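But we can use property one to close it: when we set the value of name to ";s:4:"pass";s:6:"hacker";} First, remember that both property one and property two must be satisfied for deserialization to succeed!!! Why can the serialized string generated now still be deserialized successfully? Because the value of our name is now So we made use of the fileter function; this filter function looks as if it is meant to make the code more secure, but it actually makes the code more dangerous...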
<?php include("flag.php"); highlight_file(__FILE__); class FileHandler { protected $op; protected $filename; protected $content; function __construct() { $op = "1"; $filename = "/tmp/tmpfile"; $content = "Hello World!"; $this->process(); } public function process() { if(...
'r')==="welcome to the bugkuctf")){echo"hello friend!";if(preg_match("/flag/",$file)){echo"不能现在就给你flag哦";exit();}else{include($file);$password = unserialize($password);echo$password;}}else{echo"you are not the number of bugku...
$pathParts ['basename'] = ltrim(substr($filepath, strrpos($filepath, '/')),"/"); $pathParts ['extension'] = substr(strrchr($filepath, '.'), 1); $pathParts ['filename'] = ltrim(substr($pathParts ['basename'], 0, strrpos($pathParts ['basename'], '.')),"/"); return $p...
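} else if ($function == 'show_image') { $userinfo = unserialize($serialize_info); echo file_get_contents(base64_decode($userinfo['img'])); } Since the code hints that there is a clue in phpinfo, we might as well open phpinfo and take a look. Sure enough, so the flag should be in this file. The filter function does the filtering, $_SESSION is destroyed and then reassigned, and because extract()...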
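Next comes the if check further down: because the name passed in is cid, which contains no "." character, execution jumps straight to the else branch, which directly sets #method to 'param' (the default, meaning the type is determined automatically). The switch that follows then checks the request method, that is, it determines which request method is in use. There is one special point here: when param='put', parse_str(file_get_contents('php://input'), $_PUT); ...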
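<?php $pdo = new PDO('sqlite:/path/db/users.db'); $pdo->query("SELECT name FROM users WHERE id = " . $_GET['id']); // <-- NO! This is terrible code. You are inserting a raw request parameter into a SQL query. This lets attackers easily exploit it through [SQL injection]. Imagine if a hacker passes in a crafted id ...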
Starting from version 1.0.11, it is also possible to include the hostname in the rules for parsing and creating URLs. One may extract part of the hostname to be a GET parameter. For example, the URL http://admin.example.com/en/profile may be parsed into GET parameters user=admin and ...
file|ftp|zlib|data|glob|ssh|expect)/i', $this->filepath)){ die("nonono~"); } $mine = mime_content_type($this->filepath); // phar deserialization can be triggered here $store_path = $this->open($this->filename, $this->filepath); $res['mine'] = $mine; $res['store_path'] = $store_path;...
exif_thumbnail, exif_imagetype(); imageloadfont, imagecreatefrom(); hash_hmac_file, hash_file, hash_update_file, md5_file, sha1_file(); get_meta_tags, get_headers(); getimagesize, getimagesizefromstring(); $zip = new ZipArchive(); $res = $zip->open('c.zip'); $zip->extractTo('phar://test.phar/...