<?php
// The flag is in flag.php.
//
// Deliberately vulnerable training script ("post_me"). It wraps two POST
// parameters in an object, serializes it, rewrites the serialized string with
// change(), and passes the result to unserialize().
// NOTE(review): the classes Author and Unknown below are never instantiated by
// the visible code; they can only come into existence through unserialize().

// Turn off all error reporting, so parse/unserialize failures are silent.
error_reporting(0);
echo '<title>post_me</title>';
// On a POST request, print this file's own syntax-highlighted source.
if($_SERVER['REQUEST_METHOD'] == 'POST'){
    highlight_file(__FILE__);
}

// Holder for the two request values; both properties are public and are
// therefore emitted by serialize() as length-prefixed strings.
class get_week{
    public $tmp;
    public $date;

    // Stores the two arguments unchanged; no validation or type check is done.
    function __construct($tmp,$date){
        $this->tmp=$tmp;
        $this->date=$date;
    }

    // Returns the Chinese weekday name for $this->date.
    // Not called anywhere in the visible script.
    function get_weekday(){
        // Normalise whatever strtotime() can parse into Y-m-d, then split it.
        $date_str=date('Y-m-d',strtotime($this->date));
        $arr=explode("-", $date_str);
        $year=$arr[0];
        $month=sprintf('%02d',$arr[1]);
        $day=sprintf('%02d',$arr[2]);
        // Midnight of that day.
        $hour = $minute = $second = 0;
        $strap = mktime($hour,$minute,$second,$month,$day,$year);
        // date("w") yields 0 (Sunday) through 6 (Saturday), used as the index.
        $number_wk=date("w",$strap);
        $weekArr=array("星期日","星期一","星期二","星期三","星期四","星期五","星期六");
        return $weekArr[$number_wk];
    }
}

class Author{
    public $a = 'hkcc';

    // Runs when an Author instance is destroyed and echoes 'Author: ' . $a.
    // NOTE(review): the concatenation converts $a to a string, so if $a holds
    // an object its __toString() is invoked here.
    function __destruct(){
        $res = 'Author: '.$this->a;
        echo $res;
    }
}

class Unknown{
    public $u = 'welcome.php';

    // Echoes the contents of the file named by $u.
    // NOTE(review): $u is used as a path with no allow-list or normalisation,
    // so whoever controls the property controls which file is read.
    // NOTE(review): nothing is returned although PHP requires __toString() to
    // return a string, so the conversion fails after the echo has happened.
    function __toString(){
        echo file_get_contents($this->u);
    }
}

// Replaces every '---' in $mi with '-' and returns the result; each
// replacement makes the string two bytes shorter.
// NOTE(review): when $mi is serialize() output, the s:N: length prefixes are
// not updated, so the declared lengths no longer match the data and the
// parser's view of where a string ends can be shifted by request content.
// Serialized data must not be filtered or rewritten after serialize().
function change($mi){
    return str_replace('---','-',$mi);
}

// Both values come straight from the request body, unvalidated.
$test = new get_week($_POST['tmp'],$_POST['date']);
// NOTE(review): unserialize() on a string that contains request-controlled
// bytes and was modified after serialization is unsafe (PHP object injection).
// Safer options: drop the serialize/unserialize round trip, use
// json_encode()/json_decode(), or pass ['allowed_classes' => false].
unserialize(change(serialize($test)));
?>
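这段代码存在严重的安全问题,特别是在处理用户输入和执行反序列化操作时。`$_POST['tmp']`和`$_POST['date']`未经任何校验就被写入对象属性;对象经`serialize()`序列化后,又被`change()`用`str_replace`把"`---`"替换为"`-`",字符串的实际长度因此与序列化数据中记录的长度不再一致。攻击者可以通过构造恶意的`$_POST['tmp']`和`$_POST['date']`参数,使这段被修改过的序列化字符串在`unserialize()`时被解析出攻击者指定的对象(即PHP对象注入),进而触发`Author::__destruct()`和`Unknown::__toString()`等魔术方法,执行攻击者期望的操作,在这段代码中就是通过`file_get_contents($this->u)`读取服务器上的文件。修复思路:不要在`serialize()`之后对序列化字符串做任何替换或过滤,也不要对包含用户可控内容的数据调用`unserialize()`;确实需要传递数据时改用`json_encode()`/`json_decode()`,或者在调用`unserialize()`时把`allowed_classes`选项设为`false`。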
以下是一种可能的攻击方式:
1. 攻击者构造恶意的`$_POST['tmp']`和`$_POST['date']`参数,将其传递给目标服务器。
2. 攻击者将恶意代码序列化,并修改序列化字符串中的"`---`"为"`-`",***