web 265——引用 <? include('flag.php'); highlight_file(__FILE__); class ctfshowAdmin{ public $token; public $password; public function __construct($t,$p){ $this->token=$t; $this->password = $p; } public function login(){ return $this->token===$this->password; } } $ctfshow...
这个题没有考什么,get方式传入payload即可,这里xxxxxx,就是6gex而已 payload: ?username=xxxxxx&password=xxxxxx 1. web 255 highlight_file(__FILE__); include('flag.php'); class ctfShowUser{ public $username='xxxxxx'; public $password='xxxxxx'; public $isVip=false; public function checkVip()...
web259(SoapClient实现SSRF) web260 web261 web262(反序列化逃逸) web263(php session反序列化漏洞) web264 web265(考察php的引用&) web266(php类与变量大小写不敏感) web267-270(Yii框架反序列化) web271(laravel5.7反序列化漏洞) web272(laravel5.8反序列化漏洞) web254 正常传参即可index.php?username=xx...
web259 web260 web262 web263 web264 web265 web266 web254 error_reporting(0); highlight_file(__FILE__); include('flag.php'); classctfShowUser{ public$username='xxxxxx'; public$password='xxxxxx'; public$isVip=false; publicfunctioncheckVip(){ return$this->isVip; } publicfunctionlogin($u...
web171 代码语言:javascript 代码运行次数:0 运行 AI代码解释 $sql="select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;"; 由sql查询语句可知,这里是由单引号包围的字符型注入.有一点奇怪的地方是,这里select的字段为2个(且没有select id值下方不可能存...
web265-引用传参 代码语言:javascript 代码运行次数:0 运行 AI代码解释 复制 class ctfshowAdmin{ public $token; public $password; public function __construct($t,$p){ $this->token=$t; $this->password = $p; } public function login(){ return $this->token===$this->password; } } $ctfshow...
文章目录web254web255web256web257web258(冒号后可以加+号)web259(SoapClient实现SSRF)web260web261web262(反序列化逃逸)web263(php session反序列化漏洞)web264web265(考察php的引用&)web266(php类与变量大小写不敏感)web267-270(Yii框架反序列化)web271(lara ...
web265 public function login(){ return $this->token===$this->password; } 1. 2. 3. token是随机数,但是password我们可控 地址传参,让password指向token的地址 <?php class ctfshowAdmin{ public $token; public $password; public function __construct(){ ...
CTFShow 反序列化 Web 255-270 CTFShow 反序列化 255-270 漏洞原理 未队用户输入的序列化字符串进行检测,导致攻击者可以控制反序列化过程,从而导致代码执行,SQL注入,目录遍历等后果。 触发条件 unserialize函数的参数、变量可控,php文件中存在可利用的类,类中有魔术方法...
web254-简单审计 这个题是搞笑的么🤣 按着源码顺序走一遍 ... $username=$_GET['username']; $password=$_GET['password']; if(isset($username) && isset($password)){ $user = new ctfShowUser(); if($user->login($username,$password)){ if($...