[weekly] April 17
2022-04-22 21:51:00 【Sunlight_ three hundred and sixteen】
- This week was mainly a review of last month's vishwactf, the first CTF competition I played; I wrote wp (writeups) for the MISC and web challenges.
- Continued learning how the various deserialization magic methods are triggered, the order in which the magic methods run, and how to construct a POP chain. It feels like picking my Java knowledge back up; along the way I also learned about Java deserialization, so that my proficiency does not drop in the future.
- Studied the next chapter in the lecture schedule, the banker's algorithm in operating systems, and did the computer architecture homework.
vishwactf
Learned SSTI through one challenge
- Playing competitions is the fastest and most efficient way to learn. While solving challenges, when I meet an unfamiliar knowledge point, I study it on the spot and use it on the spot. Improvement is very fast, and it is remembered better (write the wp promptly).
- Flask template injection: user input is rendered by the server as part of a template and then output, which creates an SSTI (server-side template injection) vulnerability.
Injection idea:
Pick any built-in object and use __class__ to get its class
Use __bases__ to get the base class (<class 'object'>)
Use __subclasses__() to get the list of subclasses
Look directly in the subclass list for a usable class to get a shell (write a script to find which position it is at)
Bypass techniques:
Bypassing filters on parentheses, commas, and braces
Learned more encryption methods
Twitter steganography, rot47, Vigenère cipher, md5, sha1
One competition involved this many encryption methods
Get familiar with the principles and typical features of these encryption methods, to judge them better in the future
Got familiar with hashcat through a JWT challenge
Basic usage of hashcat and its cracking commands
Bluetooth traffic analysis with Wireshark
Applied Wang Yihang's script to analyze the keyboard and mouse traffic directly
PHP deserialization
Magic methods
__construct(): the class constructor
__destruct(): the class destructor
__call(): called when an inaccessible method is invoked on an object
__callStatic(): called when an inaccessible method is invoked in a static context
__get(): called when reading a member variable of a class
__set(): called when setting a member variable of a class
__isset(): called when isset() or empty() is used on an inaccessible property
__unset(): called when unset() is used on an inaccessible property
__sleep(): called first when serialize() is executed
__wakeup(): called first when unserialize() is executed
__toString(): invoked when the object is treated as a string
__invoke(): invoked when the object is called as if it were a function
__set_state(): this static method is called when a class is exported with var_export()
__clone(): called when the object copy is complete
__autoload(): tries to load an undefined class
__debugInfo(): prints the required debug information
Running order
Constructor => __set (at this point a value is assigned to a property that is not defined in the class, which triggers __set) => __get => __isset => __unset => __isset => destructor
The destructor runs after all the other code has executed.
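The running order above can be observed by logging each magic method as it fires. The following PHP script is an added example, not code from the original post; the class name Probe and the property name note are made up for illustration. It also goes one step further and shows unserialize() with allowed_classes set to false, where none of the class's magic methods run.

```php
<?php
// Added example, not from the original post. Probe and "note" are hypothetical names.
class Probe
{
    public static array $log = [];   // records each magic method as it fires
    private array $data = [];
    public function __construct()        { self::$log[] = '__construct'; }
    public function __set($name, $value) { self::$log[] = '__set';   $this->data[$name] = $value; }
    public function __get($name)         { self::$log[] = '__get';   return $this->data[$name] ?? null; }
    public function __isset($name)       { self::$log[] = '__isset'; return isset($this->data[$name]); }
    public function __unset($name)       { self::$log[] = '__unset'; unset($this->data[$name]); }
    public function __sleep()            { self::$log[] = '__sleep'; return ['data']; }
    public function __wakeup()           { self::$log[] = '__wakeup'; }
    public function __destruct()         { self::$log[] = '__destruct'; }
}

// Print the recorded sequence under a label, then reset the log.
function report(string $label): void
{
    echo $label, ': ', implode(' => ', Probe::$log) ?: '(no magic methods ran)', "\n";
    Probe::$log = [];
}

// 1. 'note' is not declared on the class, so every access goes through a magic method.
function accessUndefined(): void
{
    $p = new Probe();
    $p->note = 'x';            // __set
    $value = $p->note;         // __get
    $exists = isset($p->note); // __isset
    unset($p->note);           // __unset
    $exists = isset($p->note); // __isset again
}                              // $p leaves scope: __destruct
accessUndefined();
report('property access');

// 2. serialize() calls __sleep; the temporary object is then destroyed.
$blob = serialize(new Probe());
report('serialize');

// 3. unserialize() calls __wakeup, and the rebuilt object still runs __destruct.
$obj = unserialize($blob);
unset($obj);
report('unserialize');

// 4. allowed_classes => false yields __PHP_Incomplete_Class, so Probe's hooks do not run.
$obj = unserialize($blob, ['allowed_classes' => false]);
unset($obj);
report('unserialize, allowed_classes=false');
```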
Combined with file inclusion vulnerabilities
Pseudo-protocol:
php://filter/read=convert.base64-encode/resource=
Copyright notice
This article was written by [Sunlight_ three hundred and sixteen]. Please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/04/202204221626491432.html