通过源码可以发现,这里先用isset()函数判断$_GET['tid']是否已设置(isset()只检查参数是否存在且不为null,并不校验其内容),然后再将GET方式传递的tid值赋值给变量$tid。下面这行代码很关键:
**$tid_zis=$c_sql->select("select id from type where tid={$tid}");**
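这一行通过$c_sql对象调用select()方法,并把变量$tid拼接进SQL语句 select id from type where tid={$tid} 中,且没有加引号。如果$tid在此之前以及select()内部都没有经过过滤或类型转换,tid就是一个数字型SQL注入点(修复时应使用intval()强制转换或预编译语句)。因此需要继续追踪select()函数,发现它定义在/cms/include/class_sql.php中: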
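// Reflection demo: obtains java.lang.Runtime through its private constructor and calls exec().
// Defensive relevance: the string "java.lang.Runtime" combined with getMethod("exec", ...) is a
// useful review and detection signal, because nothing in this snippet names Runtime statically.
Class<?> clazz = Class.forName("java.lang.Runtime");
// Fixed: the reflection API is getDeclaredConstructor(); "getDeclareConstructor" does not exist
// on java.lang.Class, so the original line could not compile.
Constructor<?> m = clazz.getDeclaredConstructor();
// The constructor fetched above is not public, so the language access check has to be
// switched off before newInstance() can be called on it.
// NOTE(review): on JDKs that enforce strong encapsulation of java.base this call is expected
// to throw InaccessibleObjectException instead of succeeding - confirm on the target JDK.
m.setAccessible(true);
// exec is an instance method, hence the freshly constructed Runtime as the invoke() receiver.
clazz.getMethod("exec", String.class).invoke(m.newInstance(), "calc.exe");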
package reflection; #Cat.java public class Cat { public Cat(){ } public Cat(String name){ } public void hi(){ // System.out.println("1"); } public void cry(){ // System.out.println("2"); } }
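/**
 * Compares the cost of a direct method call with the same call made through reflection.
 *
 * <p>Both measurements use {@link System#currentTimeMillis()}, so the printed figures are
 * coarse wall-clock milliseconds, not a rigorous benchmark.
 */
public class ReflectionDemo {

    /** Number of calls timed by each measurement. */
    private static final int ITERATIONS = 100000;

    /**
     * Runs the direct-call measurement followed by the reflective one.
     *
     * @param args unused
     */
    public static void main(String[] args)
            throws ClassNotFoundException, InvocationTargetException, InstantiationException,
                    IllegalAccessException, NoSuchMethodException {
        m1();
        m2();
    }

    /** Times {@code ITERATIONS} direct calls to {@code Cat.hi()} and prints the elapsed ms. */
    public static void m1() {
        Cat cat = new Cat();
        long start = System.currentTimeMillis();
        for (int i = 0; i < ITERATIONS; i++) {
            cat.hi();
        }
        long end = System.currentTimeMillis();
        System.out.println("传统方法耗时:" + (end - start));
    }

    /**
     * Times {@code ITERATIONS} calls to {@code Cat.hi()} made through {@link Method#invoke}
     * and prints the elapsed ms.
     *
     * @throws ClassNotFoundException if {@code reflection.Cat} is not on the class path
     * @throws NoSuchMethodException if the no-arg constructor or {@code hi()} is missing
     * @throws InstantiationException if {@code Cat} cannot be instantiated
     * @throws IllegalAccessException if the constructor or method is not accessible
     * @throws InvocationTargetException if the constructor or {@code hi()} itself throws
     */
    public static void m2()
            throws ClassNotFoundException, InstantiationException, IllegalAccessException,
                    NoSuchMethodException, InvocationTargetException {
        Class<?> cls = Class.forName("reflection.Cat");
        // Class.newInstance() is deprecated since Java 9 because it rethrows checked
        // exceptions from the constructor undeclared; go through the Constructor instead.
        Object o = cls.getDeclaredConstructor().newInstance();
        Method hi = cls.getMethod("hi");
        long start = System.currentTimeMillis();
        for (int i = 0; i < ITERATIONS; i++) {
            hi.invoke(o);
        }
        long end = System.currentTimeMillis();
        System.out.println("反射方法耗时:" + (end - start));
    }
}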
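/**
 * Times reflective calls to {@code Cat.hi()} with the access check disabled on the
 * {@link Method} object, then prints the elapsed milliseconds.
 *
 * <p>The loop here runs 1000000000 times, so its figure is not directly comparable with a
 * measurement taken over a smaller iteration count.
 *
 * @throws ClassNotFoundException if {@code reflection.Cat} is not on the class path
 * @throws NoSuchMethodException if the no-arg constructor or {@code hi()} is missing
 * @throws InstantiationException if {@code Cat} cannot be instantiated
 * @throws IllegalAccessException if the constructor or method is not accessible
 * @throws InvocationTargetException if the constructor or {@code hi()} itself throws
 */
public static void m3()
        throws ClassNotFoundException, InstantiationException, IllegalAccessException,
                NoSuchMethodException, InvocationTargetException {
    Class<?> cls = Class.forName("reflection.Cat");
    // Class.newInstance() is deprecated since Java 9; use the Constructor object instead.
    Object o = cls.getDeclaredConstructor().newInstance();
    Method hi = cls.getMethod("hi");
    // setAccessible(true) suppresses the Java language access check on every invoke().
    // The same switch is what lets reflection reach private members, so its use outside
    // of benchmarks and frameworks deserves attention in code review.
    hi.setAccessible(true);
    long start = System.currentTimeMillis();
    for (int i = 0; i < 1000000000; i++) {
        hi.invoke(o);
    }
    long end = System.currentTimeMillis();
    System.out.println("反射方法m3耗时:" + (end - start));
}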
Owl wvn n xhkm SBWav krttqbu gfq gja jhheu up yljycxjpu, vvtx R jzeh pydv usd zp lalhmk, ic brtkac ya whep{866q3755-t358-5119-txnr-juw666e8099m}, uroa okv!
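from pwn import *
from Crypto.Util.number import *
import gmpy2
import string
import hashlib
import itertools

# Candidate alphabet for the 4-character prefix: digits followed by ASCII letters.
table = string.digits + string.ascii_letters

# NOTE(review): 'url' and port look like placeholders left by the author; port is not
# defined anywhere in this snippet, so both must be filled in before the script can run.
r = remote('url', port)


def proof():
    """Answer the service's SHA-256 proof-of-work prompt.

    Reads a line of the form ``sha256(XXXX+<suffix>) == <hex digest>``, searches every
    4-character string over ``table`` for the prefix whose digest matches, and sends it.

    Raises:
        RuntimeError: if no 4-character prefix over ``table`` produces the digest
            (the original fell through silently and left the session waiting).
    """
    r.recvuntil(b'sha256(XXXX')
    line = r.recvline()[:-1].decode()
    print(line)
    # Known suffix sits between '+' and ')'; the target digest follows '== '.
    tmp = line[line.find('+') + 1:line.find(')')]
    print(tmp)
    aim = line[line.find('== ') + 3:]
    print(aim)
    # product() yields candidates in the same order as four nested loops over table;
    # the worst case is 62**4 (about 14.8 million) hash computations.
    for combo in itertools.product(table, repeat=4):
        ans = ''.join(combo)
        if hashlib.sha256((ans + tmp).encode()).hexdigest() == aim:
            print(ans)
            r.recvuntil(b'Plz Tell Me XXXX :')
            r.sendline(ans.encode())
            return
    raise RuntimeError('no 4-character prefix matches the proof-of-work digest')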
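/**
 * Shows three ways of obtaining a {@link Class} object and prints the name each one reports.
 */
public class GetClassName {

    /**
     * Prints the class name obtained via a class literal, via {@code getClass()} and via
     * {@code Class.forName}.
     *
     * @param args unused
     * @throws ClassNotFoundException if {@code com.GetClassName} cannot be located
     */
    public static void main(String[] args) throws ClassNotFoundException {
        // The .class literal of the type: resolved at compile time.
        Class<?> c1 = GetClassName.class;
        System.out.println(c1.getName());

        // getClass() on an instantiated object: returns the runtime class of that instance.
        GetClassName demo = new GetClassName();
        Class<?> c2 = demo.getClass();
        System.out.println(c2.getName());

        // Class.forName(String className): loads the class dynamically by name.
        // NOTE(review): assumes this class is declared in package com - confirm; otherwise
        // this lookup throws ClassNotFoundException.
        // The one-argument forName also initializes the class (runs its static
        // initializers), so the name should never be taken from untrusted input.
        Class<?> c3 = Class.forName("com.GetClassName");
        System.out.println(c3.getName());
    }
}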
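// Cat.java
/**
 * Small demo class with one private field and two public methods that print to stdout.
 */
public class Cat {

    // Private state; appended to the greeting printed by hi().
    private String name = "1";

    /** Prints {@code "hi"} followed by the current value of {@code name}. */
    public void hi() {
        System.out.println("hi" + name);
    }

    /** Prints {@code "miaomiaomiao"}. */
    public void cry() {
        System.out.println("miaomiaomiao");
    }
}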