长的,但每次只用到最后14个数,具体公式为 $x_k = \sum_{j=0}^{13} c_j \, x_{k-14+j} \pmod p$:

  • 把x列表最后28个元素记为y列表的第0-27个元素,可以得到以下公式: $y_{i+14} = \sum_{j=0}^{13} c_j \, y_{i+j} \pmod p,\ i = 0,\dots,13$

  • x不断迭代的算法可以不用去管它,但要把每一次迭代的过程(都只涉及14个数)摘出来,形成矩阵 $V_{ij} = y_{i+j}$ ($0 \le i, j < 14$):

  • 利用增广矩阵解方程

from Crypto.Util.number import long_to_bytes
import sympy as sp

# Published data: the modulus and the last 28 terms of the recurrence.
p = 3028255493
y = [
    2981540507, 1806477191, 1912594455, 2801509477, 401085215, 818458584, 2397034605,
    2120401989, 2008340439, 66147874, 1558789534, 2187085801, 671267991, 2930313508,
    924435370, 902711250, 1226810076, 769329795, 2328739529, 1228810265, 1382003520,
    1967489557, 2811050420, 1008248532, 1643249997, 639108823, 449982542, 1325050025
]

# With x_k = sum_j c_j x_{k-14+j} (mod p), every window of 14 consecutive
# terms maps onto the next one: y[i+14] = sum_j c_j * y[i+j]. Fourteen such
# windows give a square system A * c = b with the flag pieces c as unknowns.
n = 14  # number of unknowns
A = sp.Matrix(n, n, lambda i, j: y[i + j])
b = sp.Matrix(n, 1, lambda i, _: y[i + n])
# Solve modulo p (inv_mod fails if A is singular mod p).
c = list((A.inv_mod(p) * b) % p)

# Each c entry is a 3-byte chunk of the flag (big-endian); glue the bytes
# back together and read them as latin1 so no byte is altered.
flag = b''.join(long_to_bytes(int(v)) for v in c).decode('latin1')
print(flag)

misc

1. 流量分析:S7 的秘密

西门子S7comm协议解析 —— 利用Wireshark对报文逐字节进行解析详细解析S7comm所含功能码以及UserData功能(path1) - Db2k - 博客园

这篇比较详细地介绍了这个协议,不过内容太多,CTF里也用不到

参考:https://github.com/watermelon1221/Newstar_week3-5

一把梭出来有可读的字符,不过还需要处理一下。

观察一下数据包的功能:

  • Frame 1, 2:连接建立(Setup communication)
  • Frame 3, 5, 7, …, 31:[Job ] Function:[Write Var]请求,写入数据
  • Frame 4, 6, 8, …, 32:[Ack_Data] Function:[Write Var]响应,确认写入

1、2的参数

3-31的参数,写入数据

框1是DB的地址(data block),框2表示该数据块所带的数据(ascii码)

我们按照流量包顺序排下来看,能组成neta跑出来的结果;如果按照DB地址顺序重排,就能得到可读字符:

IIOT_important!

没有找到脚本

2. 日志分析:盲辨海豚

这也是盲注:

这里有22和6,

  • 200 6 表示服务器成功处理了请求,并返回了 6 字节的数据。
  • 200 22 表示服务器成功处理了请求,并返回了 22 字节的数据。

回复短的,在这个SQL盲注测试中可能意味着布尔判断为“true”时返回的简短内容;回复长的,则可能对应布尔判断为“false”时的页面内容。

根据这个特征可以先筛选出200 6的流量

附上筛选代码:

#source:https://github.com/watermelon1221/Newstar_week3-5
import re
from urllib.parse import unquote

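def analyze_sql_log(log_file):
    """Collect the decoded request URLs whose response body was exactly 6 bytes.

    The writeup treats a 6-byte body as the "true" branch of the boolean
    blind-SQLi probes and a 22-byte body as the "false" branch, so the
    status-200/size-6 lines are the probes whose condition held.

    Args:
        log_file: path of an access log in the common/combined format,
            one request per line.

    Returns:
        list[str]: URL-decoded request targets of the 200/6 lines, in file order.
    """
    success_requests = []
    # Match the status and size fields themselves rather than the substring
    # '" 200 6', which would also accept sizes such as 60 or 612.
    status_re = re.compile(r'"\s+200\s+6(?!\d)')
    url_re = re.compile(r'GET\s+(\S+)')

    with open(log_file, 'r', encoding='utf-8') as f:
        for line in f:
            if not status_re.search(line):
                continue
            url_match = url_re.search(line)
            if url_match:
                # percent-decode so the probe text is readable
                success_requests.append(unquote(url_match.group(1)))
    return success_requests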
# Run the analysis over the local copy of the access log (path relative to
# the working directory); the result is the list of decoded 200/6 request URLs.
log_file = "blindsql.log"
success_requests = analyze_sql_log(log_file)

...
171.16.20.55 - - [31/Aug/2025:18:45:43 +0800] "GET /sqli_bool.php/?id=1%20and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema%20=%20'sqli'%20and%20table_name%20=%20'flag'%20order%20by%20ordinal_position%20limit%201,1),3,1))%20=%20'96' HTTP/1.1" 200 22
171.16.20.55 - - [31/Aug/2025:18:45:44 +0800] "GET /sqli_bool.php/?id=1%20and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema%20=%20'sqli'%20and%20table_name%20=%20'flag'%20order%20by%20ordinal_position%20limit%201,1),3,1))%20=%20'97' HTTP/1.1" 200 6
171.16.20.55 - - [31/Aug/2025:18:45:44 +0800] "GET /sqli_bool.php/?id=1%20and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_schema%20=%20'sqli'%20and%20table_name%20=%20'flag'%20order%20by%20ordinal_position%20limit%201,1),4,1))%20=%20'48' HTTP/1.1" 200 22
171.16.20.55 - - [31/Aug/2025:18:45:44 +0800] "GET /sqli_bool.php/?id=1%20
...

像这种转成对应的ascii码即可

一把梭出来

3.区块链:以太坊的约定

本题由多个小问题组成,得到各个小问题答案后用下划线 _ 拼接并裹上 flag{} 即可:

  1. 注册小狐狸钱包,并提交小狐狸钱包助记词个数
  2. 1145141919810 Gwei 等于多少 ETH(只保留整数)
  3. 查询账号 0x949F8fc083006CC5fb51Da693a57D63eEc90C675 第一次交易记录的日期,形式如 20230820
  4. 使用 remix 编译运行附件中的合约,将输出进行提交

小狐狸就是metamask

1.助记词个数做几次取证就能知道是12

2.

所以是1145.141919810

3.区块链浏览器查询 | 欧科云链 OKLink

直接搜没有,但是在搜就有了:

Sepolia Testnet地址0x949f…90c675 | 区块链浏览器 | OKLink

没找到这个日期,我这里显示最早的是25.9.3..

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Challenge attachment. getResult() is `pure` and the only statement with an
// effect is the final return, so the output is the constant "solidity"
// regardless of the arithmetic above it (the if-body is empty).
contract SimpleOperation {
    function getResult() public pure returns (string memory) {
        uint a = 10;
        uint b = 5;
        uint sum = a + b;      // 15
        uint product = a * b;  // 50
        if (sum > product) {   // 15 > 50 is false, and the body is empty anyway
        }
        return "solidity";
    }
}

这个其实可以猜一下返回solidity

flag{12_1145_20240614_solidity}

4. 流量分析:听声辩位

法一:

其实我是通过ctfneta一把梭之后反过来看的

这里能看到有个uri路径,所以筛选GET包http.request.method=='GET'

这里我们随意摘取一个来解码:https://www.urldecoder.org/

from urllib.parse import unquote
# One captured query string, still percent-encoded (the tail is cut off after "%3").
encoded = "id=1%27%20AND%20ORD%28MID%28%28SELECT%20DISTINCT%28IFNULL%28CAST%28schema_name%20AS%20NCHAR%29%2C0x20%29%29%20FROM%20INFORMATION_SCHEMA.SCHEMATA%20LIMIT%200%2C1%29%2C2%2C1%29%29%3E108%20AND%20%27toOm%27%3"
# unquote leaves the incomplete trailing "%3" as is.
decoded = unquote(encoded)
print(decoded)

#id=1' AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS NCHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),2,1))>108 AND 'toOm'%3
id=1' AND ORD(MID(
(SELECT DISTINCT(IFNULL(CAST(schema_name AS NCHAR),0x20))
FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1)
,2,1))>108 AND 'toOm'=

判断该字符ASCII码是否大于108(即是否在字母'l'之后),

可以把这样所有的结果总结下来

# Outcome of every probe, keyed schema offset -> character position ->
# threshold -> whether "ORD(char) > threshold" held (True) or not (False).
test_results = {
    0: {  # schema offset 0 = the first database
        1: {100: True, 105: True, 108: False},  # character position 1
        2: {96: True, 110: False},  # character position 2
        # ...
    },
    1: {  # schema offset 1 = the second database
        # ...
    }
}

每个字符根据true和false来判断对应字符串。

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
SQL布尔盲注流量分析核心脚本
功能:解析pcapng,重建schema,解码flag
"""

import pyshark
import urllib.parse
import re

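def _parse_probe(decoded_uri):
    """Pull (schema_offset, char_pos, cmp_val) out of one decoded probe URI.

    The probes look like ``ORD(MID((SELECT ... LIMIT <offset>,1),<pos>,1))><value>``;
    returns None for any request that does not have that shape.
    """
    if 'ORD(MID(' not in decoded_uri or 'INFORMATION_SCHEMA.SCHEMATA' not in decoded_uri:
        return None
    # One pattern for all three numbers: the LIMIT offset, the MID position and
    # the threshold sit next to each other at the end of the expression. This
    # also sidesteps the ",0x20" inside IFNULL(...), which makes a
    # MID\([^,]+,(\d+),1\) pattern stop at the wrong comma, and the fact that
    # the payload contains ")>", never ">>".
    match = re.search(r'LIMIT\s+(\d+),1\),(\d+),1\)\)>(\d+)', decoded_uri)
    if match is None:
        return None
    schema_offset, char_pos, cmp_val = (int(g) for g in match.groups())
    return schema_offset, char_pos, cmp_val


def analyze_blind_sql(pcap_path):
    """Pair every blind-SQLi probe in the capture with its HTTP response.

    Args:
        pcap_path: path of the pcapng file to read.

    Returns:
        dict: {schema_offset: {char_pos: {cmp_val: is_true}}}, where is_true
        records whether the reply lacked the error marker the author identified,
        i.e. whether the probe's ``ORD(...) > cmp_val`` condition held.
    """
    print("[*] 读取pcapng文件...")
    cap = pyshark.FileCapture(pcap_path, display_filter='http')

    # {schema offset: {character position: {threshold: held?}}}
    test_results = {}
    # Probes still waiting for their reply, per TCP stream, in request order;
    # a reply is matched to the oldest outstanding request on its stream
    # (a single pass, instead of re-scanning the capture for every request).
    pending = {}
    skipped = 0

    try:
        for pkt in cap:
            try:
                if not hasattr(pkt, 'http') or not hasattr(pkt, 'tcp'):
                    continue
                http = pkt.http
                stream_id = int(pkt.tcp.stream)

                if getattr(http, 'request_method', None) == 'GET':
                    # Decode before filtering: in the raw URI the parentheses are
                    # percent-encoded ("ORD%28MID%28"), so the literal 'ORD(MID('
                    # test never matches undecoded text.
                    probe = _parse_probe(urllib.parse.unquote(http.request_full_uri))
                    if probe is not None:
                        pending.setdefault(stream_id, []).append(probe)
                    continue

                if not hasattr(http, 'response_code') or not pending.get(stream_id):
                    continue
                schema_offset, char_pos, cmp_val = pending[stream_id].pop(0)

                # "true" branch: the reply does not carry the error marker.
                resp_data = http.file_data.get_default_value() if hasattr(http, 'file_data') else ""
                is_true = "OMG! it's tooo big!!!" not in resp_data

                test_results.setdefault(schema_offset, {}).setdefault(char_pos, {})[cmp_val] = is_true
            except (AttributeError, ValueError):
                # A packet lacking a field we read, or a non-numeric field;
                # count it rather than silently dropping it.
                skipped += 1
    finally:
        cap.close()

    if skipped:
        print(f"[!] {skipped} packets skipped (missing or malformed fields)")
    if pending:
        unanswered = sum(len(queue) for queue in pending.values())
        print(f"[!] {unanswered} probes had no matching response")
    return test_results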

def reconstruct_names(test_results):
    """Rebuild each schema name from the recorded comparison outcomes.

    Args:
        test_results: {schema_offset: {char_pos: {threshold: held}}}, where
            ``held`` is True when ``ORD(char) > threshold`` was answered true.

    Returns:
        dict: {schema_offset: name}. A name stops at the first position that
        has no True outcome, which is how the end of the string shows up.
    """
    print("[*] 重建schema名称...")
    schemas = {}

    for schema_offset, per_position in test_results.items():
        chars = []
        # walk the positions in order so the characters come out in sequence
        for pos in sorted(per_position):
            passed = [threshold for threshold, held in per_position[pos].items() if held]
            if not passed:
                break  # nothing held: no character here, the name has ended
            # the character is the smallest value above every threshold that held
            chars.append(chr(max(passed) + 1))

        name = ''.join(chars)
        schemas[schema_offset] = name
        print(f" Schema [{schema_offset}]: {name}")

    return schemas

def decode_flag():
    """Undo the challenge's shift-by-one on the fixed ciphertext and append the tail.

    Returns:
        str: the flag, i.e. every cipher character moved up one code point
        followed by the literal '!}'.
    """
    print("\n[*] 解码flag...")
    cipher = 'ek`fzakhmc^hmidbshnm^Qd?kkx^Ahfff'
    # each ciphertext character is one code point below the plaintext one
    shifted = [chr(ord(ch) + 1) for ch in cipher]
    flag = ''.join(shifted) + '!}'
    print(f" 密文: {cipher}")
    print(f" 明文: {flag}")
    return flag

def main():
    """Run the three steps end to end and print the final flag."""
    # Local copy of the capture; adjust to taste.
    pcap_path = r"E:\CTF\比赛\NewStar2025\杂项misc\traffic-sound-locate\blindsql.pcapng"

    # Step 1: pull every probe/response pair out of the capture.
    results = analyze_blind_sql(pcap_path)

    # Step 2: rebuild the schema names (a consistency check on step 1).
    reconstruct_names(results)

    # Step 3: the flag itself comes from the fixed ciphertext.
    flag = decode_flag()

    rule = '=' * 50
    print(f"\n{rule}")
    print(f"最终FLAG: {flag}")
    print(rule)

if __name__ == '__main__':
    main()  # run only when executed as a script, not on import