题目
source👉buu
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}
public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
if(isset($_GET{'str'})) {
$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}
}
题解
代码分析
- include 提示目标flag.php
- 绕过is_valid函数
- 反序列化过程中,调用__destruct析构方法
若op===‘2’,将其赋为‘1’,同时contnt赋为空,之后进入process函数
NT:这里是强类型比较 - process函数
op==‘1’->write;op==‘2’->read;其他报错
NT:此处变为若类型比较 - read 有file_get_contents函数,读取文件,与第一步include练习
👉process要令op=2
file_get_contents函数读取filename的文件,filename可控
借助php://filter伪协议读取文件,获取文件后使用output函数输出
- NT:$op,$filename,$content三个变量权限都是protected,protected的变量在序列化后会有%00*%00字符,无法通过is_valid
解决
绕过%00
php7.1+ 版本对属性类型不敏感,本地序列化的时候将属性改为public即可进行绕过
在本地修改为:
public $op=2;
public $filename="flag.php";
public $content="yuri";
再获取其序列化字符串:
$a = new FileHandler();
echo serialize($a);
输出结果:
再将获取的字符串上传,在源码中可以获取:
NT:
也可用伪协议
public $filename = "php://filter/read=convert.base64-encode/resource=flag.php";
此时flag可直接在页面显示,转码即可