# easyweb

构造反序列化链，$\_SESSION通过PHP\_SESSION\_UPLOAD\_PROGRESS+PHPSESSID进行绕过，也可以通过属性数绕过\_\_wakeup，上传jpg文件通过phar协议反序列化。

读/etc/hosts得到ip地址10.10.10.5，写脚本扫描网段IP，得到10.10.10.10新站，该站可以发起curl请求，且通过phpinfo可以看到时FPM起的服务，通过gopherus攻击9000端口获得flag。


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook-88.gitbook.io/ctf-writeup/2022/2022-qiang-wang-bei/easyweb.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.