Revisited deserialization

Others 2019-07-23 06:01:25 views: null

Revisited deserialization

The last time we use phpggc generated deserialization pop chain can take advantage of the successful implementation of the code execution, and analysis of the entire process. But based on the attitude of learning, I began to try to find their own pop a chain available

 

Zend\Ldap\Collection

 

Call the close method, and then call the close method iterator property. When the present method does not close the corresponding iterator class attribute, __call method calls the class

Zend\Filter\Compress

 

First method called getAdapter

 

First determine the $ this-> adapter is not Compress \ CompressionAlgorithmInterface class, if it is returned directly, and then also get the class attribute adapterOptions

 

If $ Adapter class exists, the line 104 is performed in the new operation, and this type of controllable parameter values ​​are our next looks for a constructor can take advantage

Zend\Validator\Callback

 

Line 55 calls the constructor of the parent class

Zend\Validator\AbstractValidator

 

Looking directly at the 81-line, $ options judgment is not an array, and then call the method setOption

 

Was removed from the Options $ $ $ Options and name, plus the name $ front and IS set, then proceeds to determine if the class contains the method is called.

There is a method isValid Zend \ Validator \ Callback class

 

The presence of 139 lines call_user_func_array function, value of $ args here is that we passed in $ vaue value. Look at $ callback is not controllable. $ Callback acquisition

 

It is taken from the $ this-> options array inside. Look how this value is set

 

Foregoing methods are set, so we can assign values ​​to $ this-> options [ 'callback'] setoptions values ​​of the parent class. So we have two parameters call_user_func_array functions are controlled, you can achieve code execution.

the entire process

Zend\Ldap\Collection

__destruct()

->

Zend\Ldap\Collection

$this->iterator->close()

->

Zend\Filter\Compress

__call()

->

Zend\Filter\Compress

getAdapter()

->

Zend\Validator\Callback

__construct

->

Zend\Validator\Callback

Parent:__construct

->

Zend\Validator\AbstractValidator

setOptions()

->

Zend\Validator\Callback

setCallback()

->

Zend\Validator\Callback

isValid()

调用栈

 

 测试

 

Guess you like

Origin www.cnblogs.com/flipfi/p/11195212.html
Recommended
Ranking
vue project automated build tools 1.0, support for multi-page build
JDBC add, update, delete data
SpringCloud combat service in response to the decline tutorial series (Chapter IV)
A segmentation fault (core dumped) error occurs when C+11 compiles and calls the PCL library
Django achieve websocket
Go语言并发之道--笔记1
Three-tier structure and application
Zhejiang data structure after-school exercise practice two 7-2 Reversing Linked List (25 points)
Front-end interview brushing day9 (updated daily high-frequency inspection points for front-end interviews)
The difference between the shell of the single and double quote
Daily
More
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)
2024-04-24(30)
2024-04-23(30)

Code World

© 2018 codetd.com