给自动化代码审计的大佬跪了。 出题人写的WP在这里:强网杯[pop_master]与[陀那多]赛题的出题记录 复现可以到BUUCTF,启动[QWB2021 Quals]popmaster这道题就ok。 按大佬的解法,首先要安装php-parser,把题目的代码转换成抽象语法树。 这里在kali安装一波php-parser: 1.wget https://getcomposer.org/installer  2.mv installer installer.php 3.php installer.php  出现这个说明前置要求的composer.phar安装成功,在当前目录下就会多出来一个叫composer.phar的文件 4.php composer.phar require nikic/php-parser  至此php-parser安装成功。 然后把大佬的EXP下载下来,解压到当前目录中 然后将赛题中class.php的内容复制到本exp的code.php中。 然后在main.php的全局变量中为入口方法与入口参数名赋值 运行main.php:  成功找到一条pop链。 从上往下依次调用的类如下:
// Gadget class quoted verbatim from the challenge. Entry point of the chain the
// writeup found (ZChdNQ -> idczwVU->dBIySo, see the trace printed after the listing).
class iK68Ma{
// Next hop of the chain: expected to hold an object exposing dBIySo() (and,
// for KwdKLD, optionally OfeG0D()/Ht7Idq()). Nothing in this class validates it.
public $idczwVU;
// Chain entry. Forwards $uoPYr unchanged to $this->idczwVU->dBIySo().
public function ZChdNQ($uoPYr){
// Loop only assigns an unused local; obfuscation noise with no effect on $uoPYr.
for($i = 0; $i < 27; $i ++){
$ahMdeN= $uoPYr;
}
// Unguarded call: if $idczwVU is not an object with dBIySo() this throws an Error.
$this->idczwVU->dBIySo($uoPYr);
}
// Not on the found chain. Calls OfeG0D() and then Ht7Idq() on $idczwVU, each only
// if method_exists() reports it; both may run for the same argument.
public function KwdKLD($heMeq){
// Unused-local loop, same noise pattern as above.
for($i = 0; $i < 25; $i ++){
$aYdeiy= $heMeq;
}
if(method_exists($this->idczwVU, 'OfeG0D')) $this->idczwVU->OfeG0D($heMeq);
if(method_exists($this->idczwVU, 'Ht7Idq')) $this->idczwVU->Ht7Idq($heMeq);
}
}
// Gadget class quoted verbatim from the challenge. Second hop of the found chain
// (dBIySo -> E6DqVVy->X0l7ws); also carries a direct eval() sink in mYy8r9.
class FUePM1{
// Next hop of the chain: expected to hold an object exposing X0l7ws() and/or DRvlCc().
public $E6DqVVy;
// Not on the found chain, but a sink: eval() of whatever string reaches $VHXSV.
// Any path that lands here with attacker-controlled data is code execution.
public function mYy8r9($VHXSV){
eval($VHXSV);
}
// On the chain. Forwards $NdSF7 unchanged to X0l7ws() and then DRvlCc() on
// $E6DqVVy, each guarded by method_exists().
public function dBIySo($NdSF7){
// Unused-local loop; obfuscation noise, $NdSF7 is not modified.
for($i = 0; $i < 31; $i ++){
$aCGtQC= $NdSF7;
}
if(method_exists($this->E6DqVVy, 'X0l7ws')) $this->E6DqVVy->X0l7ws($NdSF7);
if(method_exists($this->E6DqVVy, 'DRvlCc')) $this->E6DqVVy->DRvlCc($NdSF7);
}
}
// Gadget class quoted verbatim from the challenge. Third hop of the found chain
// (X0l7ws -> RdKfLNa->LyI1rT).
class PpkuMu{
// Next hop: expected to hold an object exposing LyI1rT() and/or SgrM8C().
public $RdKfLNa;
// On the chain. Forwards $mHYKg unchanged to LyI1rT() and then SgrM8C() on
// $RdKfLNa, each guarded by method_exists().
public function X0l7ws($mHYKg){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 12; $i ++){
$aHe1yD= $mHYKg;
}
if(method_exists($this->RdKfLNa, 'LyI1rT')) $this->RdKfLNa->LyI1rT($mHYKg);
if(method_exists($this->RdKfLNa, 'SgrM8C')) $this->RdKfLNa->SgrM8C($mHYKg);
}
}
// Gadget class quoted verbatim from the challenge. Fourth hop of the found chain
// (LyI1rT -> cukqF5g->duxg5w). This hop changes the payload: 'd3ryz' is appended.
class lQEivC{
// Next hop: expected to hold an object exposing duxg5w(); the call is unguarded.
public $cukqF5g;
// On the chain. The condition 45090>37895 is a compile-time constant and always
// true, so 'd3ryz' is always appended to $IZS2b before it is forwarded.
public function LyI1rT($IZS2b){
if(45090>37895){
$IZS2b = $IZS2b.'d3ryz';
}
// No method_exists() guard: a missing duxg5w() on $cukqF5g throws an Error.
$this->cukqF5g->duxg5w($IZS2b);
}
}
// Gadget class quoted verbatim from the challenge. Fifth hop of the found chain
// (duxg5w -> Lq9qhK8->D2VmWz). The argument passes through unchanged.
class b01WbW{
// Next hop: expected to hold an object exposing D2VmWz(); the call is unguarded.
public $Lq9qhK8;
// On the chain. 5684>13902 is a constant false, so the 'T10Z7' branch is dead
// and $vZHGI is forwarded exactly as received.
public function duxg5w($vZHGI){
if(5684>13902){
$vZHGI = $vZHGI.'T10Z7';
}
$this->Lq9qhK8->D2VmWz($vZHGI);
}
}
// Gadget class quoted verbatim from the challenge. Sixth hop of the found chain
// (D2VmWz -> qzrtSV4->w5pPNI). This hop appends 'nY2ch' to the payload.
class f0qwA1{
// Next hop: expected to hold an object exposing GoflfG() and/or w5pPNI().
public $qzrtSV4;
// On the chain. 46062>13027 is a constant true, so 'nY2ch' is always appended,
// then GoflfG() and w5pPNI() are tried in that order (method_exists() guarded).
public function D2VmWz($rAFOd){
if(46062>13027){
$rAFOd = $rAFOd.'nY2ch';
}
if(method_exists($this->qzrtSV4, 'GoflfG')) $this->qzrtSV4->GoflfG($rAFOd);
if(method_exists($this->qzrtSV4, 'w5pPNI')) $this->qzrtSV4->w5pPNI($rAFOd);
}
// Not on the found chain. Looks like an eval() sink, but the argument is
// overwritten with the fixed string 'rz2rQ' first, so caller input never
// reaches this eval (a decoy sink).
public function S0ZnP5($fUICU){
$fUICU='rz2rQ';
eval($fUICU);
}
}
// Gadget class quoted verbatim from the challenge. Seventh hop of the found chain
// (w5pPNI -> eza0eDa->x5cLyL).
class A8Hrl9{
// Next hop: expected to hold an object exposing Y875fS() (m5y1tn) or
// x5cLyL()/FxBMgt() (w5pPNI).
public $eza0eDa;
// Not on the found chain. Forwards $sRmiu unchanged to Y875fS() without a
// method_exists() guard.
public function m5y1tn($sRmiu){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 22; $i ++){
$aFkTG8= $sRmiu;
}
$this->eza0eDa->Y875fS($sRmiu);
}
// On the chain. Forwards $rBHDq unchanged to x5cLyL() and then FxBMgt() on
// $eza0eDa, each guarded by method_exists().
public function w5pPNI($rBHDq){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 34; $i ++){
$anEc8e= $rBHDq;
}
if(method_exists($this->eza0eDa, 'x5cLyL')) $this->eza0eDa->x5cLyL($rBHDq);
if(method_exists($this->eza0eDa, 'FxBMgt')) $this->eza0eDa->FxBMgt($rBHDq);
}
}
// Gadget class quoted verbatim from the challenge. Eighth hop of the found chain
// (x5cLyL -> e3S2ho9->Ga3P6G).
class fsPwZp{
// Next hop: expected to hold an object exposing GCWOUv()/COxWXm() (pi40mR) or
// Ga3P6G()/kQA0gZ() (x5cLyL).
public $e3S2ho9;
// Not on the found chain. Forwards $iE5d6 unchanged to GCWOUv() and then
// COxWXm(), each guarded by method_exists().
public function pi40mR($iE5d6){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 3; $i ++){
$ayGoha= $iE5d6;
}
if(method_exists($this->e3S2ho9, 'GCWOUv')) $this->e3S2ho9->GCWOUv($iE5d6);
if(method_exists($this->e3S2ho9, 'COxWXm')) $this->e3S2ho9->COxWXm($iE5d6);
}
// On the chain. Forwards $Y0CuX unchanged to Ga3P6G() and then kQA0gZ().
public function x5cLyL($Y0CuX){
// Writes a property (kyuZO) that this class never declares; the value is
// never read here. Dynamic property creation is deprecated from PHP 8.2.
$this->kyuZO = "FwVot";
if(method_exists($this->e3S2ho9, 'Ga3P6G')) $this->e3S2ho9->Ga3P6G($Y0CuX);
if(method_exists($this->e3S2ho9, 'kQA0gZ')) $this->e3S2ho9->kQA0gZ($Y0CuX);
}
}
// Gadget class quoted verbatim from the challenge. Ninth hop of the found chain
// (Ga3P6G -> hzqdZnB->GVcxei). This hop appends 'Mih8l' to the payload.
class hI0kh1{
// Next hop: expected to hold an object exposing fRIqxG()/lCqWcK() (RYDwgz) or
// GVcxei() (Ga3P6G, unguarded call).
public $hzqdZnB;
// Not on the found chain. Forwards $iBrG6 unchanged to fRIqxG() and then
// lCqWcK(), each guarded by method_exists().
public function RYDwgz($iBrG6){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 22; $i ++){
$amDAyG= $iBrG6;
}
if(method_exists($this->hzqdZnB, 'fRIqxG')) $this->hzqdZnB->fRIqxG($iBrG6);
if(method_exists($this->hzqdZnB, 'lCqWcK')) $this->hzqdZnB->lCqWcK($iBrG6);
}
// On the chain. 64344>10659 is a constant true, so 'Mih8l' is always appended
// before the unguarded call to GVcxei().
public function Ga3P6G($fQe2l){
if(64344>10659){
$fQe2l = $fQe2l.'Mih8l';
}
$this->hzqdZnB->GVcxei($fQe2l);
}
}
// Gadget class quoted verbatim from the challenge. Tenth hop of the found chain
// (GVcxei -> o0UvaLN->Y4BK4w). The argument passes through unchanged.
class wwAhgn{
// Next hop: expected to hold an object exposing Y4BK4w() and/or CgGYnz().
public $o0UvaLN;
// Not on the found chain. Decoy eval() sink: the argument is replaced by the
// fixed string 'MSXaq' before eval, so caller input never reaches it.
public function yiHzmg($M51HZ){
$M51HZ='MSXaq';
eval($M51HZ);
}
// On the chain. 12658>53742 is a constant false, so the 'KdfZX' branch is dead;
// $swtHR is forwarded as received to Y4BK4w() and then CgGYnz() (both guarded).
public function GVcxei($swtHR){
if(12658>53742){
$swtHR = $swtHR.'KdfZX';
}
if(method_exists($this->o0UvaLN, 'Y4BK4w')) $this->o0UvaLN->Y4BK4w($swtHR);
if(method_exists($this->o0UvaLN, 'CgGYnz')) $this->o0UvaLN->CgGYnz($swtHR);
}
}
// Gadget class quoted verbatim from the challenge. Eleventh hop of the found chain
// (Y4BK4w -> pO3xqwU->pYekV8); also carries a direct eval() sink in E9DBfN.
class vPF9b1{
// Next hop: expected to hold an object exposing pYekV8() and/or o5YxZp().
public $pO3xqwU;
// Not on the found chain, but a live sink: eval() of whatever reaches $F3Sc7.
public function E9DBfN($F3Sc7){
eval($F3Sc7);
}
// On the chain. 27682>55148 is a constant false, so the 'YtGlr' branch is dead;
// $yFaEP is forwarded unchanged to pYekV8() and then o5YxZp() (both guarded).
public function Y4BK4w($yFaEP){
if(27682>55148){
$yFaEP = $yFaEP.'YtGlr';
}
if(method_exists($this->pO3xqwU, 'pYekV8')) $this->pO3xqwU->pYekV8($yFaEP);
if(method_exists($this->pO3xqwU, 'o5YxZp')) $this->pO3xqwU->o5YxZp($yFaEP);
}
}
// Gadget class quoted verbatim from the challenge. Twelfth hop of the found chain
// (pYekV8 -> qu2ChWC->hsrB5s).
class LLQVys{
// Next hop: expected to hold an object exposing krbAUa()/UPkARo() (asebRe) or
// hsrB5s()/silIKG() (pYekV8).
public $qu2ChWC;
// Not on the found chain. 59532>41124 is a constant true, so 'Ypq1W' is always
// appended before krbAUa() and then UPkARo() are tried (both guarded).
public function asebRe($y5KV6){
if(59532>41124){
$y5KV6 = $y5KV6.'Ypq1W';
}
if(method_exists($this->qu2ChWC, 'krbAUa')) $this->qu2ChWC->krbAUa($y5KV6);
if(method_exists($this->qu2ChWC, 'UPkARo')) $this->qu2ChWC->UPkARo($y5KV6);
}
// On the chain. Forwards $g1bB9 unchanged to hsrB5s() and then silIKG() (both guarded).
public function pYekV8($g1bB9){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 37; $i ++){
$aQyleM= $g1bB9;
}
if(method_exists($this->qu2ChWC, 'hsrB5s')) $this->qu2ChWC->hsrB5s($g1bB9);
if(method_exists($this->qu2ChWC, 'silIKG')) $this->qu2ChWC->silIKG($g1bB9);
}
}
// Gadget class quoted verbatim from the challenge. Thirteenth hop of the found
// chain (hsrB5s -> AXGX1eO->kL7zby); also carries a direct eval() sink in GNFVEa.
class dpkRFk{
// Next hop: expected to hold an object exposing kL7zby() and/or CVkxk8().
public $AXGX1eO;
// Not on the found chain, but a live sink: eval() of whatever reaches $MV4wt.
public function GNFVEa($MV4wt){
eval($MV4wt);
}
// On the chain. Forwards $U5e8Z unchanged to kL7zby() and then CVkxk8() (both guarded).
public function hsrB5s($U5e8Z){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 36; $i ++){
$ahM9Bs= $U5e8Z;
}
if(method_exists($this->AXGX1eO, 'kL7zby')) $this->AXGX1eO->kL7zby($U5e8Z);
if(method_exists($this->AXGX1eO, 'CVkxk8')) $this->AXGX1eO->CVkxk8($U5e8Z);
}
}
// Gadget class quoted verbatim from the challenge. Fourteenth hop of the found
// chain (kL7zby -> LZtNeXi->HbQCtF); also carries a direct eval() sink in pLg1sX.
class mhbXyr{
// Next hop: expected to hold an object exposing HbQCtF() and/or l8hBOt().
public $LZtNeXi;
// On the chain. Forwards $wtrNx unchanged to HbQCtF() and then l8hBOt() (both guarded).
public function kL7zby($wtrNx){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 33; $i ++){
$aGvShI= $wtrNx;
}
if(method_exists($this->LZtNeXi, 'HbQCtF')) $this->LZtNeXi->HbQCtF($wtrNx);
if(method_exists($this->LZtNeXi, 'l8hBOt')) $this->LZtNeXi->l8hBOt($wtrNx);
}
// Not on the found chain, but a live sink: eval() of whatever reaches $gEiK2.
public function pLg1sX($gEiK2){
eval($gEiK2);
}
}
// Gadget class quoted verbatim from the challenge. Fifteenth hop of the found
// chain (HbQCtF -> ofPr5VX->KXgmGS).
class tbF89W{
// Next hop: expected to hold an object exposing KXgmGS() (HbQCtF, unguarded
// call) or Bc4Z0K()/XFXVH8() (yMuG3S).
public $ofPr5VX;
// On the chain. Forwards $vDMtf unchanged to KXgmGS() without a method_exists() guard.
public function HbQCtF($vDMtf){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 10; $i ++){
$aHm6ki= $vDMtf;
}
$this->ofPr5VX->KXgmGS($vDMtf);
}
// Not on the found chain. Forwards $bBb8t unchanged to Bc4Z0K() and then
// XFXVH8(), each guarded by method_exists().
public function yMuG3S($bBb8t){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 2; $i ++){
$ag6GvF= $bBb8t;
}
if(method_exists($this->ofPr5VX, 'Bc4Z0K')) $this->ofPr5VX->Bc4Z0K($bBb8t);
if(method_exists($this->ofPr5VX, 'XFXVH8')) $this->ofPr5VX->XFXVH8($bBb8t);
}
}
// Gadget class quoted verbatim from the challenge. Sixteenth hop of the found
// chain (KXgmGS -> yM7GCmo->BVZEev).
class txEQwc{
// Next hop: expected to hold an object exposing BVZEev() (KXgmGS) or Rb2ghL()
// (SCmd23); both calls are unguarded.
public $yM7GCmo;
// On the chain. Forwards $zGfu6 unchanged to BVZEev().
public function KXgmGS($zGfu6){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 20; $i ++){
$aIlgAf= $zGfu6;
}
$this->yM7GCmo->BVZEev($zGfu6);
}
// Not on the found chain. Writes an undeclared property (TZqbo) that is never
// read here, then forwards $x1uAa unchanged to Rb2ghL().
public function SCmd23($x1uAa){
$this->TZqbo = "zMx2U";
$this->yM7GCmo->Rb2ghL($x1uAa);
}
}
// Gadget class quoted verbatim from the challenge. Seventeenth hop of the found
// chain (BVZEev -> yFCstwS->Lutxdu).
class vmGi0h{
// Next hop: expected to hold an object exposing Lutxdu()/BsroK5() (BVZEev) or
// iRuuYG()/MFoLvK() (ZoUxU4).
public $yFCstwS;
// On the chain. Forwards $Y4SzZ unchanged to Lutxdu() and then BsroK5() (both guarded).
public function BVZEev($Y4SzZ){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 16; $i ++){
$aO5GD4= $Y4SzZ;
}
if(method_exists($this->yFCstwS, 'Lutxdu')) $this->yFCstwS->Lutxdu($Y4SzZ);
if(method_exists($this->yFCstwS, 'BsroK5')) $this->yFCstwS->BsroK5($Y4SzZ);
}
// Not on the found chain. 16329>14391 is a constant true, so 'pyUFh' is always
// appended before iRuuYG() and then MFoLvK() are tried (both guarded).
public function ZoUxU4($OItYE){
if(16329>14391){
$OItYE = $OItYE.'pyUFh';
}
if(method_exists($this->yFCstwS, 'iRuuYG')) $this->yFCstwS->iRuuYG($OItYE);
if(method_exists($this->yFCstwS, 'MFoLvK')) $this->yFCstwS->MFoLvK($OItYE);
}
}
// Gadget class quoted verbatim from the challenge. Eighteenth hop of the found
// chain (Lutxdu -> LTrFgur->TZMXmr). The argument passes through unchanged.
class pMMWY1{
// Next hop: expected to hold an object exposing BR6xZZ()/YsK7kg() (U372yi) or
// TZMXmr()/lsU08u() (Lutxdu).
public $LTrFgur;
// Not on the found chain. 36957>49310 is a constant false, so the 'C8YZa' branch
// is dead; $ff3hn is forwarded as received to BR6xZZ() and then YsK7kg() (guarded).
public function U372yi($ff3hn){
if(36957>49310){
$ff3hn = $ff3hn.'C8YZa';
}
if(method_exists($this->LTrFgur, 'BR6xZZ')) $this->LTrFgur->BR6xZZ($ff3hn);
if(method_exists($this->LTrFgur, 'YsK7kg')) $this->LTrFgur->YsK7kg($ff3hn);
}
// On the chain. 59548>64585 is a constant false, so the 'EpStI' branch is dead;
// $p08n8 is forwarded unchanged to TZMXmr() and then lsU08u() (both guarded).
public function Lutxdu($p08n8){
if(59548>64585){
$p08n8 = $p08n8.'EpStI';
}
if(method_exists($this->LTrFgur, 'TZMXmr')) $this->LTrFgur->TZMXmr($p08n8);
if(method_exists($this->LTrFgur, 'lsU08u')) $this->LTrFgur->lsU08u($p08n8);
}
}
// Gadget class quoted verbatim from the challenge. Nineteenth hop of the found
// chain (TZMXmr -> duZLydY->xB56gm). This hop appends 'wm55D' to the payload.
class iAHZE7{
// Next hop: expected to hold an object exposing xB56gm()/RdW9KV() (TZMXmr) or
// cgdOPa()/F0HehV() (fFcHmG).
public $duZLydY;
// On the chain. 59026>4721 is a constant true, so 'wm55D' is always appended
// before xB56gm() and then RdW9KV() are tried (both guarded).
public function TZMXmr($I5Hps){
if(59026>4721){
$I5Hps = $I5Hps.'wm55D';
}
if(method_exists($this->duZLydY, 'xB56gm')) $this->duZLydY->xB56gm($I5Hps);
if(method_exists($this->duZLydY, 'RdW9KV')) $this->duZLydY->RdW9KV($I5Hps);
}
// Not on the found chain. Writes an undeclared property (xxXMx) that is never
// read here, then forwards $ySgbg unchanged to cgdOPa() and then F0HehV() (guarded).
public function fFcHmG($ySgbg){
$this->xxXMx = "GhptI";
if(method_exists($this->duZLydY, 'cgdOPa')) $this->duZLydY->cgdOPa($ySgbg);
if(method_exists($this->duZLydY, 'F0HehV')) $this->duZLydY->F0HehV($ySgbg);
}
}
// Gadget class quoted verbatim from the challenge. Twentieth hop of the found
// chain (xB56gm -> rxzule4->EfPQZq).
class nAQgPC{
// Next hop: expected to hold an object exposing AP4l30()/iWTuHp() (LNwRKe) or
// EfPQZq()/HtsI5F() (xB56gm).
public $rxzule4;
// Not on the found chain. Forwards $sb81D unchanged to AP4l30() and then
// iWTuHp(), each guarded by method_exists().
public function LNwRKe($sb81D){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 11; $i ++){
$aTXAY1= $sb81D;
}
if(method_exists($this->rxzule4, 'AP4l30')) $this->rxzule4->AP4l30($sb81D);
if(method_exists($this->rxzule4, 'iWTuHp')) $this->rxzule4->iWTuHp($sb81D);
}
// On the chain. Forwards $Gi6T1 unchanged to EfPQZq() and then HtsI5F() (both guarded).
public function xB56gm($Gi6T1){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 32; $i ++){
$aQNy2N= $Gi6T1;
}
if(method_exists($this->rxzule4, 'EfPQZq')) $this->rxzule4->EfPQZq($Gi6T1);
if(method_exists($this->rxzule4, 'HtsI5F')) $this->rxzule4->HtsI5F($Gi6T1);
}
}
// Gadget class quoted verbatim from the challenge. Twenty-first hop of the found
// chain (EfPQZq -> drDfF9f->k1UgFG); also carries a direct eval() sink in HhFafK.
class ypLlh4{
// Next hop: expected to hold an object exposing k1UgFG(); the call is unguarded.
public $drDfF9f;
// On the chain. Forwards $gWXlK unchanged to k1UgFG().
public function EfPQZq($gWXlK){
// Unused-local loop; obfuscation noise.
for($i = 0; $i < 27; $i ++){
$ayyNgp= $gWXlK;
}
$this->drDfF9f->k1UgFG($gWXlK);
}
// Not on the found chain, but a live sink: eval() of whatever reaches $wprgq.
public function HhFafK($wprgq){
eval($wprgq);
}
}
// Gadget class quoted verbatim from the challenge. Final hop of the found chain:
// k1UgFG() is the eval() sink the whole chain feeds.
class lcasFl{
// Only used by HQ0Tay (not on the found chain); k1UgFG ignores it.
public $Qwk0hM4;
// Chain sink. 28486>31029 is a constant false, so the 'ggaP6' branch is dead and
// eval() runs on $bZ3qz exactly as the previous hop delivered it. Whatever suffixes
// earlier hops appended are therefore part of the evaluated string.
public function k1UgFG($bZ3qz){
if(28486>31029){
$bZ3qz = $bZ3qz.'ggaP6';
}
eval($bZ3qz);
}
// Not on the found chain. 14880>44194 is a constant false, so the 'Pwsxa' branch
// is dead; $LoYfR is forwarded as received to Vpl74t() and then L4Sn0Q() (guarded).
public function HQ0Tay($LoYfR){
if(14880>44194){
$LoYfR = $LoYfR.'Pwsxa';
}
if(method_exists($this->Qwk0hM4, 'Vpl74t')) $this->Qwk0hM4->Vpl74t($LoYfR);
if(method_exists($this->Qwk0hM4, 'L4Sn0Q')) $this->Qwk0hM4->L4Sn0Q($LoYfR);
}
}
ZChdNQ======>dBIySo======>X0l7ws======>LyI1rT======>duxg5w======>D2VmWz======>w5pPNI======>x5cLyL======>Ga3P6G======>GVcxei======>Y4BK4w======>pYekV8======>hsrB5s======>kL7zby======>HbQCtF======>KXgmGS======>BVZEev======>Lutxdu======>TZMXmr======>xB56gm======>EfPQZq======>k1UgFG======>eval
根据这个pop链构造POC如下:
|