PHP/5.6.40字符逃逸

    1. <?php
    3. /*
    4. # -*- coding: utf-8 -*-
    5. # @Author: h1xa
    6. # @Date:   2020-12-03 02:37:19
    7. # @Last Modified by:   h1xa
    8. # @Last Modified time: 2020-12-03 16:05:38
    9. # @message.php
    10. # @email: h1xa@ctfer.com
    11. # @link: https://ctfer.com
    13. */
    16. error_reporting(0);
    17. session_start();
    19. class message{
    20.     public $from;
    21.     public $msg;
    22.     public $to;
    23.     public $token='user';
    24.     public function __construct($f,$m,$t){
    25.         $this->from = $f;
    26.         $this->msg = $m;
    27.         $this->to = $t;
    28.     }
    29. }
    31. $f = $_GET['f'];
    32. $m = $_GET['m'];
    33. $t = $_GET['t'];
    35. if(isset($f) && isset($m) && isset($t)){
    36.     $msg = new message($f,$m,$t);
    37.     $umsg = str_replace('fuck', 'loveU', serialize($msg));
    38.     $_SESSION['msg']=base64_encode($umsg);
    39.     echo 'Your message has been sent';
    40. }
    42. highlight_file(__FILE__);

    看注释发现 message.php

    1. <?php
    3. /*
    4. # -*- coding: utf-8 -*-
    5. # @Author: h1xa
    6. # @Date:   2020-12-03 15:13:03
    7. # @Last Modified by:   h1xa
    8. # @Last Modified time: 2020-12-03 15:17:17
    9. # @email: h1xa@ctfer.com
    10. # @link: https://ctfer.com
    12. */
    13. session_start();
    14. highlight_file(__FILE__);
    15. include('flag.php');
    17. class message{
    18.     public $from;
    19.     public $msg;
    20.     public $to;
    21.     public $token='user';
    22.     public function __construct($f,$m,$t){
    23.         $this->from = $f;
    24.         $this->msg = $m;
    25.         $this->to = $t;
    26.     }
    27. }
    29. if(isset($_COOKIE['msg'])){
    30.     $msg = unserialize(base64_decode($_SESSION['msg']));
    31.     if($msg->token=='admin'){
    32.         echo $flag;
    33.     }
    34. }

    看注释发现 message.php

    1. <?php
    3. /*
    4. # -*- coding: utf-8 -*-
    5. # @Author: h1xa
    6. # @Date:   2020-12-03 15:13:03
    7. # @Last Modified by:   h1xa
    8. # @Last Modified time: 2020-12-03 15:17:17
    9. # @email: h1xa@ctfer.com
    10. # @link: https://ctfer.com
    12. */
    13. session_start();
    14. highlight_file(__FILE__);
    15. include('flag.php');
    17. class message{
    18.     public $from;
    19.     public $msg;
    20.     public $to;
    21.     public $token='user';
    22.     public function __construct($f,$m,$t){
    23.         $this->from = $f;
    24.         $this->msg = $m;
    25.         $this->to = $t;
    26.     }
    27. }
    29. if(isset($_COOKIE['msg'])){
    30.     $msg = unserialize(base64_decode($_SESSION['msg']));
    31.     if($msg->token=='admin'){
    32.         echo $flag;
    33.     }
    34. }

    一开始没看出和 web262 有啥区别,仔细看了一下发现,反序列化时使用了 session 而不是直接通过 Cookie 接收

    做法和 web262中第二种做法一样,虽然不是通过 Cookie 接收,也别忘了了 Cookie 的 msg 字段附加个值,不然不满足

    1. if(isset($_COOKIE['msg'])){

    先请求 index.php (这里 poc 不明白怎么构造看一下 web262 第二种做法)
    image.png
    因为 PHP 的 session 是通过 Cookie 里的 PHPSESSID 获取的(不清除参考 web263 session 伪造),所以要记录下来,然后在 message.php 里带上。

    然后请求一下 message.php , 别忘了 Cookie 部分
    image.png
    flag
    ctfshow{6491abcd-1e5c-489b-b25f-9e941bc5c588}