Typrcho反序列化漏洞学习

/img/x.jpg

漏洞点：install.php 64行，检测HTTP_REFERER

if (!empty($_GET) || !empty($_POST)) {//get和post都不为空
    if (empty($_SERVER['HTTP_REFERER'])) {//HTTP_REFERER如果为空，终止程序
        exit;
    }

    $parts = parse_url($_SERVER['HTTP_REFERER']);//解析URL，返回组成部分
	if (!empty($parts['port']) && $parts['port'] != 80) {
        $parts['host'] = "{$parts['host']}:{$parts['port']}";
    }

	//判定条件不成功，终止程序
    if (empty($parts['host']) || $_SERVER['HTTP_HOST'] != $parts['host']) {
        exit;
    }
}

序列化入口点232行，满足漏洞第一个条件：存在序列化字符串的输入点

<?php
  $config = unserialize(base64_decode(Typecho_Cookie::get('__typecho_config')));//此处
  Typecho_Cookie::delete('__typecho_config');
  $db = new Typecho_Db($config['adapter'], $config['prefix']);
  $db->addServer($config, Typecho_Db::READ | Typecho_Db::WRITE);
  Typecho_Db::set($db);
?>