BUU CODE REVIEW 1
考点知识:反序列化,md5绕过
魔术方法 __destruct(): 对象的所有引用都被删除或者当对象被显式销毁时执行
题目:
<?php /** * Created by PhpStorm. * User: jinzhao * Date: 2019/10/6 * Time: 8:04 PM */ highlight_file(__FILE__); class BUU { public $correct = ""; public $input = ""; public function __destruct() { try { $this->correct = base64_encode(uniqid()); if($this->correct === $this->input) { echo file_get_contents("/flag"); } } catch (Exception $e) { } } } if($_GET['pleaseget'] === '1') { if($_POST['pleasepost'] === '2') { if(md5($_POST['md51']) == md5($_POST['md52']) && $_POST['md51'] != $_POST['md52']) { unserialize($_POST['obj']); } } }
解决:
一、构造序列化
输出结果得到flag
注:此处可用 md51=QNKCDZO&md52=240610708(弱类型)或者 md5[]=1&md52[]=2(数组)