知识点

  • 反序列化
  • pop链的构造

启动靶机

1. 访问题目,直接给出了源码

  1. Welcome to index.php
  2. <?php
  3. //flag is in flag.php
  4. //WTF IS THIS?
  5. //Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
  6. //And Crack It!
  7. class Modifier {
  8.     protected  $var;
  9.     public function append($value){
  10.         include($value);
  11.     }
  12.     public function __invoke(){
  13.         $this->append($this->var);
  14.     }
  15. }
  17. class Show{
  18.     public $source;
  19.     public $str;
  20.     public function __construct($file='index.php'){
  21.         $this->source = $file;
  22.         echo 'Welcome to '.$this->source."<br>";
  23.     }
  24.     public function __toString(){
  25.         return $this->str->source;
  26.     }
  28.     public function __wakeup(){
  29.         if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
  30.             echo "hacker";
  31.             $this->source = "index.php";
  32.         }
  33.     }
  34. }
  36. class Test{
  37.     public $p;
  38.     public function __construct(){
  39.         $this->p = array();
  40.     }
  42.     public function __get($key){
  43.         $function = $this->p;
  44.         return $function();
  45.     }
  46. }
  48. if(isset($_GET['pop'])){
  49.     @unserialize($_GET['pop']);
  50. }
  51. else{
  52.     $a=new Show;
  53.     highlight_file(__FILE__);
  54. }