{"id":89,"date":"2025-12-28T20:26:41","date_gmt":"2025-12-28T12:26:41","guid":{"rendered":"http:\/\/154.36.185.147\/?p=89"},"modified":"2026-02-01T20:32:34","modified_gmt":"2026-02-01T12:32:34","slug":"%e9%95%bf%e5%9f%8e%e6%9d%afctf%e7%9a%84%e9%83%a8%e5%88%86web%e9%a2%98%e7%9b%aewp","status":"publish","type":"post","link":"http:\/\/www.plutoze.xyz\/index.php\/2025\/12\/28\/%e9%95%bf%e5%9f%8e%e6%9d%afctf%e7%9a%84%e9%83%a8%e5%88%86web%e9%a2%98%e7%9b%aewp\/","title":{"rendered":"\u957f\u57ce\u676fCTF\u7684\u90e8\u5206WEB\u9898\u76eeWP"},"content":{"rendered":"\n

WP\uff1a<\/strong><\/p>\n\n\n\n

Hellogate\uff1a<\/strong><\/p>\n\n\n\n

\u4e0b\u8f7d\u56fe\u7247\uff0c\u53d1\u73b0\u56fe\u7247\u540e\u65b9\u6709\u9690\u5199\uff0c\u63d0\u53d6\u51fa\u6765<\/p>\n\n\n\n

<?php\n\nerror_reporting(0);\n\nclass A {\n\npublic $handle;\n\npublic function triggerMethod() {\n\necho \"\" . $this->handle;\n\n}\n\n}\n\nclass B {\n\npublic $worker;\n\npublic $cmd;\n\npublic function __toString() {\n\nreturn $this->worker->result;\n\n}\n\n}\n\nclass C {\n\npublic $cmd;\n\npublic function __get($name) {\n\necho file_get_contents($this->cmd);\n\n}\n\n}\n\n$raw = isset($_POST['data']) ? $_POST['data'] : '';\n\nheader('Content-Type: image\/jpeg');\n\nreadfile(\"muzujijiji.jpg\");\n\nhighlight_file(__FILE__);\n\n$obj = unserialize($_POST['data']);\n\n$obj->triggerMethod();<\/code><\/pre>\n\n\n\n
\u6784\u5efa\u5bf9\u8c61\uff0c\u5e76\u8fdb\u884c\u7f16\u8bd1\uff0c\u4e0a\u4f20\u5230 data\uff0c\u5f97\u5230\u56fe\u7247\uff0c\u89c2\u5bdf\u9690\u5199\uff0c\u5f97\u5230 flag<\/p>\n\n\n\n
Dedecms\uff1a<\/strong><\/p>\n\n\n\n
\u6ce8\u518c\u8d26\u53f7\u540e\u53d1\u73b0\u6709\u4e00\u4e2a Aa123456789 \u4e3a\u7ba1\u7406\u5458\u8d26\u53f7\uff0c\u5c1d\u8bd5\u8d26\u53f7\u5bc6\u7801\u90fd\u4e3a Aa123456789\uff0c\u767b\u5f55\uff0c<\/p>\n\n\n\n
\u4e4b\u540e\u4e0a\u4f20\u56fe\u7247\u9a6c\uff08\u52a0\u8f7d\u4e00\u53e5\u8bdd\u6728\u9a6c\uff09\uff0c\u540e\u7f00\u540d\u6539\u4e3a jpg\uff0c\u5c1d\u8bd5\u4f7f\u7528 CVE-2018-9144 \u6f0f\u6d1e\u5c06\u540e<\/p>\n\n\n\n
\u7f00\u6539\u4e3a php\uff0c\u53d1\u73b0\u6743\u9650\u4e0d\u8db3\uff0c\u6539\u4e3a\u7528 bp \u6539\u540e\u7f00\uff0c\u4e0a\u4f20\u4e4b\u540e\uff0c\u518d\u7528\u8681\u5251\u8fdb\u884c\u8fde\u63a5\uff0c\u5f97\u5230 flag\u3002<\/p>\n\n\n\n
AIWAF\uff1a<\/strong><\/p>\n\n\n\n
\u901a\u8fc7\u957f\u6ce8\u91ca\u5e72\u6270\u5224\u65ad\uff0c\u964d\u4f4eAI\u8d28\u7591\u5ea6\uff0c\u8fdb\u884cSQL\u6ce8\u5165<\/p>\n","protected":false},"excerpt":{"rendered":"
WP\uff1a Hellogate\uff1a \u4e0b\u8f7d\u56fe\u7247\uff0c\u53d1\u73b0\u56fe\u7247\u540e\u65b9\u6709\u9690\u5199\uff0c\u63d0\u53d6\u51fa\u6765 \u6784\u5efa\u5bf9\u8c61\uff0c\u5e76\u8fdb\u884c\u7f16\u8bd1\uff0c\u4e0a\u4f20\u5230 data\uff0c […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-89","post","type-post","status-publish","format-standard","hentry","category-learn"],"_links":{"self":[{"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/posts\/89","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=89"}],"version-history":[{"count":2,"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/posts\/89\/revisions"}],"predecessor-version":[{"id":92,"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/posts\/89\/revisions\/92"}],"wp:attachment":[{"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=89"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/categories?post=89"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.plutoze.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=89"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}