serDemo2 pop链
源码<?phpclass test1{ public $varr; function __construct() { $this->varr = "index.php"; } function __destruct() { printf("%s\n", __METHOD__); if (file_exists($this->varr)) { echo "文件" . $this->varr . "存在"; } }}class test2{ public $varr; public $obj; function __construct() { $this->varr = '123456'; $t ...
serDemo1 保护属性反序列化
源码<?php// password in flag.phperror_reporting(0);class happy{ protected $file = 'index.php'; public function __construct($file) { $this->file = $file; } function __destruct() { printf("%s\n", __METHOD__); if (!empty($this->file)) { if (strchr($this->file, "\\") === false && strchr($this->file, '/') === false) { $filename = dirname(__FILE__) ...
serVuln12 引用和session
源码
<?php
// Deliberately vulnerable CTF listing: the check inside __wakeup() is meant
// to be defeated. The comments describe the risk and the mitigation only.
error_reporting(0);
session_start();

class Pisces
{
    public $romance;
    public $fantasy;

    // Called automatically by unserialize() for every Pisces object it
    // rebuilds, i.e. on whatever serialized data reaches the process
    // (the page title points at the session store; that code is not shown here).
    function __wakeup()
    {
        printf("%s\n", __METHOD__);
        // rand() is not a CSPRNG and the search space is only 10000 values;
        // a real secret needs random_int()/random_bytes().
        $this->fantasy = md5(rand(1, 10000));
        // Both operands are object state that the deserialized payload
        // controls, so this equality is not an independent secret check.
        // Mitigation: never unserialize() untrusted input, keep __wakeup()
        // free of privileged actions, and compare secrets with hash_equals()
        // against a value kept server-side.
        if ($this->romance === $this->fantasy) {
            echo file_get_contents('/flag');
        }
    }
}
查看提示
// session.php<?phperror_reporting(0);ini_set('session.serialize_handler', 'php_serialize');sess ...
serVuln11 a phar trick
源码<?phperror_reporting(0);class Aquarius{ public function __wakeup() { printf("%s\n", __METHOD__); echo file_get_contents('/flag'); }}function Check($filename){ $mark = true; $black_list = ['php', 'file', 'glob', 'data', 'http', 'ftp', 'zip', 'https', 'ftps', 'phar']; printf("%s\n", __METHOD__); foreach ($ ...
serVuln10 a phar
源码
<?php
// Deliberately vulnerable CTF listing (page title: "a phar").
error_reporting(0);

class Capricorn
{
    // Runs inside unserialize() for any Capricorn object it rebuilds; the
    // privileged read here is what turns any deserialization sink into a
    // flag leak.
    public function __wakeup()
    {
        printf("%s\n", __METHOD__);
        echo file_get_contents('/flag');
    }
}

if (isset($_REQUEST['Capricorn'])) {
    // Untrusted path from the request goes straight into a filesystem
    // function. md5_file() goes through the stream layer, so stream wrappers
    // in the value are honoured; on PHP versions before 8.0 that includes the
    // implicit phar metadata unserialize, which is why this is a
    // deserialization sink although unserialize() is never called.
    // Mitigation: resolve the name against an allowlisted directory with
    // realpath()/basename(), reject anything containing "://", and avoid
    // classes with side-effecting __wakeup()/__destruct().
    $filename = $_REQUEST['Capricorn'];
    echo md5_file($filename);
} else {
    echo "系统检测发现该处漏洞,进行攻击测试\n";
}
?>
POC<?phperror_reporting(0);class Capricorn{}@unlink("cap.phar");$phar = n ...
serVuln9 ezpop
源码<?php//flag is in flag.phpclass Sagittarius{ private $arrow; public function append($value) { printf("%s\n", __METHOD__); include($value); echo $flag; } public function __invoke() { printf("%s\n", __METHOD__); $this->append($this->arrow); }}class Guardian{ public $jupiter; public $zeus; public function __toString() { printf("%s\n", __METHOD__ ...
serVuln8 反序列化字符增加逃逸
源码<?phpfunction filter($params){ $safe = array("flag", "/"); return str_replace($safe, "hack", $params);}class Scorpio{ var $hobby; var $trait = 'Mystery'; function __construct($hobby) { $this->hobby = $hobby; }}if (isset($_REQUEST['Scorpio'])) { $data = new Scorpio($_REQUEST['Scorpio']); var_dump($data); $serData = serialize($data); $profile = unserialize( ...
serVuln7 __call与属性的初始值
源码<?phpclass Justice{ private $head; private $tail = ''; function __destruct() { printf("%s\n", __METHOD__); $head = $this->head; $tail = $this->tail; $head->$tail(); }}class Libra{ public $name; function __call($func, $args) { printf("%s\n", __METHOD__); if ($func === 'symbolize' and $this->name === 'balance') { echo fil ...
serVuln6 私有属性反序列化
源码
<?php
// Deliberately vulnerable CTF listing (page title: private-property
// deserialization).
class Virgo
{
    private $comm;

    public function __construct($com)
    {
        $this->comm = $com;
    }

    // The destructor fires when the object rebuilt by unserialize() below is
    // released, so the payload-controlled $comm string reaches eval().
    // Private visibility is no protection: unserialize() restores private
    // properties from the payload just like public ones.
    function __destruct()
    {
        printf("%s\n", __METHOD__);
        // FLAG: eval() on data that originated in $_REQUEST is remote code
        // execution. Mitigation: never unserialize() untrusted input (prefer
        // json_decode(), or at least pass 'allowed_classes' => false), and do
        // not eval strings at all.
        echo eval($this->comm);
    }
}

if (isset($_REQUEST['Virgo'])) {
    // Deserialization sink: the raw request value becomes object state.
    unserialize($_REQUEST['Virgo']);
} else {
    echo "系统检测发现该处漏洞,进行攻击测试\n";
}
?>
POC<?phpclass Virgo{ private $comm; public functio ...
serVuln5 序列化格式过滤与CVE-2016-7124
源码
CVE-2016-7124 漏洞影响版本:PHP5 < 5.6.25,PHP7 < 7.0.10
<?php//secret in flag.phpclass Leo{ var $file = 'index.php'; public function __construct($file) { $this->file = $file; } function __destruct() { printf("%s\n", __METHOD__); include_once($this->file); echo $flag; } function __wakeup() { printf("%s\n", __METHOD__); $this->file = 'index.php'; ...