N1CTF2020-Web-SignIn WP

Published 2020-10-19, 46 views


The source code was provided:

<?php 
class ip {
    public $ip;
    public function waf($info){
    }
    public function __construct() {
        if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
            $this->ip = $this->waf($_SERVER['HTTP_X_FORWARDED_FOR']);
        }else{
            $this->ip =$_SERVER["REMOTE_ADDR"];
        }
    }
    public function __toString(){
        $con=mysqli_connect("localhost","root","********","n1ctf_websign");
        $sqlquery=sprintf("INSERT into n1ip(`ip`,`time`) VALUES ('%s','%s')",$this->waf($_SERVER['HTTP_X_FORWARDED_FOR']),time());
        if(!mysqli_query($con,$sqlquery)){
            return mysqli_error($con);
        }else{
            return "your ip looks ok!";
        }
        mysqli_close($con);
    }
}

class flag {
    public $ip;
    public $check;
    public function __construct($ip) {
        $this->ip = $ip;
    }
    public function getflag(){
        if(md5($this->check)===md5("key****************")){
            readfile('/flag');
        }
        return $this->ip;
    }
    public function __wakeup(){
        if(stristr($this->ip, "n1ctf")!==False)
            $this->ip = "welcome to n1ctf2020";
        else
            $this->ip = "noip";
    }
    public function __destruct() {
        echo $this->getflag();
    }

}
if(isset($_GET['input'])){
    $input = $_GET['input'];
    unserialize($input);
} 

Analysis: this is clearly a deserialization challenge.

A guess at the POP chain:

Bypass __wakeup -> __destruct -> echo triggers __toString, then use error-based injection to obtain the required key, and finally get the answer.

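Testing it, I found there was no way to bypass __wakeup (PHP 5.5.9), which is strange; in theory it should be bypassable normally... so I still have to think of another approach.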

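stristr() can also trigger __toString, which means the error message can be made to contain n1ctf and so drive a boolean blind injection, though that is far more trouble than the original plan... Not being able to bypass __wakeup really takes some getting used to...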
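
For comparison, a hardened form of the three weak points in the challenge source: the unvalidated X-Forwarded-For value, the sprintf-built INSERT whose error text is returned to the caller, and unserialize() on request input. This is an added example, not part of the challenge or the original writeup. It assumes PHP 7.0+ with mysqli, and client_ip(), record_ip() and parse_input() are hypothetical names.

```php
<?php
// Added example, not the challenge's code. Assumes PHP 7.0+ with mysqli.
// client_ip(), record_ip() and parse_input() are hypothetical helper names.

// X-Forwarded-For is client-controlled: accept it only when it is a single
// valid IP literal, otherwise fall back to the socket peer address.
function client_ip(array $server): string {
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && filter_var($xff, FILTER_VALIDATE_IP) !== false) {
        return $xff;
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Bound parameters keep the value out of the SQL text, and database errors
// go to the server log instead of being returned to the client.
function record_ip(mysqli $con, string $ip): bool {
    $stmt = $con->prepare('INSERT INTO n1ip(`ip`,`time`) VALUES (?, ?)');
    if ($stmt === false) {
        error_log('prepare failed: ' . $con->error);
        return false;
    }
    $now = (string) time();
    $stmt->bind_param('ss', $ip, $now);
    $ok = $stmt->execute();
    if (!$ok) {
        error_log('insert failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

// With allowed_classes => false no application class is instantiated, so
// __wakeup, __destruct and __toString of ip/flag never run on request data.
function parse_input(string $input) {
    return unserialize($input, ['allowed_classes' => false]);
}

// Constructed sample inputs (not taken from the challenge).
$server = ['HTTP_X_FORWARDED_FOR' => "1.2.3.4' junk", 'REMOTE_ADDR' => '203.0.113.7'];
var_dump(client_ip($server));

$decoded = parse_input('O:4:"flag":0:{}');
var_dump($decoded instanceof __PHP_Incomplete_Class);
```

On PHP 5.x, as used by the challenge, the allowed_classes option is not available, so request input would need a data-only format such as JSON instead of unserialize().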

It is my final heart.
Last updated 2022-07-24