Enable Xdebug in PHP setting, MAMP PRO.
Settings have taken effect. In PHP.ini
Open the project in PHPStorm. In the upper right corner, Add Configuration, click + symbol, select PHP Web Page, set Name, select Server, click Apply and OK.
Demo: QWB, Web, UPLOAD
Knowledge: code audit, PHP unserialize
Build an environment according to qwb-2019-upload in MAMP PRO.
Looked and found that it has register, login, upload image, etc.
And leak source code at url/www.tar.gz. It is based on ThinkPHP v5.
First, look at the routing configuration and understand the general structure.
Then, look for unserialize function. It appears in the login_check() of index.php.
Click at the beginning of the current line and appear a red dot.
In the upper right corner, select the Server Name, click on the red bug to start debugging.
It will open this server using a browser. URL: http://qwb/?XDEBUG_SESSION_START=11956
?XDEBUG_SESSION_START=11956 is the bridge to PHPStorm and PHP Xdebug connections.
NOTE: All urls that use it will pass PHPStorm!
Finally, implement the attack chain.
3. Attack chain