N1CTF2020-Web-SignIn WP

给了源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<?php 
class ip {
public $ip;
public function waf($info){
}
public function __construct() {
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$this->ip = $this->waf($_SERVER['HTTP_X_FORWARDED_FOR']);
}else{
$this->ip =$_SERVER["REMOTE_ADDR"];
}
}
public function __toString(){
$con=mysqli_connect("localhost","root","********","n1ctf_websign");
$sqlquery=sprintf("INSERT into n1ip(`ip`,`time`) VALUES ('%s','%s')",$this->waf($_SERVER['HTTP_X_FORWARDED_FOR']),time());
if(!mysqli_query($con,$sqlquery)){
return mysqli_error($con);
}else{
return "your ip looks ok!";
}
mysqli_close($con);
}
}

class flag {
public $ip;
public $check;
public function __construct($ip) {
$this->ip = $ip;
}
public function getflag(){
if(md5($this->check)===md5("key****************")){
readfile('/flag');
}
return $this->ip;
}
public function __wakeup(){
if(stristr($this->ip, "n1ctf")!==False)
$this->ip = "welcome to n1ctf2020";
else
$this->ip = "noip";
}
public function __destruct() {
echo $this->getflag();
}

}
if(isset($_GET['input'])){
$input = $_GET['input'];
unserialize($input);
}

分析一波:显然这个是个反序列化题。

推测一下POP链:

绕过__wakeup__destructecho触发__toString,然后报错注入得到需要的key,最后得到答案。

那测试一下试试,发现没办法绕过__wakeup(PHP5.5.9),就很奇怪,讲道理应该能正常绕过的。。。那还是得想想别的办法

stristr()也可以触发__toString,那么意味着可以让报错出现n1ctf从而触发布尔盲注,不过比原来是麻烦的太多了。。。绕过不了__wakeup确实不太习惯。。。


N1CTF2020-Web-SignIn WP
http://hexo.init-new-world.com/n1ctf2020-web-signin-wp
Author
John Doe
Posted on
October 19, 2020
Licensed under